+++ /dev/null
-ossec-hids_3.3.0-1_amd64.deb admin extra
+++ /dev/null
-dh_prep
-dh_installdirs
-dh_installchangelogs
-dh_installdocs
-dh_lintian
-dh_installman
-dh_link
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
-dh_builddeb
-dh_prep
-dh_installdirs
-dh_installchangelogs
-dh_installdocs
-dh_lintian
-dh_installman
-dh_link
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
-dh_builddeb
-dh_prep
-dh_installdirs
-dh_installchangelogs
-dh_installdocs
-dh_lintian
-dh_installman
-dh_link
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
-dh_builddeb
-dh_prep
-dh_installdirs
-dh_installchangelogs
-dh_installdocs
-dh_lintian
-dh_installman
-dh_link
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
-dh_builddeb
-dh_prep
-dh_installdirs
-dh_installchangelogs
-dh_installdocs
-dh_lintian
-dh_installman
-dh_link
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
-dh_builddeb
-dh_prep
-dh_installdirs
-dh_installchangelogs
-dh_installdocs
-dh_lintian
-dh_installman
-dh_link
-dh_compress
-dh_fixperms
-dh_installdeb
-dh_shlibdeps
-dh_gencontrol
-dh_md5sums
-dh_builddeb
-dh_builddeb
+++ /dev/null
-shlibs:Depends=libc6 (>= 2.14), libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.2.3.3)
-misc:Depends=
-misc:Pre-Depends=
+++ /dev/null
-/var/ossec/rules/local_rules.xml
-/var/ossec/etc/ossec.conf
-/var/ossec/etc/internal_options.conf
-/etc/init.d/ossec-hids
-/etc/ossec-init.conf
+++ /dev/null
-Package: ossec-hids
-Version: 3.3.0-1
-Architecture: amd64
-Maintainer: Ivan Rako <Ivan.Rako@CARNet.hr>
-Installed-Size: 17088
-Depends: postfix | mail-transport-agent, expect (>= 5.45-2), lsb-base (>= 3.2-14), adduser (>= 3.113+nmu3), libc6 (>= 2.14), libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.2.3.3)
-Section: admin
-Priority: extra
-Description: OSSEC open source Host-based Intrusion Detection System (HIDS)
- OSSEC is a scalable, multi-platform, open source Host-based Intrusion
- Detection System (HIDS). It has a powerful correlation and analysis
- engine, integrating log analysis, file integrity checking, Windows
- registry monitoring, centralized policy enforcement, rootkit detection,
- real-time alerting and active response.
- .
- It runs on most operating systems, including Linux, OpenBSD, FreeBSD,
- MacOS, Solaris and Windows.
- .
- More information on OSSEC is available at: http://www.ossec.net/ .
+++ /dev/null
-837694ab5ee70bc5827025502e2b2483 usr/share/doc/ossec-hids/BUGS
-4a1616de42c745c30a02f507f2fd8919 usr/share/doc/ossec-hids/CONFIG
-5286e829a8f7223e6ec167c57a721437 usr/share/doc/ossec-hids/CONTRIBUTORS.gz
-6ecb2d39964fe1cf2c3e143c5427ce42 usr/share/doc/ossec-hids/README.config
-6168b7cb1f75122fa8866a9d11bb8b06 usr/share/doc/ossec-hids/README.md
-37e5b985193f8631e21373d4169588ae usr/share/doc/ossec-hids/active-response-internal.txt
-795bdb6f0d351a17d7f7cae6179cdc9a usr/share/doc/ossec-hids/active-response.txt
-f8c8c2b41823ff6fc0444cdb2eea5be1 usr/share/doc/ossec-hids/changelog.Debian.gz
-c0712e1142b815256284b49e424038de usr/share/doc/ossec-hids/changelog.gz
-00e9f6c6449a29dcdfdcfd64bfd62c11 usr/share/doc/ossec-hids/contrib/active-list.pl
-eb802564770338081e2b7640044a856c usr/share/doc/ossec-hids/contrib/add_localfile.sh
-6361c0b861dd45be86f8dbe5327fb95b usr/share/doc/ossec-hids/contrib/compile_alerts.pl
-75bd099e8853bf6b147a0c00c75256a3 usr/share/doc/ossec-hids/contrib/compile_alerts.txt.gz
-f29c4cc38d9d52754ff1aca1016a1f69 usr/share/doc/ossec-hids/contrib/config2xml.gz
-6edf0c2261cec3147374ab7e223ee8a7 usr/share/doc/ossec-hids/contrib/debian-packages/Readme.txt
-16ff6cb4ce64d56d5c63321d5491f585 usr/share/doc/ossec-hids/contrib/debian-packages/generate_ossec.sh.gz
-837ac8d8a4d8fd89627e49fe93cd6e0f usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/changelog.gz
-84bc3da1b3e33a18e8d5e1bdd7a18d7a usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/compat
-18fdfe6e73421bcde33b90e16e0cedee usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/conffiles
-57488387a176a4715570ec581b45b0f5 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/control
-ec092b426b329155f9f3406f9cadbaef usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/copyright
-f3f919bb9df0b84ae3fb4739c1c221a9 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/ossec-hids-agent.lintian-overrides
-1b20ca88fba887e31f55ff43a371b3d2 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/01_makefile.patch
-9128b264c18030031acd26aefa669114 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/02_ossec-agent.conf.patch
-13cdfb6bf457c720bd7c7a05a53b9992 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/series
-2ef38d3c5c636f5e9f40c86fd0b3f976 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postinst
-3448af5dc1c73e19b675166663d3d67c usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postrm
-612e70ec20da876634700dd0d5417d22 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/preinst
-4034b9e90f7d88b55493554e0a87e150 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/rules
-d3a10140af54ec7371d3b9b084b07c14 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/source/format
-8976a785fb2b23cc0a13d17399084dc5 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/templates
-c678fc89d221bb5f3e53fc3bcd93e8e0 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/changelog.gz
-84bc3da1b3e33a18e8d5e1bdd7a18d7a usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/compat
-18fdfe6e73421bcde33b90e16e0cedee usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/conffiles
-1c11554096c4fc6af1d9ea15fdfc61f6 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/control
-ec092b426b329155f9f3406f9cadbaef usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/copyright
-dec1921222bfe2a9191b3c5d22f47d67 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/ossec-hids.lintian-overrides
-37463537093f8a94f4cec1d231d889fa usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/01_makefile.patch
-0326b1ee8f71fe61eb59e31aa23751fe usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/02_ossec-server.conf.patch
-8bb641ab91b5c7d82b76ab71dab7c0bf usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/series
-5bd8dd827930f4fd77055e83ca0e89d4 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postinst.gz
-70f33cfc6430996167988c2338f307e3 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postrm
-4fcc2e0e778d4aaaf3a3cd220c994267 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/preinst
-4034b9e90f7d88b55493554e0a87e150 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/rules
-d3a10140af54ec7371d3b9b084b07c14 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/source/format
-a4ba1a5f6da6fdc3c6c95f9f67ed7029 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/templates
-5d47b88205aef993618c9e2968e1e7f2 usr/share/doc/ossec-hids/contrib/iis-logs.bat
-ddcab750caa658684d29c5fffe3cf161 usr/share/doc/ossec-hids/contrib/logtesting/1/log
-58f012497b31188068d211f9f486fc1e usr/share/doc/ossec-hids/contrib/logtesting/1/res
-7e0156b8d732b8448f6af3181d350a18 usr/share/doc/ossec-hids/contrib/logtesting/10/log
-10520ba96802c0cd496ac3f5829456a1 usr/share/doc/ossec-hids/contrib/logtesting/10/res
-04bfbfc40a343ae31a9a7f12fe1b45dd usr/share/doc/ossec-hids/contrib/logtesting/11/log
-a7f736c7941071c81b251972c267d61c usr/share/doc/ossec-hids/contrib/logtesting/11/res
-6afa6e10da301618c4ae55c09291a2bb usr/share/doc/ossec-hids/contrib/logtesting/12/log
-615a3d90fe2095260a8d9415b8d7cf63 usr/share/doc/ossec-hids/contrib/logtesting/12/res
-51e290523486cb0e8e91427b2d876715 usr/share/doc/ossec-hids/contrib/logtesting/13/log
-16b9a5c028be572c13cb1bf0d2422736 usr/share/doc/ossec-hids/contrib/logtesting/13/res
-00b89cd61f97a803d619c0e910bb4af5 usr/share/doc/ossec-hids/contrib/logtesting/14/log
-1dcf0d4e55de853e88392ac3b183a53d usr/share/doc/ossec-hids/contrib/logtesting/14/res
-19e5180cef68d453c4be871f9a71fcaf usr/share/doc/ossec-hids/contrib/logtesting/15/log
-e739dd096294e15d853715275439b623 usr/share/doc/ossec-hids/contrib/logtesting/15/res
-2ca78ae79aec39b9fda64a6ec02a98eb usr/share/doc/ossec-hids/contrib/logtesting/16/log
-487ebee4944ae058518db4b43856d016 usr/share/doc/ossec-hids/contrib/logtesting/16/res
-d12d7187e4c1d5d9f233f9b54aece159 usr/share/doc/ossec-hids/contrib/logtesting/17/log
-0cb8f8c51f9764668de472ca70c3b589 usr/share/doc/ossec-hids/contrib/logtesting/17/res
-15986b5f36aa276ab203380cd2e317b8 usr/share/doc/ossec-hids/contrib/logtesting/18/log
-44d2b68c6b99b42d70b74e59ac90e8c0 usr/share/doc/ossec-hids/contrib/logtesting/18/res
-25c2e286a6281999a16aff5ca7b330e0 usr/share/doc/ossec-hids/contrib/logtesting/19/log
-cb7f10b14fb0276633e30e15a36c3c5d usr/share/doc/ossec-hids/contrib/logtesting/19/res
-28bf66d3ac8948bb1433106bd13f1f9a usr/share/doc/ossec-hids/contrib/logtesting/2/log
-7056fc30f30eada875927771190c654c usr/share/doc/ossec-hids/contrib/logtesting/2/res
-8405e122be04cf249027db9d9f4e9684 usr/share/doc/ossec-hids/contrib/logtesting/20/log
-80a9d8ebdd01e230ec3cd54117ccb0f0 usr/share/doc/ossec-hids/contrib/logtesting/20/res
-4515bd5e79763fb4ee3e0990afa06fb4 usr/share/doc/ossec-hids/contrib/logtesting/21/log
-dcf92d72ec5e27170998e9c96292c187 usr/share/doc/ossec-hids/contrib/logtesting/21/res
-093d4ac9c3c59facac20343e93194461 usr/share/doc/ossec-hids/contrib/logtesting/22/log
-7b4234846173079d01ccb0bf095c617d usr/share/doc/ossec-hids/contrib/logtesting/22/res
-d4d28ea5ec71f05921df7abdcc5d2653 usr/share/doc/ossec-hids/contrib/logtesting/23/log
-eb9d80508d11d762ef8812cbcfce495b usr/share/doc/ossec-hids/contrib/logtesting/23/res
-28a5742d21141bda7684b3a5a21347df usr/share/doc/ossec-hids/contrib/logtesting/24/log
-ce5d26b939433527067e3c8700a02d39 usr/share/doc/ossec-hids/contrib/logtesting/24/res
-fdc4756c8890bfb87469c639eab2e540 usr/share/doc/ossec-hids/contrib/logtesting/25/log
-78318a210801736432946eaf88aabf1b usr/share/doc/ossec-hids/contrib/logtesting/25/res
-3b1d6b063d8508d1557b66c0aa5c8ed6 usr/share/doc/ossec-hids/contrib/logtesting/26/log
-d6a500efd6fef6a77c6110e1c711e5f7 usr/share/doc/ossec-hids/contrib/logtesting/26/res
-6778f805f166351f1e7ba6abfc4a31b7 usr/share/doc/ossec-hids/contrib/logtesting/27/log
-1f6de6748f57796b10897fca0c151257 usr/share/doc/ossec-hids/contrib/logtesting/27/res
-67121ad2041ebad4dea055ec5893030d usr/share/doc/ossec-hids/contrib/logtesting/28/log
-f6a61b3482d7e874afc165b560c5b968 usr/share/doc/ossec-hids/contrib/logtesting/28/res
-e639debcea8f8cb2d9be1374646cf986 usr/share/doc/ossec-hids/contrib/logtesting/29/log
-9dc7f21623adb6139a75f9c516c46799 usr/share/doc/ossec-hids/contrib/logtesting/29/res
-c0106274d05b14a01c6ebc6655df8ed4 usr/share/doc/ossec-hids/contrib/logtesting/3/log
-d9edb0fd6d63d5322db0122547259504 usr/share/doc/ossec-hids/contrib/logtesting/3/res
-079bef27c66438368518cf60ec5fee14 usr/share/doc/ossec-hids/contrib/logtesting/30/log
-a010162d8d4029cdaaa1632a0ddfe80b usr/share/doc/ossec-hids/contrib/logtesting/30/res
-ef8a44ff77a842e2198eaff91185b307 usr/share/doc/ossec-hids/contrib/logtesting/31/log
-dcfa43b3c7a3123345af6bb5040315a4 usr/share/doc/ossec-hids/contrib/logtesting/31/res
-4d4ea3741ca79916a80e6e8122b01ada usr/share/doc/ossec-hids/contrib/logtesting/32/log
-7fa4d54a81b9c8c9df10733ad4f3e8bd usr/share/doc/ossec-hids/contrib/logtesting/32/res
-2e595586e9fc6b63a08a0c9943ae78c8 usr/share/doc/ossec-hids/contrib/logtesting/33/log
-7cf73a0e9ece302b0f375bced880651a usr/share/doc/ossec-hids/contrib/logtesting/33/res
-fab45dea6a8a06ea2635faf4f1f10602 usr/share/doc/ossec-hids/contrib/logtesting/34/log
-fb5cc0403773c11ff499cc8a369795cf usr/share/doc/ossec-hids/contrib/logtesting/34/res
-03eec2ea663c9fcb325894b2eea586fb usr/share/doc/ossec-hids/contrib/logtesting/35/log
-bdafc17a3cba4f8f3a9651da00aa351f usr/share/doc/ossec-hids/contrib/logtesting/35/res
-6d5917975b6a5f90a85a3559397458fa usr/share/doc/ossec-hids/contrib/logtesting/36/log
-676b7f2f9af5d3524ff24c36e2f311a1 usr/share/doc/ossec-hids/contrib/logtesting/36/res
-b32b05370f9db79597c83f2c769c1e70 usr/share/doc/ossec-hids/contrib/logtesting/37/log
-4d202db9345cfd8a0c9c81ff152ef5ef usr/share/doc/ossec-hids/contrib/logtesting/37/res
-c094593056ef3ef08112d73b69f75ad6 usr/share/doc/ossec-hids/contrib/logtesting/38/log
-3d16fc5187e7f2b20ec1d8934769a2f0 usr/share/doc/ossec-hids/contrib/logtesting/38/res
-bb1f606b1173fa6d3d709636aaf52bc6 usr/share/doc/ossec-hids/contrib/logtesting/39/log
-2d619593fcbeb409793df4864fe26ce2 usr/share/doc/ossec-hids/contrib/logtesting/39/res
-ff0629d38e3e17b95c57f728a092893e usr/share/doc/ossec-hids/contrib/logtesting/4/log
-4718e1a6fdf5c90eced9760bd2348ae2 usr/share/doc/ossec-hids/contrib/logtesting/4/res
-79ffdfeca47e9e8c2e96293c36e1b2b5 usr/share/doc/ossec-hids/contrib/logtesting/40/log
-7e03c9a8ba34d3ae60525b9864cd6280 usr/share/doc/ossec-hids/contrib/logtesting/40/res
-7877ffca08e15e3f27f7a226050de61c usr/share/doc/ossec-hids/contrib/logtesting/41/log
-49671d4383fc716af035ec7c6c26a8c0 usr/share/doc/ossec-hids/contrib/logtesting/41/res
-b714adbc716780e807e67e39292bfc41 usr/share/doc/ossec-hids/contrib/logtesting/42/log
-6a8a48180541301bd72340ec0277a254 usr/share/doc/ossec-hids/contrib/logtesting/42/res
-310c5612f9034dace7cf44de56ec85cb usr/share/doc/ossec-hids/contrib/logtesting/43/log
-ceb5a0b590e24fdca6b0ea28565c6050 usr/share/doc/ossec-hids/contrib/logtesting/43/res
-1d4073657a5cf8b13fda4a420386c2ce usr/share/doc/ossec-hids/contrib/logtesting/44/log
-053ea6a14a127e56ec23b0120c463758 usr/share/doc/ossec-hids/contrib/logtesting/44/res
-661b035c6f68719fcb5d4a032c1fc56a usr/share/doc/ossec-hids/contrib/logtesting/5/log
-e6cd0d314f817758a6b8b76b5995f864 usr/share/doc/ossec-hids/contrib/logtesting/5/res
-f98bf6281cade52dda14be0e1abc7d51 usr/share/doc/ossec-hids/contrib/logtesting/6/log
-e77759b334d7b0387218c6f4edb06202 usr/share/doc/ossec-hids/contrib/logtesting/6/res
-d0c640d8ce6c72196aade008c342113a usr/share/doc/ossec-hids/contrib/logtesting/7/log
-633ce5812deeb37fc272eb527e32f7fb usr/share/doc/ossec-hids/contrib/logtesting/7/res
-46f9f7ed1bb605c9a59d322ac5b5e4be usr/share/doc/ossec-hids/contrib/logtesting/8/log
-df256bfdb4fe2d02a347222bf1d57369 usr/share/doc/ossec-hids/contrib/logtesting/8/res
-35c70c693b33cfdeeb422946a4ebb27f usr/share/doc/ossec-hids/contrib/logtesting/9/log
-c4c76b6cbdff0567edd4f470f5ab9c68 usr/share/doc/ossec-hids/contrib/logtesting/9/res
-31c6f82c910c42877aff4f00479d7660 usr/share/doc/ossec-hids/contrib/logtesting/dotests.sh
-1311b61e9420be0e7a7417e21cdf8eb3 usr/share/doc/ossec-hids/contrib/ossec-batch-manager.pl.gz
-26120dcca290d675b436c7288eda0961 usr/share/doc/ossec-hids/contrib/ossec-configure.gz
-c5895071106aaafce8e41dccec8e7727 usr/share/doc/ossec-hids/contrib/ossec-eps.sh
-7c044d3b2fe2204375c189b50c61df79 usr/share/doc/ossec-hids/contrib/ossec-pcre2-config.pl
-86364646e79f43240afe7f983bc59939 usr/share/doc/ossec-hids/contrib/ossec-testing/runtests.py
-39bcbaa85d26e65b4ad7c92bef19adf0 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini
-ee38334917cf71b6c33825f94d93b40a usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apparmor.ini
-3421ec3af5907dcb48e102646e929097 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/asterisk.ini
-75afbc0fe986ca023736068867fdff44 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cimserver.ini
-7123baf8b8df41f3272b612f95c77822 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cisco_ios.ini
-a672c27e1792b73b52ff9990e366cd03 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini
-02cc805ff8c5587c38fd8db86215cecf usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dnsmasq.ini
-9d5481ea547cf7ba1a5ff6eb9e6f104f usr/share/doc/ossec-hids/contrib/ossec-testing/tests/doas.ini
-869936459b93492d9f93f9b4936e5145 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dovecot.ini
-34cf635f6b9d562d91fc992d3f04eef8 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dpkg.ini
-2cf42013d679aea651dea71adea4def5 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dropbear.ini
-a2482d83a4a95d813eacfc8e7439d522 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/exim.ini
-eca380f2883cc3438e9b57f79bfef9fb usr/share/doc/ossec-hids/contrib/ossec-testing/tests/firewalld.ini
-57582094990d5c08c6b49a9ec7cdba4e usr/share/doc/ossec-hids/contrib/ossec-testing/tests/mailscanner.ini
-7b72af39b93bd432b6325a26de704c67 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/modsecurity.ini
-4a0d9b3d3e14d2d859f5291e3f0d8745 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/named.ini
-b952817f8f1f1b411425b1ed7334d935 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/netscreen.ini
-57882a2537cb2e1ff6b60192fa21c44f usr/share/doc/ossec-hids/contrib/ossec-testing/tests/nginx.ini
-ea4e37c9b552b39405f4c191d6ac8b1e usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-dhcpd.ini
-110b4d0b34add43417746f84b5356673 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-httpd.ini
-64ab54d43f3668b5524b166ba3be95a9 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd.ini
-2d158390855a6d8bf83bf94b803518bb usr/share/doc/ossec-hids/contrib/ossec-testing/tests/opensmtpd.ini
-a48e0a51a53a086bbc704c8ea02fac7f usr/share/doc/ossec-hids/contrib/ossec-testing/tests/ossec.ini
-66de64cc3ef095f642d81d1e0dc51760 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/pam.ini
-fabac3657e4e61b0e3832997592b8d06 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/postfix.ini
-a132c18ab8d03015d184451a7e0fba88 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/proftpd.ini
-f236d15c29b7c5636dbbab8ed1771457 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/rsh.ini
-3c02d3985542033902ea8aaabdcfbd14 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/samba.ini
-a07a4270d2c2d5b280da30086a891e74 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sshd.ini.gz
-c484c0fae0c7284cbb82c88e4dfae552 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/su.ini
-c9cea2a751a71e25251517116fceb9da usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini
-96622c0f22421c6df4f863883f630146 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/syslog.ini
-debe45435dfc9a5b0433d0e9d5d7ff33 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sysmon.ini
-1d200e5de5b9fac9d5bafdd99538ffaa usr/share/doc/ossec-hids/contrib/ossec-testing/tests/systemd.ini
-5c44a8c308700f0a63062852d1dfd66c usr/share/doc/ossec-hids/contrib/ossec-testing/tests/unbound.ini
-5ee9b388068b9abc92a5b37522823345 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/vsftpd.ini
-d997e1a0ea182d20bfa2e721b6dd630e usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_appsec.ini.gz
-b8283a5c091484d0e7d0d587b5c36429 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_rules.ini.gz
-4f8dc7665e5c3ee5a15c59e8bfc6afc3 usr/share/doc/ossec-hids/contrib/ossec2mysql.conf
-42a9088b5515f119c997fa623a9202d5 usr/share/doc/ossec-hids/contrib/ossec2mysql.pl.gz
-0192e0053819e3c9e96692d75b5d569a usr/share/doc/ossec-hids/contrib/ossec2mysql.sql
-ef414309ea4d052ea794c202495e9971 usr/share/doc/ossec-hids/contrib/ossec2mysqld.pl.gz
-e4776bc8677a9bc9e27954204c7be108 usr/share/doc/ossec-hids/contrib/ossec2rss.php
-580e67249d3d35d56eacfeed2f49676f usr/share/doc/ossec-hids/contrib/ossec_report.txt
-86b3a0b849835358239b14b0a80ac42b usr/share/doc/ossec-hids/contrib/ossec_report_contrib.pl.gz
-51e3a35aaf203053ba0fbd8cfcd5262f usr/share/doc/ossec-hids/contrib/ossec_rules_list.py
-13b9f9e62671298b36279f8e3c8f5414 usr/share/doc/ossec-hids/contrib/ossecmysql.pm
-ed30e7c5961b1bd2665442740fc88cc4 usr/share/doc/ossec-hids/contrib/ossectop.pl.gz
-4dd78bafa46fcc0c8b2715ce6f6bf980 usr/share/doc/ossec-hids/contrib/rename_agent.sh
-e62b7020124e8511442d16a194ec4642 usr/share/doc/ossec-hids/contrib/renumber_agent.sh
-1a708ce0d7829e0f791e22967febf337 usr/share/doc/ossec-hids/contrib/selinux/README.md
-b18f16ade8fbe684aa0a40abcdc9cc38 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent.pp.bz2
-2f588a4bb6bcf254504c4b5230bb8e44 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.fc
-fb18f2e6b70278427f6091cad15d2903 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.if
-a86a8c2d38f2eb659d0215d376425ca6 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.te
-85987f6127d21a45b1cb56730412c6f6 usr/share/doc/ossec-hids/contrib/specs/agent/ossec-hids-agent.spec.gz
-01a9dc72a899b7ce436090dae327d44f usr/share/doc/ossec-hids/contrib/specs/agent/preloaded-vars.conf
-3a715d03ebcf88e49f7f6c57737d16ad usr/share/doc/ossec-hids/contrib/specs/getattr.pl
-289d90f9ced4ecbe3d9c2191f510c019 usr/share/doc/ossec-hids/contrib/specs/local/ossec-hids-local.spec.gz
-2f891a3e416d0437051a57e3352e92e9 usr/share/doc/ossec-hids/contrib/specs/local/preloaded-vars.conf
-e566e49c21dbff66adfbbb221ade1fa8 usr/share/doc/ossec-hids/contrib/specs/remove_ossec
-6487fe6ffc3044c1490855c8ad66d1d3 usr/share/doc/ossec-hids/contrib/specs/server/ossec-hids-server.spec.gz
-91d6bfd71aae00ec8d417a648723d688 usr/share/doc/ossec-hids/contrib/specs/server/preloaded-vars.conf
-36a763900d1684b18d62f522d89b16c9 usr/share/doc/ossec-hids/contrib/util.sh.gz
-d1b76d88e4e86fa5764b6ff87e75afa9 usr/share/doc/ossec-hids/contrib/version_bump.sh
-4394cf0ae4be9a18dc980477b4fe140e usr/share/doc/ossec-hids/contrib/zeromq_pubsub.py
-8ff5151ebf27bcd88147711f7137d84a usr/share/doc/ossec-hids/copyright
-f9dfb3b1d0437204140e01a38e61e67e usr/share/doc/ossec-hids/logs.txt
-b97b59bcd7fd187ef8906e5a11bcd831 usr/share/doc/ossec-hids/manager.txt
-7ff4fdf57fa4a0893acb2aa1456f99ad usr/share/doc/ossec-hids/nmap.txt
-cd1d75de0812f18f2449ce96aa1e2cc9 usr/share/doc/ossec-hids/rootcheck.txt
-81b7533099b1d0b3b16e4536396ab2c3 usr/share/doc/ossec-hids/rule_ids.txt
-4c8e5978b4620d7689a5157676c7419f usr/share/doc/ossec-hids/rules.txt
-167230023fd4073919f4b9b889d03537 usr/share/lintian/overrides/ossec-hids
-0667f3e6e85767903d87259c094f8a96 var/ossec/active-response/bin/disable-account.sh
-419ac74d4b27d162b342768d02d6d820 var/ossec/active-response/bin/firewall-drop.sh
-10469eac45725c47d874bae736a3a66b var/ossec/active-response/bin/firewalld-drop.sh
-91d7f73f73c28c874e122eb5436d132e var/ossec/active-response/bin/host-deny.sh
-91819d33fc1831c33090e6f12634c446 var/ossec/active-response/bin/ip-customblock.sh
-33ab5d196695ec8839f76ffaaa6f27be var/ossec/active-response/bin/ipfw.sh
-5638fccb7b4dd00e319c4c447b69cdfa var/ossec/active-response/bin/ipfw_mac.sh
-efb5285d9f55add13aea64b47b1eaf4d var/ossec/active-response/bin/npf.sh
-538cc11a437c0328be434a9fceaaca72 var/ossec/active-response/bin/ossec-pagerduty.sh
-a9fa1a7766ef5b2a409b395a2c56c70c var/ossec/active-response/bin/ossec-slack.sh
-887f589645c1a8b101a0a69131319d41 var/ossec/active-response/bin/ossec-tweeter.sh
-4174391d0f30e910c3fe08b8f2b926db var/ossec/active-response/bin/pf.sh
-54265163fd59969371516ae7cf4024ee var/ossec/active-response/bin/restart-ossec.sh
-8bcf0f30b891a992272720be3d19bc44 var/ossec/active-response/bin/route-null.sh
-dec7c8080318beef0a9e844dd3e8afd7 var/ossec/agentless/main.exp
-bb7a69b93edd848950a2903025b74f64 var/ossec/agentless/register_host.sh
-f20efab66ce8e00f42fa48d9f17cca69 var/ossec/agentless/ssh.exp
-4eca74f9067487150ee71967f0166e56 var/ossec/agentless/ssh_asa-fwsmconfig_diff
-562d4553a856e50f99ad345e8c67f243 var/ossec/agentless/ssh_foundry_diff
-719fac4c372282feed2fd5660711579c var/ossec/agentless/ssh_generic_diff
-67d9753fc2a85e4aa29adecafff4883d var/ossec/agentless/ssh_integrity_check_bsd
-74afff1cf200a53bfe97cee5cd7c5dcb var/ossec/agentless/ssh_integrity_check_linux
-a655d0f2f1d37d3cd73cac697fadab8b var/ossec/agentless/ssh_nopass.exp
-9950831653276a8f547a22ff3d34c3e9 var/ossec/agentless/ssh_pixconfig_diff
-3921be40dcc0f788733b6ff425f34fc1 var/ossec/agentless/sshlogin.exp
-bbc944400c8ff42548db56aa9526c26e var/ossec/agentless/su.exp
-858c96ea523f106627b033152bc45160 var/ossec/bin/agent_control
-0fa527f240cc1d16c26b63955fb4db59 var/ossec/bin/clear_stats
-36de274c925176e3cc53d3774e962231 var/ossec/bin/list_agents
-0b213358c43940d7f7ca8d5cf69d79c4 var/ossec/bin/manage_agents
-9fd711315cfb08eb74103ad1155d69ef var/ossec/bin/ossec-agentd
-614c35e1e006c7551856ac42fb6d2b98 var/ossec/bin/ossec-agentlessd
-b3c45cb55eb11954cda9fceb052e1978 var/ossec/bin/ossec-analysisd
-4511bcb7fbf06ff32b9311238b55b9f1 var/ossec/bin/ossec-authd
-096f42b8e97277346c9fd06b9bab779e var/ossec/bin/ossec-client.sh
-e37e405944dbdcb15bf0df4214a40a02 var/ossec/bin/ossec-csyslogd
-961e17c1a00f382020ac77a796624f50 var/ossec/bin/ossec-dbd
-d2b89d867a04c1af272ad5e01408302e var/ossec/bin/ossec-execd
-60767dfe6f316821d3f55ae95c3e182c var/ossec/bin/ossec-local.sh
-76ff1fcbfb08e3323580852251097586 var/ossec/bin/ossec-logcollector
-59031d3829364329414e27dda58e53db var/ossec/bin/ossec-logtest
-fb66fafd6c383d2a77499f0085d70fd6 var/ossec/bin/ossec-maild
-fa78d72cf7530cce68a4daf5706d5468 var/ossec/bin/ossec-makelists
-debbfe5fc8cb7bd0b37fa62e8940e2a3 var/ossec/bin/ossec-monitord
-fb1c1262c8fa7a80454e3935ac2191e6 var/ossec/bin/ossec-regex
-4d7747d88b85adfb93501c22eab86488 var/ossec/bin/ossec-regex-convert
-d9107438d274884fbe49fda623c3e22c var/ossec/bin/ossec-remoted
-23209f1ff0f3d099dd9e5a8768e7a26c var/ossec/bin/ossec-reportd
-97cbc7d61d3221a3b2e4ca7a9957e26f var/ossec/bin/ossec-server.sh
-91c528bf32ea3bc93c494d58c8e74589 var/ossec/bin/ossec-syscheckd
-7e035f74f7e831096e791988c511c27b var/ossec/bin/rootcheck_control
-f27238a80ba5b405ea32379df7652f73 var/ossec/bin/syscheck_control
-34aaed0dec4f3a4cf8967eb46cbd9189 var/ossec/bin/syscheck_update
-413f2fac20102a054ff6364ba1e1a442 var/ossec/bin/verify-agent-conf
-15eb9e43bbe430143208d817ebf9bcfa var/ossec/etc/decoder.xml
-c7276d8581d1b292ef4c435efe15792c var/ossec/etc/ossec-agent.conf
-4480b406998c79f7620a707ae0fbc28a var/ossec/etc/ossec-local.conf
-f7de27d80c3249b33f5d467c587c747b var/ossec/etc/ossec-server.conf
-b7e95261db48d69b8e0a51d62eb4d80b var/ossec/etc/shared/acsc_office2016_rcl.txt
-ef369cb627325b368ff115858b88b2d3 var/ossec/etc/shared/cis_apache2224_rcl.txt
-966703e11b6c7f99849f833c26756b30 var/ossec/etc/shared/cis_debian_linux_rcl.txt
-edda0c19b1b599ba0c05c8156a4180a3 var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt
-74e421baff5866743077f1393a9920f0 var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt
-5dac76cfcffd4a92cac52cd76e898625 var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
-5944dadb63dc5a85ad1883be5583cc8a var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
-1398ee965c76a016588243ca5e623c53 var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
-35f2c78645df44f97bd437ce62af51ac var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
-a803ee5e8225e03e07dde6678dbfe90d var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
-a9f685121627f1ffddbbad95f2f781c3 var/ossec/etc/shared/cis_rhel_linux_rcl.txt
-0e69cca992d4712c6224dce082c65050 var/ossec/etc/shared/cis_sles11_linux_rcl.txt
-0e0884a98f115381c3a80b9b0f512a45 var/ossec/etc/shared/cis_sles12_linux_rcl.txt
-381c96094ba7dfb120305faee69c2cae var/ossec/etc/shared/cis_solaris11_rcl.txt
-9a1c5ebfae7fdb099eb4b0e4f266c60b var/ossec/etc/shared/cis_win10_enterprise_L1_rcl.txt
-d3c349f0c1506f540ea2d538ce9af96a var/ossec/etc/shared/cis_win10_enterprise_L2_rcl.txt
-67df0f28863c45756458c39d271f4ec3 var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
-6b179293b008d27e21bb7484e23ee481 var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
-5dc14ff9f648cfa87c5865b8ac25a497 var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
-ab93937229e6e6e1172a428faedfe8ab var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
-3e00294108353fd5a11779ea49348745 var/ossec/etc/shared/cis_win2016_domainL1_rcl.txt
-37b794d6e0361e52bbc09ee1ff68fd41 var/ossec/etc/shared/cis_win2016_domainL2_rcl.txt
-9abca97a0ba2a6d8261642b7b9095593 var/ossec/etc/shared/cis_win2016_memberL1_rcl.txt
-6443af3efe35dffe10b8c993a661fc16 var/ossec/etc/shared/cis_win2016_memberL2_rcl.txt
-f2363ea4b7db5e4678e4e5970edeb3bf var/ossec/etc/shared/rootkit_files.txt
-bf8f5e69576d2c24ac99d429b0457182 var/ossec/etc/shared/rootkit_trojans.txt
-739b1094ed1fc5b9ed56c90767a4f13c var/ossec/etc/shared/system_audit_pw.txt
-c5c836fe0934b93310e22965dd6008a4 var/ossec/etc/shared/system_audit_rcl.txt
-072526aa22390da8d1ae90675daa89ab var/ossec/etc/shared/system_audit_ssh.txt
-8cc6abc69459c3dc6ed57721799a85da var/ossec/etc/shared/win_applications_rcl.txt
-456aead916261071d591e36d9d2ffe7c var/ossec/etc/shared/win_audit_rcl.txt
-f946edf404eb1f0a7c4cd7379843d10d var/ossec/etc/shared/win_malware_rcl.txt
-5beb343b0a745e27809ba05e18f02325 var/ossec/rules/apache_rules.xml
-a89d6ede255a6153871bcea44b97c2ad var/ossec/rules/apparmor_rules.xml
-453cf7fef0d15e0235e8810952a79641 var/ossec/rules/arpwatch_rules.xml
-606ec5a3a06273f62d918b31c6f23db1 var/ossec/rules/asterisk_rules.xml
-38976de60331ee0dc1282cc6c3c7d11a var/ossec/rules/attack_rules.xml
-6b5e4a2c2db3bb11a5484542cdc19335 var/ossec/rules/cimserver_rules.xml
-08a8fe27f0a473cc52332a5bbbaa5c48 var/ossec/rules/cisco-ios_rules.xml
-08898a5bb515ce41f078b9f1a506efbf var/ossec/rules/clam_av_rules.xml
-241a2216fd53ac49f4c5fbf3339c5a8c var/ossec/rules/courier_rules.xml
-5195c41ee82b764c74bd609a28f04d6e var/ossec/rules/dnsmasq_rules.xml
-e260c65b0f751713c8e429929e3336fc var/ossec/rules/dovecot_rules.xml
-3972e18cb731845c73302fac4a0c2b61 var/ossec/rules/dropbear_rules.xml
-e96bad66449712e467dd7f4bdc9b168c var/ossec/rules/exim_rules.xml
-ec419a3314ee54458c675f46045945cc var/ossec/rules/firewall_rules.xml
-0b7dbf62e17827bbad194ba0e207267e var/ossec/rules/firewalld_rules.xml
-713c2fa70a1522db77bbbf1a5ad0a02f var/ossec/rules/ftpd_rules.xml
-60786f05c15b410a10c02e26748552fc var/ossec/rules/hordeimp_rules.xml
-c3f69db682835a9c6d340dcb84c71bac var/ossec/rules/ids_rules.xml
-85fa200afdbc14dc8370b1fedb84cb1e var/ossec/rules/imapd_rules.xml
-67cbbd76dbd60be15c44ff4ce32ea54f var/ossec/rules/kesl_rules.xml
-97f77273c44125c3d3cdc5b9d59e4ffd var/ossec/rules/last_rootlogin_rules.xml
-cc120a808a7056f0324841dda62f4b3e var/ossec/rules/linux_usbdetect_rules.xml
-1b5d5422cb39fd4162105796117dea28 var/ossec/rules/log-entries/101
-dfa8b00422f0a1e9b3d23beb2f2d7de0 var/ossec/rules/log-entries/1101
-9f8c154eef305de60090b3735b3f0130 var/ossec/rules/log-entries/1301_1302_1303
-840b9d7bf203ef470646a39d8aca9157 var/ossec/rules/log-entries/1401
-131b09172a2d71a0001e0b13546292d7 var/ossec/rules/log-entries/1402
-72c684543aca976f6bb24f10c75753e6 var/ossec/rules/log-entries/1602
-843c0581e37ec7281bdf033c42c1a735 var/ossec/rules/log-entries/1603
-f104f91c9dd237fa3f2044ffa7b82f56 var/ossec/rules/log-entries/1607
-4c52e893fbdff1a517ae45a4827aabb6 var/ossec/rules/log-entries/1609
-80841a291739e028b74b43fbf0125106 var/ossec/rules/log-entries/1901
-5d9309013b89ea3a3a03bf2e9b8911cb var/ossec/rules/log-entries/1902
-a825252dc314231bfc4b66d346e09776 var/ossec/rules/log-entries/1903
-64fe673e7c8a6631a9bf12d93344cabd var/ossec/rules/log-entries/1905
-2c839ec3029c2b665caeb96f58c4ea88 var/ossec/rules/log-entries/201
-46693453e00064949bc744350598429f var/ossec/rules/log-entries/202
-f928e6b85fac0b83cc0975b8cc526015 var/ossec/rules/log-entries/204
-5658dc589f061472dfa66abfee25e4a1 var/ossec/rules/log-entries/2501
-ec28a3b731da5f3928acd0c96a6bdf71 var/ossec/rules/log-entries/2601
-11ef54ac0855e58c2ce6499613897f8f var/ossec/rules/log-entries/301
-fce48671b83304965c67d70666ec99d3 var/ossec/rules/log-entries/401
-990af66fbb2d0be60d3cecb66aa3d0a6 var/ossec/rules/log-entries/403
-e7b2f3fdff7a25379c66170a0263c6ba var/ossec/rules/log-entries/408
-cae367ba5c8ceb24d8b979576b31cfb0 var/ossec/rules/log-entries/409
-08c11c76a46d52f5d11f5fb510afa288 var/ossec/rules/log-entries/access-control
-9af99ce364db350d654b4ac94dfb8623 var/ossec/rules/log-entries/apache-error.logs
-f784ed5df7c3d92694e10d841ee7e269 var/ossec/rules/log-entries/cisco-ios-ids
-cb8418c9c8f51b0a32fcb5b37ba1ed5e var/ossec/rules/log-entries/ciscoios
-0a056a908813715c485d47b8503acb99 var/ossec/rules/log-entries/ftpd
-f88ca67e43ec8dc545e06cc06fe5bc20 var/ossec/rules/log-entries/iis6
-e656870b1d5b842fb981f6ac498bc3bb var/ossec/rules/log-entries/imapd
-0987510c57d89de58dd28f1c4ceb28b2 var/ossec/rules/log-entries/kernel
-5e089cc0673e3afc18d678e165af2563 var/ossec/rules/log-entries/mail-alerts
-ea41a85db66019fea625a5dae568c6fe var/ossec/rules/log-entries/mail-errors
-41d886855f4bcbaea0080351ecc4b9f7 var/ossec/rules/log-entries/ns1
-13430ed34ed2166883ce2e3c14316848 var/ossec/rules/log-entries/proftpd
-ba18cb7475d7deb95969d63455e478e6 var/ossec/rules/log-entries/smbd
-e815c435abcc6d55f12048987e393cec var/ossec/rules/log-entries/spamd
-b3a0c9f26aef9e3a7c4c731384a219f5 var/ossec/rules/log-entries/sshd
-eb888813ad59cfbf608c61de066e424c var/ossec/rules/log-entries/symantecws
-b1d2f27c745b5c6b4e97cbe6c57fced7 var/ossec/rules/log-entries/telnetd
-7911bf548fa638ab6a65444430ed5542 var/ossec/rules/log-entries/unkown
-90aa5b996c0590eed871b4bbfb2d26b1 var/ossec/rules/log-entries/vpn.log
-d3f4dec83fdbd7820caff802d719b402 var/ossec/rules/log-entries/vpopmail
-6527d50177a04985148e6d38705a1c23 var/ossec/rules/log-entries/worms
-d0008b254bcdb6590914984cb595c822 var/ossec/rules/log-entries/xferlog
-f4c33f878dddee2a7930a6bde6a0e6f8 var/ossec/rules/mailscanner_rules.xml
-372c2345d862659866496e0c02b60d7c var/ossec/rules/mcafee_av_rules.xml
-50fbc8d49ae3a468b49b1edf31064e70 var/ossec/rules/mhn_cowrie_rules.xml
-dd1181e1a8f5c47da045e29159e0a5a4 var/ossec/rules/mhn_dionaea_rules.xml
-3a7ed0f22cd277ef710809a82508a44d var/ossec/rules/ms-exchange_rules.xml
-c833e578b1b65a7666924e5ac21bf7fb var/ossec/rules/ms-se_rules.xml
-e9dcba8f1ab8edba3b0fdfa1b6d13872 var/ossec/rules/ms1016_usbdetect_rules.xml
-4573b0c0a55e592b04935d1e4cbae468 var/ossec/rules/ms_dhcp_rules.xml
-ae39b715c5ca2f34800effc60ff1843b var/ossec/rules/ms_firewall_rules.xml
-143b815660a94c95af7f6053c77f4344 var/ossec/rules/ms_ftpd_rules.xml
-df929e3b4ec60a56b86c809979bff0fe var/ossec/rules/ms_ipsec_rules.xml
-eda74865e7efc41267fe1afad93c658e var/ossec/rules/ms_powershell_rules.xml
-2dfcb3434e16ef1bd1ab17dae91f316b var/ossec/rules/msauth_rules.xml
-11749a4a81df69d17d2a9f8f0068e54a var/ossec/rules/mysql_rules.xml
-7a2e1f5d8076430a994f1e679c5f3feb var/ossec/rules/named_rules.xml
-63da34e778e2f4d66139b939dd4c7484 var/ossec/rules/netscreenfw_rules.xml
-28204ef8bad631254a755f33f4546ddb var/ossec/rules/nginx_rules.xml
-97e21ddec67096b83b1325b5f6b60aea var/ossec/rules/nsd_rules.xml
-50a7300c8c1ba9854fe79da28b4d4b98 var/ossec/rules/openbsd-dhcpd_rules.xml
-43a4c289dc1b07f206b279d4e3a187ba var/ossec/rules/openbsd_rules.xml
-b0d00dc7ecff9211064693218a3a95db var/ossec/rules/opensmtpd_rules.xml
-39bcb6a994b23a044c0790d77a77b3e1 var/ossec/rules/ossec_rules.xml
-7e39bf479a30ea9ff891866c5077a503 var/ossec/rules/owncloud_rules.xml
-f54b9e7e6c0d0189620dd17f11a472b4 var/ossec/rules/pam_rules.xml
-e77da584db6c13d934d098d2353ac80e var/ossec/rules/php_rules.xml
-501da0094cc3d4ba62c65ed3b353549d var/ossec/rules/pix_rules.xml
-f5e4afd5cd4cca4e9c4328467a0d3111 var/ossec/rules/policy_rules.xml
-c8ca757b0bf3cb7649228c1947065aff var/ossec/rules/postfix_rules.xml
-41df6baaaa55420cf4e197438474dd74 var/ossec/rules/postgresql_rules.xml
-dc0b51f4d2ca9f015b007f2bf6fd40a8 var/ossec/rules/proftpd_rules.xml
-902a2869fd182e1df364bb633312b27a var/ossec/rules/proxmox-ve_rules.xml
-14bbf5613389bdfcb4ff361eb421a029 var/ossec/rules/psad_rules.xml
-365c9ac9f7c384aa372cf360f99f4b66 var/ossec/rules/pure-ftpd_rules.xml
-223c7d61ec6a954fc5738a8794e87a2d var/ossec/rules/racoon_rules.xml
-cca2c4a80b3bec3d938b27f8d84f83f4 var/ossec/rules/roundcube_rules.xml
-12479fdb28410e4227b63f5c4542ad86 var/ossec/rules/rules_config.xml
-a8589d02ef5ac8909366e17576e04206 var/ossec/rules/sendmail_rules.xml
-ba0f553a0315b988468431a518ecaea8 var/ossec/rules/smbd_rules.xml
-c7d6a9819a0114fd3723da037ca72941 var/ossec/rules/solaris_bsm_rules.xml
-91acc4c37a82a24917dd49a0234935d9 var/ossec/rules/sonicwall_rules.xml
-266dfbc74658e58209e905c8d3aa265c var/ossec/rules/spamd_rules.xml
-ca00f4c574a557007a67e665edbdb1b4 var/ossec/rules/squid_rules.xml
-5654f8fb648baf0176e78126729d1731 var/ossec/rules/sshd_rules.xml
-cec4c84ab0c472e23fac03c800976191 var/ossec/rules/symantec-av_rules.xml
-4469b35f943baa308e6f24a6414e448a var/ossec/rules/symantec-ws_rules.xml
-adefc2dcbc751cdd80cfb65a5d27f606 var/ossec/rules/syslog_rules.xml
-2ec0a4435ba7507da7695d7d66e8e836 var/ossec/rules/sysmon_rules.xml
-83938b706ce03aea17e247a8ec7ccbdf var/ossec/rules/systemd_rules.xml
-70a2d32b8e8d58e6d268174084300d09 var/ossec/rules/telnetd_rules.xml
-533f767e83344e274cab9511f4258a9a var/ossec/rules/topleveldomain_rules.xml
-388e96bc1d1e809f8d803b1d89b5c4a4 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml
-76cae7282056b7368f87dc35f51dd042 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml
-7eef6cf722c3b3d9054e08ab360065ab var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml
-878dd9f2ba85ea6412f37643bb9a9e1e var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml
-8608a50c1b269e01288e44c35dc4ed1e var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml
-cddc3675a94cba0429ef52a114ce2c2d var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml
-d70b192f8e625ceb73a30f1a897c33db var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml
-b4301ce8f2e89a1108b302c6e7bc5bbe var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml
-7b24fe651dc07f5e61213cf3e85d81d4 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml
-c173fbc5724f751887abdcedcb1a1f5f var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml
-2ff1852c585c59cc2cb927afa2368f5c var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml
-6e429d9a2635a1fc63b64a0e2357b8b7 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml
-3189235616e06ede7a0e28638e91ae45 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml
-e1d4cfcfc1afffe9291ff74531b93f43 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml
-4a4bd7aa57d4a3c50ee1221fdd18058e var/ossec/rules/trend-osce_rules.xml
-556dfdd1f092dbf2443a0c899c31e2a7 var/ossec/rules/unbound_rules.xml
-248a9698a23b03848be4641c1e6aebb0 var/ossec/rules/vmpop3d_rules.xml
-c517617b906c22556d34136a4994a529 var/ossec/rules/vmware_rules.xml
-fe8aa8e3dd3d60a9247b8faade030ea3 var/ossec/rules/vpn_concentrator_rules.xml
-812d2a049e381d2816493904ee4cc61b var/ossec/rules/vpopmail_rules.xml
-efb95fd6017a26023f522bfdd855195b var/ossec/rules/vsftpd_rules.xml
-a4f2a7206c4ea2ddade684aae026fd2f var/ossec/rules/web_appsec_rules.xml
-0a6c46cde0395a03387714fb7162ef32 var/ossec/rules/web_rules.xml
-4d72b512251ac20bb9b55a41a1c5cae9 var/ossec/rules/wordpress_rules.xml
-d4a4116cd4bb720352855b93fbd1905a var/ossec/rules/zeus_rules.xml
+++ /dev/null
-#!/bin/sh
-
-set -e
-
-case "$1" in
- configure)
- # continue below
- ;;
-
- abort-upgrade|abort-remove|abort-deconfigure)
- exit 0
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 0
- ;;
-esac
-
-# users and group names
-OSSEC_USER="ossec"
-OSSEC_USER_MAIL="ossecm"
-OSSEC_USER_EXEC="ossece"
-OSSEC_USER_REM="ossecr"
-OSSEC_GROUP="ossec"
-
-# get installation directory
-. /etc/ossec-init.conf
-if [ "X${DIRECTORY}" = "X" ]; then
- DIRECTORY="/var/ossec"
-fi
-
-# create group
-if ! getent group $OSSEC_GROUP >/dev/null; then
- addgroup --system $OSSEC_GROUP
-fi
-
-# create/modify users
-if ! getent passwd $OSSEC_USER >/dev/null; then
- adduser --quiet --system --no-create-home \
- --ingroup $OSSEC_GROUP \
- --home $DIRECTORY --shell /bin/false $OSSEC_USER
-else
- usermod -g $OSSEC_GROUP -s /bin/false \
- -d $DIRECTORY $OSSEC_USER >/dev/null 2>&1
-fi
-if ! getent passwd $OSSEC_USER_MAIL >/dev/null; then
- adduser --quiet --system --no-create-home \
- --ingroup $OSSEC_GROUP \
- --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
-else
- usermod -g $OSSEC_GROUP -s /bin/false \
- -d $DIRECTORY $OSSEC_USER_MAIL >/dev/null 2>&1
-fi
-if ! getent passwd $OSSEC_USER_EXEC >/dev/null; then
- adduser --quiet --system --no-create-home \
- --ingroup $OSSEC_GROUP \
- --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
-else
- usermod -g $OSSEC_GROUP -s /bin/false \
- -d $DIRECTORY $OSSEC_USER_EXEC >/dev/null 2>&1
-fi
-if ! getent passwd $OSSEC_USER_REM >/dev/null; then
- adduser --quiet --system --no-create-home \
- --ingroup $OSSEC_GROUP \
- --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
-else
- usermod -g $OSSEC_GROUP -s /bin/false \
- -d $DIRECTORY $OSSEC_USER_REM >/dev/null 2>&1
-fi
-
-# fix ownership
-chown -R root:$OSSEC_GROUP $DIRECTORY
-chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/alerts
-chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/ossec
-chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/fts
-chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/syscheck
-chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/rootcheck
-chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/agent-info
-chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/rids
-chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/stats
-chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs
-chown -R root:$OSSEC_GROUP $DIRECTORY/etc
-touch $DIRECTORY/logs/ossec.log
-chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs/ossec.log
-chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
-chown -R root:$OSSEC_GROUP $DIRECTORY/rules
-chown root:$OSSEC_GROUP $DIRECTORY/etc/decoder.xml
-chown root:$OSSEC_GROUP $DIRECTORY/etc/internal_options.conf
-chown root:$OSSEC_GROUP $DIRECTORY/etc/client.keys >/dev/null 2>&1 || true
-chown root:$OSSEC_GROUP $DIRECTORY/agentless/*
-chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
-chown -R root:$OSSEC_GROUP $DIRECTORY/etc/shared
-chown root:$OSSEC_GROUP $DIRECTORY/var/run
-chown root:$OSSEC_GROUP $DIRECTORY/active-response/bin/*
-chown root:$OSSEC_GROUP $DIRECTORY/bin/*
-chown root:$OSSEC_GROUP $DIRECTORY/etc/ossec.conf
-
-# fix perms
-chmod -R 550 $DIRECTORY
-chmod -R 770 $DIRECTORY/queue/alerts
-chmod -R 770 $DIRECTORY/queue/ossec
-chmod -R 750 $DIRECTORY/queue/fts
-chmod -R 750 $DIRECTORY/queue/syscheck
-chmod -R 750 $DIRECTORY/queue/rootcheck
-chmod -R 750 $DIRECTORY/queue/diff
-chmod -R 755 $DIRECTORY/queue/agent-info
-chmod -R 755 $DIRECTORY/queue/rids
-chmod -R 755 $DIRECTORY/queue/agentless
-chmod -R 750 $DIRECTORY/stats
-chmod -R 750 $DIRECTORY/logs
-chmod -R 550 $DIRECTORY/rules
-chmod 770 $DIRECTORY/var/run
-chmod 550 $DIRECTORY/etc
-chmod 440 $DIRECTORY/etc/internal_options.conf
-chmod -R 770 $DIRECTORY/etc/shared
-chmod 700 $DIRECTORY/.ssh
-chmod 755 $DIRECTORY/active-response/bin/*
-chmod 550 $DIRECTORY/bin/*
-chmod 440 $DIRECTORY/etc/ossec.conf
-
-# fixups: no need for execute bits on files there
-find $DIRECTORY/rules -type f -exec chmod ugo-x '{}' ';'
-find $DIRECTORY/etc -type f -exec chmod ugo-x '{}' ';'
-
-# copy timezone and localtime
-if [ -e /etc/timezone ]; then
- cmp -s /etc/timezone $DIRECTORY/etc/timezone || \
- cp -a /etc/timezone $DIRECTORY/etc/timezone
-fi
-if [ -e /etc/localtime ]; then
- cmp -s /etc/localtime $DIRECTORY/etc/localtime || \
- cp -a /etc/localtime $DIRECTORY/etc/localtime
-fi
-
-# update system v init links
-update-rc.d ossec-hids defaults >/dev/null
-
-# and start the service
-service ossec-hids restart
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-
-
-exit 0
+++ /dev/null
-#! /bin/sh
-
-set -e
-
-case "$1" in
- purge)
- # continue below
- ;;
-
- remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
- exit 0
- ;;
-
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# cleanup leftovers
-rm -rf /var/ossec/etc /var/ossec/queue /var/ossec/stats
-
-# chown ossec mail directory back to root
-chown -Rh root:root /var/ossec
-
-# users and group names
-OSSEC_USER="ossec"
-OSSEC_USER_MAIL="ossecm"
-OSSEC_USER_EXEC="ossece"
-OSSEC_USER_REM="ossecr"
-OSSEC_GROUP="ossec"
-
-# delete users/groups
-if getent passwd $OSSEC_USER >/dev/null; then
- deluser $OSSEC_USER
-fi
-if getent passwd $OSSEC_USER_MAIL >/dev/null; then
- deluser $OSSEC_USER_MAIL
-fi
-if getent passwd $OSSEC_USER_EXEC >/dev/null; then
- deluser $OSSEC_USER_EXEC
-fi
-if getent passwd $OSSEC_USER_REM >/dev/null; then
- deluser $OSSEC_USER_REM
-fi
-if getent group $OSSEC_GROUP >/dev/null; then
- delgroup --quiet $OSSEC_GROUP
-fi
-
-# update system v init links
-update-rc.d -f ossec-hids remove
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-
-
-exit 0
+++ /dev/null
-#!/bin/sh
-
-set -e
-
-case "$1" in
- purge|remove)
- # continue below
- ;;
-
- *)
- exit 0
- ;;
-esac
-
-# stop the service
-service ossec-hids stop
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-
-
-exit 0
+++ /dev/null
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides: ossec-hids
-# Required-Start: $local_fs $remote_fs $syslog
-# Required-Stop: $local_fs $remote_fs $syslog
-# Should-Start: $network
-# Should-Stop: $network
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: OSSEC HIDS init script
-# Description: Init script for OSSEC HIDS services
-### END INIT INFO
-
-# OSSEC Controls OSSEC HIDS
-# Author: Daniel B. Cid <dcid@ossec.net>
-# Modified for slackware by Jack S. Lai
-# Modified for Debian package by Dinko Korunic <kreator@carnet.hr>
-# Modified for CARNet by Ivan Rako <Ivan.Rako@CARNet.hr>
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-
-. /lib/lsb/init-functions
-. /etc/ossec-init.conf
-if [ "X${DIRECTORY}" = "X" ]; then
- DIRECTORY="/var/ossec"
-fi
-
-start() {
- ${DIRECTORY}/bin/ossec-control start
-}
-
-stop() {
- ${DIRECTORY}/bin/ossec-control stop
-}
-
-status() {
- ${DIRECTORY}/bin/ossec-control status
-}
-
-
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- start
- ;;
- force-reload)
- stop
- start
- ;;
- status)
- status
- ;;
- *)
- echo "*** Usage: $0 {start|stop|restart|status}"
- exit 1
-esac
-
-exit 0
+++ /dev/null
-DIRECTORY="/var/ossec"
-VERSION="v3.3.0"
-DATE="Mon Jun 17 14:58:09 UTC 2019"
-TYPE="local"
+++ /dev/null
-OSSEC v3.3.0
-Copyright (C) 2019 Trend Micro Inc.
-
-
-** Reporting bugs **
-
-Please, make sure to include the following information:
-
--OSSEC version number.
--Content of /etc/ossec-init.conf
--Content of /var/ossec/etc/ossec.conf
--Content of /var/ossec/logs/ossec.log
--Operating system name/version (uname -a if Unix)
--Any other relevant information.
-
-
-
-Github (Public Issue Reporting):
-https://github.com/ossec/ossec-hids/issues
-
-Email (Private Issue Reporting):
-If you prefer to contact us privately or if it is a security
-issue, send an e-mail to OSSEC Project ( ossec@ossec-hids.org ).
-
+++ /dev/null
-OSSEC v3.3.0
-Copyright (C) 2019 Trend Micro Inc.
-
-
-= Information about OSSEC =
-
-Visit http://ossec.github.io
-
-
-= Recommended Installation =
-
-See INSTALL
-
-
-== Configuring OSSEC ==
-
-Just follow the steps from the install.sh script.
-More information at
-https://ossec.github.io/docs/manual/index.html
+++ /dev/null
-Configuration options:
-
-http://www.ossec.net/en/manual.html
+++ /dev/null
-OSSEC v3.3.0 Copyright (C) 2019 Trend Micro Inc.
-
-# Information about OSSEC
-
-OSSEC is a full platform to monitor and control your systems. It mixes together
-all the aspects of HIDS (host-based intrusion detection), log monitoring and
-SIM/SIEM together in a simple, powerful and open source solution.
-
-Visit our website for the latest information. [ossec.github.io](http://ossec.github.io)
-
-
-
-## Current Releases
-
-The current stable releases are available on the ossec website.
-
-* Releases can be downloaded from: [Downloads](http://ossec.github.io/downloads.html)
-* Release documentation is available at: [docs](http://ossec.github.io/docs/)
-
-## Development ##
-
-The development version is hosted on GitHub and just a simple git clone away.
-
-[](https://travis-ci.org/ossec/ossec-hids)
-[](https://scan.coverity.com/projects/1847)
-
-
-## Credits and Thanks ##
-
-* OSSEC comes with a modified version of zlib and a small part
- of openssl (sha1 and blowfish libraries)
-* This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit (http://www.openssl.org/)
-* This product includes cryptographic software written by Eric
- Young (eay@cryptsoft.com)
-* This product include software developed by the zlib project
- (Jean-loup Gailly and Mark Adler)
-* This product include software developed by the cJSON project
- (Dave Gamble)
-
-
+++ /dev/null
-OSSEC HIDS 0.6
-Copyright (c) 2004-2006 Daniel B. Cid <daniel.cid@gmail.com>
- <dcid@ossec.net>
-
-
-How the active response works internally:
-
-- Read active-response.txt for details on configuration
-
-
-1 - The analysis server receives an event that matches the
- active response policy.
-
-2 - The analysis server verifies that all required fields
- are provided with the event. It means that the analysis
- server was able to decode the event and extract the
- necessary information. One example is if it was able
- to extract the IP address from the event to send to
- the firewall to be blocked.
-
-3 - If the active response policy specify that the action
- must be executed locally on the AS, a message is sent
- to the execd directly.
-
-4 - If the active response policy specify that the action
- must be executed remotely, a message is sent to the
- "Active response forwarder" (remoted) to forward the
- event to the specified agent.
-
+++ /dev/null
-OSSEC HIDS v0.7
-Copyright (c) 2004-2006 Daniel B. Cid <daniel.cid@gmail.com>
- <dcid@ossec.net>
-
-
-http://www.ossec.net/en/manual.html#active-response
+++ /dev/null
-#!/usr/bin/perl
-#
-# OSSEC active-response script to store a suspicious IP address in a MySQL table.
-#
-# Available actions are:
-# 'add' - Create a new record in the MySQL DB
-# 'delete' - Remove a existing record
-#
-# History
-# -------
-# 2010/10/24 xavir@rootshell.be Created
-#
-
-use strict;
-use warnings;
-use DBI;
-use Regexp::IPv6 qw($IPv6_re);
-
-# -----------------------
-# DB access configuration
-# -----------------------
-my $db_name = 'ossec_active_lists';
-my $db_user = 'suspicious';
-my $db_pass = 'xxxxxxxxxx';
-
-my ($second, $minute, $hour, $dayOfMonth, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightSavings) = localtime();
-my $theTime = sprintf("%d-%02d-%02d %02d:%02d:%02d",
- $yearOffset+1900, $month+1, $dayOfMonth, $hour, $minute, $second);
-
-my $nArgs = $#ARGV + 1;
-if ($nArgs != 5) {
- print STDERR "Usage: active-list.pl <action> <username> <ip>\n";
- exit 1;
-}
-
-my $action = $ARGV[0];
-my $ipAddr = $ARGV[2];
-my $alertId = $ARGV[3];
-my $ruleId = $ARGV[4];
-
-if ($action ne "add" && $action ne "delete") {
- WriteLog("Invalid action: $action\n");
- exit 1;
-}
-
-if ($ipAddr =~ m/^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)/) {
- if ($1 > 255 || $2 > 255 || $3 > 255 || $4 > 255) {
- WriteLog("Invalid IP address: $ipAddr\n");
- exit 1;
- }
-}
-else if ($ipAddr =~ m/^$IPv6_re/) {
-}
-else {
- WriteLog("Invalid IP address: $ipAddr\n");
-}
-
-WriteLog("active-list.pl $action $ipAddr $alertId $ruleId\n");
-
-my $dbh = DBI->connect('DBI:mysql:' . $db_name, $db_user, $db_pass) || \
- die "Could not connect to database: $DBI::errstr";
-
-if ( $action eq "add" ) {
- my $sth = $dbh->prepare('SELECT ip FROM ip_addresses WHERE ip = "' . $ipAddr . '"');
- $sth->execute();
- my $result = $sth->fetchrow_hashref();
- if (!$result->{ip}) {
- $sth = $dbh->prepare('INSERT INTO ip_addresses VALUES ("' . $ipAddr . '","'. $theTime . '",' . $alertId . ',' . $ruleId . ',"Added by suspicious-ip Perl Script")');
- if (!$sth->execute) {
- WriteLog("Cannot insert new IP address: $DBI::errstr\n");
- }
- }
- else {
- $sth = $dbh->prepare('UPDATE ip_addresses SET timestamp = "' . $theTime . '", alertid = ' . $alertId . ', ruleid = ' . $ruleId . ' WHERE ip = "' . $ipAddr . '"');
- if (!$sth->execute) {
- WriteLog("Cannot update IP address: $DBI::errstr\n");
- }
- }
-}
-else {
- my $sth = $dbh->prepare('DELETE FROM ip_addresses WHERE ip = "' . $ipAddr . '"');
- if (!$sth->execute) {
- WriteLog("Cannot remove IP address: $DBI::errstr\n");
- }
-}
-
-$dbh->disconnect;
-exit 0;
-
-sub WriteLog
-{
- if ( $_[0] eq "" ) { return; }
-
- my $pwd = `pwd`;
- chomp($pwd);
- my $date = `date`;
- chomp($date);
-
- open(LOGH, ">>" . $pwd . "/../active-responses.log") || die "Cannot open log file.";
- print LOGH $date . " " . $_[0];
- close(LOGH);
- return;
-}
+++ /dev/null
-#!/bin/sh
-# Add a localfile to ossec.
-# by Daniel B. Cid - dcid ( at ) ossec.net
-
-FILE=$1
-FORMAT=$2
-
-if [ "X$FILE" = "X" ]; then
- echo "$0: <filename> [<format>]"
- exit 1;
-fi
-
-if [ "X$FORMAT" = "X" ]; then
- FORMAT="syslog"
-fi
-
-# Checking if file is already configured
-grep "$FILE" /var/ossec/etc/ossec.conf > /dev/null 2>&1
-if [ $? = 0 ]; then
- echo "$0: File $FILE already configured at ossec."
- exit 1;
-fi
-
-# Checking if file exist
-ls -la $FILE > /dev/null 2>&1
-if [ ! $? = 0 ]; then
- echo "$0: File $FILE does not exist."
- exit 1;
-fi
-
-echo "
-<ossec_config>
- <localfile>
- <log_format>$FORMAT</log_format>
- <location>$FILE</location>
- </localfile>
-</ossec_config>
-" >> /var/ossec/etc/ossec.conf
-
-echo "$0: File $FILE added.";
-exit 0;
+++ /dev/null
-#!/usr/bin/perl -w
-use strict;
-# Contrib by Meir Michanie
-# meirm at riunx.com
-# Licensed under GPL
-my $VERSION='0.1';
-my $ossec_path='/var/ossec';
-my $rules_config="$ossec_path/etc/rules_config.xml";
-my $usersignatures_path="$ossec_path/user_signatures";
-my $signatures_path="$ossec_path/signatures";
-while ( @ARGV) {
- $_=shift @ARGV;
- if (m/^-u$|^--user-signatures$/) {
- $usersignatures_path= shift @ARGV;
- &help() unless -d $usersignatures_path;
- }elsif (m/^-s$|^--signatures$/){
- $signatures_path= shift @ARGV;
- &help() unless -d $signatures_path;
- }elsif (m/^-c$|^--rules_config$/){
- $rules_config= shift @ARGV;
- &help() unless -f $rules_config;
- }elsif (m/^-h$|^--help$/){
- &help;
- }
-}
-print STDERR "Adding $rules_config\n";
-my @rules_files=($rules_config);
-opendir (USERDEFINED , "$usersignatures_path") || die ("Could not open dir $usersignatures_path\n");
-my @temparray=();
-while ($_ = readdir(USERDEFINED)){
- chomp;
- next unless -f "$usersignatures_path/$_";
- print STDERR "Adding $usersignatures_path/$_\n";
- push @temparray, "$usersignatures_path/$_";
-}
-close (USERDEFINED);
-push @rules_files , sort (@temparray);
-
-@temparray=();
-opendir(RULES,"$signatures_path") || die ("Could not open dir $signatures_path\n");
-while ($_ = readdir(RULES)){
- chomp;
- next unless -f "$signatures_path/$_";
- print STDERR "Adding $signatures_path/$_\n";
- push @temparray, "$signatures_path/$_";
-}
-close (RULES);
-push @rules_files , sort (@temparray);
-map { print STDERR "processing: $_\n";} @rules_files;
-foreach (@rules_files){
- open (RFILE, "$_") ||die ("Could not open file $_");
- my @content=<RFILE>;
- close (RFILE);
- print join ('',@content);
-}
-
-sub help(){
- print STDERR "$0\nRules compilation tool for OSSEC \n";
- print "This tool facilitates the building of monolitic rules file to be included in ossec.xml.\n"
- . "You only need one rules include entry in ossec.xml\n"
- . "<rules>\n"
- . "\t<include>ossec_rules.xml</include>"
- ."</rules>"
-
- . "$0 will print to STDOUT the result of the mixing.\n"
- . "If no parameter are passed then the application will use the default locations.\n"
- . "Default values:\n"
- . "--user-signatures -> $usersignatures_path\n"
- . "--signatures -> $signatures_path\n"
- . "--rules-config -> $rules_config\n"
- . "Compiling rules allows us to generate multiple configurations and even facilitate the upgrade of them.\n"
- . "By instance, you can make a directory with symbolic links to rules you want to use without altering the standard repository.\n"
- . "There are more examples of situation where you can use a subset of the rules repository\n"
- . "I invite someone to reword this explanation.\n";
-
- print STDERR "\n\nUsage:\n";
- print STDERR "$0 [-u|--user-signatures] <user-signatures-dir> [-s|--signatures] <signatures-dir>\n"
- ."\n\nBUGS:\n"
- . "I just wanted to deliver version one.\n"
- . "I will change the script to read the directory sorted, so you can link signatures with names that would emulate the behavior of the sysV system.\n";
-
- exit;
-}
+++ /dev/null
-ossec-debian
-============
-
-OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
-
-These are the files used to create OSSEC-HIDS version 2.8 debian packages, the ones included both in ossec.net website and in WAZUH repository. You can find these packages at:
-
-http://www.ossec.net/?page_id=19
-
-or directly at: http://ossec.wazuh.com/repos/apt/
-
-There are two different packages that can be built with these files:
-
-* ossec-hids: Package that includes both the server and the agent.
-* ossec-hids-agent: Package that includes just the agent.
-
-Each one of the subdirectories includes:
-
-* Patches
-* Debian control files: changelog, compat, control, copyright, lintian-overrides, postinst, postrm, preinst, rules
-
-Additionally a script, ```generate_ossec.sh```, is included to generate the Debian packages for Jessie, Sid and Wheezy Debian distributions, both for i386 and amd64 architectures. This script uses Pbuilder to build the packages, and uploads those to an APT repository, setup with Reprepro.
-
-For more details on how to create Debian Packages and an APT repository you can check my post at:
-
-http://santi-bassett.blogspot.com/2014/07/setting-up-apt-repository-with-reprepro.html
-
-Please don't hesitate to contribute (preferably via pull requests) to improve these packages.
+++ /dev/null
-/var/ossec/etc/ossec.conf
+++ /dev/null
-Source: ossec-hids-agent
-Section: admin
-Priority: extra
-Maintainer: Santiago Bassett <santiago.bassett@gmail.com>
-Build-Depends: debhelper (>= 7.0.50~), libssl-dev, linux-libc-dev
-Standards-Version: 3.8.4
-Homepage: http://www.ossec.net
-
-Package: ossec-hids-agent
-Architecture: any
-Depends: ${shlibs:Depends}, libc6 (>= 2.7), libssl1.0.0, expect, debconf
-Conflicts: ossec-hids
-Description: OSSEC Agent - Host Based Intrusion Detection System
- OSSEC HIDS for log analysis, integrity checking, rootkits detection and
- active response. This package includes the server and the agent.
+++ /dev/null
-This work was packaged for Debian by:
-
- Santiago Bassett <santiago.bassett@gmail.com> on Fri, 29 Nov 2013 03:11:44 +0000
-
-It was downloaded from:
-
- http://www.ossec.net
-
-Upstream Authors:
-
- dcid@dcid.me
- Jia-BingJB_Cheng@trendmicro.com
- vichargrave@gmail.com
- ossec@michaelstarks.com
- ddpbsd@gmail.com
- scott@atomicorp.com
- brad.lhotsky@gmail.com
- jeremy@jeremyrossi.com
- santiago.bassett@gmail.com
-
-Copyright:
-
- GNU General Public License version 2.
-
-License:
-
- GNU General Public License version 2.
-
-The Debian packaging is:
-
- Copyright (C) 2014 Santiago Bassett <santiago.bassett@gmail.com>
-
-and is licensed under the GPL version 2,
-see "/usr/share/common-licenses/GPL-2".
+++ /dev/null
-ossec-hids-agent: embedded-library
-ossec-hids-agent: embedded-zlib
-ossec-hids-agent: possible-gpl-code-linked-with-openssl
-ossec-hids-agent: new-package-should-close-itp-bug
-ossec-hids-agent: possibly-insecure-handling-of-tmp-files-in-maintainer-script
-ossec-hids-agent: non-standard-dir-in-var
-ossec-hids-agent: file-in-unusual-dir
-ossec-hids-agent: hardening-no-fortify-functions
-ossec-hids-agent: hardening-no-relro
+++ /dev/null
-Index: ossec-hids-agent-2.8.2/Makefile
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ ossec-hids-agent-2.8.2/Makefile 2015-06-15 03:15:51.083134760 +0000
-@@ -0,0 +1,54 @@
-+#
-+# Santiago Bassett <santiago.bassett@gmail.com>
-+# 06/15/2015
-+#
-+
-+DESTDIR=/
-+DIR=$(DESTDIR)/var/ossec/
-+OSSEC_INIT=$(DIR)/etc/ossec-init.conf
-+CEXTRA="-DCLIENT"
-+all:
-+ echo "CEXTRA=$(CEXTRA)" >> src/Config.OS
-+ (cd src; make all)
-+
-+clean:
-+ rm bin/* || /bin/true
-+ chmod 750 $(DIR) || /bin/true
-+ chmod 750 $(DIR)/* || /bin/true
-+ (cd src; make clean)
-+ rm -f src/Config.OS
-+ rm -f src/analysisd/compiled_rules/compiled_rules.h
-+ rm -f src/isbigendian.c
-+ rm -f src/analysisd/ossec-makelists
-+ rm -f src/analysisd/ossec-logtest
-+ rm -f src/isbigendian
-+
-+install:
-+ mkdir -p $(DIR)
-+ (cd $(DIR); mkdir -p logs bin queue queue/ossec queue/alerts queue/syscheck queue/diff queue/rids)
-+ (cd $(DIR); mkdir -p var var/run etc etc/init.d etc/shared active-response active-response/bin agentless .ssh)
-+ cp -pr src/rootcheck/db/*.txt $(DIR)/etc/shared/
-+ chmod -x $(DIR)/etc/shared/*.txt
-+ cp -pr etc/internal_options.conf $(DIR)/etc/
-+ chmod -x $(DIR)/etc/internal_options.conf
-+ cp -pr etc/local_internal_options.conf $(DIR)/etc/ > /dev/null 2>&1 || /bin/true
-+ cp -pr etc/client.keys $(DIR)/etc/ > /dev/null 2>&1 ||/bin/true
-+ cp -pr src/agentlessd/scripts/* $(DIR)/agentless/
-+ cp -pr src/client-agent/ossec-agentd ${DIR}/bin/
-+ cp -pr src/os_auth/agent-auth ${DIR}/bin/
-+ cp -pr src/logcollector/ossec-logcollector ${DIR}/bin/
-+ cp -pr src/syscheckd/ossec-syscheckd ${DIR}/bin/
-+ cp -pr src/os_execd/ossec-execd ${DIR}/bin/
-+ cp -pr src/init/ossec-client.sh ${DIR}/bin/ossec-control
-+ cp -pr src/addagent/manage_agents ${DIR}/bin/
-+ cp -pr contrib/util.sh ${DIR}/bin/
-+ sh src/init/fw-check.sh execute > /dev/null
-+ cp -pr active-response/*.sh ${DIR}/active-response/bin/
-+ cp -pr active-response/firewalls/*.sh ${DIR}/active-response/bin/
-+ cp -pr etc/ossec-agent.conf $(DIR)/etc/ossec.conf
-+ chmod -x $(DIR)/etc/ossec.conf
-+ cp -p src/init/ossec-hids-debian.init $(DIR)/etc/init.d/ossec
-+ echo "DIRECTORY=\"/var/ossec\"" > $(OSSEC_INIT)
-+ echo "VERSION=\"v2.8.2\"" >> $(OSSEC_INIT)
-+ echo "DATE=\"`date`\"" >> $(OSSEC_INIT)
-+ echo "TYPE=\"agent\"" >> $(OSSEC_INIT)
+++ /dev/null
-Index: ossec-hids-2.8.2/etc/ossec-agent.conf
-===================================================================
---- ossec-hids-2.8.2.orig/etc/ossec-agent.conf 2015-06-10 15:38:32.000000000 +0000
-+++ ossec-hids-2.8.2/etc/ossec-agent.conf 2015-07-12 18:54:10.859134760 +0000
-@@ -25,40 +25,46 @@
- <rootcheck>
- <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-+ <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
- </rootcheck>
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/messages</location>
-+ <location>/var/log/syslog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/authlog</location>
-+ <location>/var/log/auth.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/secure</location>
-+ <location>/var/log/dpkg.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/xferlog</location>
-+ <location>/var/log/kern.log</location>
- </localfile>
-
-+<!--
-+
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/maillog</location>
-+ <location>/var/log/mail.log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
-- <location>/var/www/logs/access_log</location>
-+ <location>/var/log/apache2/access.log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
-- <location>/var/www/logs/error_log</location>
-+ <location>/var/log/apache2/error.log</location>
- </localfile>
-+
-+-->
-+
- </ossec_config>
+++ /dev/null
-02_ossec-agent.conf.patch
-01_makefile.patch
+++ /dev/null
-#!/bin/sh
-# postinst script for ossec-hids
-# Santiago Bassett <santiago.bassett@gmail.com>
-# 03/25/2014
-
-set -e
-
-case "$1" in
- configure)
-
- DIR="/var/ossec/"
- USER="ossec"
- GROUP="ossec"
- OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids"
-
- OSMYSHELL="/sbin/nologin"
- if [ ! -f ${OSMYSHELL} ]; then
- if [ -f "/bin/false" ]; then
- OSMYSHELL="/bin/false"
- fi
- fi
-
- if ! getent group | grep -q "^ossec"
- then
- addgroup --system ossec
- fi
- if ! getent passwd | grep -q "^ossec"
- then
- adduser --system --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER} > /dev/null 2>&1
- fi
-
- # Default for all directories
- chmod -R 550 ${DIR}
- chown -R root:${GROUP} ${DIR}
-
- # To the ossec queue (default for agentd to read)
- chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
- chmod -R 770 ${DIR}/queue/ossec
-
- # For the logging user
- chown -R ${USER}:${GROUP} ${DIR}/logs
- chmod -R 750 ${DIR}/logs
- chmod -R 775 ${DIR}/queue/rids
- touch ${DIR}/logs/ossec.log
- chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
- chmod 664 ${DIR}/logs/ossec.log
-
- chown -R ${USER}:${GROUP} ${DIR}/queue/diff
- chmod -R 750 ${DIR}/queue/diff
- chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true
-
- # For the etc dir
- chmod 550 ${DIR}/etc
- chown -R root:${GROUP} ${DIR}/etc
- if [ -f /etc/localtime ]; then
- cp -pL /etc/localtime ${DIR}/etc/;
- chmod 555 ${DIR}/etc/localtime
- chown root:${GROUP} ${DIR}/etc/localtime
- fi
-
- if [ -f /etc/TIMEZONE ]; then
- cp -p /etc/TIMEZONE ${DIR}/etc/;
- chmod 555 ${DIR}/etc/TIMEZONE
- fi
-
- # More files
- chown root:${GROUP} ${DIR}/etc/internal_options.conf
- chown root:${GROUP} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
- chown root:${GROUP} ${DIR}/etc/client.keys >/dev/null 2>&1 || true
- chown root:${GROUP} ${DIR}/agentless/*
- chown ${USER}:${GROUP} ${DIR}/.ssh
- chown root:${GROUP} ${DIR}/etc/shared/*
-
- chmod 550 ${DIR}/etc
- chmod 440 ${DIR}/etc/internal_options.conf
- chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
- chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true
- chmod 550 ${DIR}/agentless/*
- chmod 700 ${DIR}/.ssh
- chmod 770 ${DIR}/etc/shared
- chmod 660 ${DIR}/etc/shared/*
-
- # For the /var/run
- chmod 770 ${DIR}/var/run
- chown root:${GROUP} ${DIR}/var/run
-
- # For util.sh
- chown root:${GROUP} ${DIR}/bin/util.sh
- chmod +x ${DIR}/bin/util.sh
-
- # For binaries and active response
- chmod 755 ${DIR}/active-response/bin/*
- chown root:${GROUP} ${DIR}/active-response/bin/*
- chown root:${GROUP} ${DIR}/bin/*
- chmod 550 ${DIR}/bin/*
-
- # For ossec.conf
- chown root:${GROUP} ${DIR}/etc/ossec.conf
- chmod 660 ${DIR}/etc/ossec.conf
-
- # Debconf
- . /usr/share/debconf/confmodule
- db_input high ossec-hids-agent/server-ip || true
- db_go
-
- db_get ossec-hids-agent/server-ip
- SERVER_IP=$RET
-
- sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf
- db_stop
-
- # ossec-init.conf
- if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then
- if [ -e /etc/ossec-init.conf ]; then
- rm -f /etc/ossec-init.conf
- fi
- ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf
- fi
-
- # init.d/ossec file
- if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then
- if [ -e /etc/init.d/ossec ]; then
- rm -f /etc/init.d/ossec
- fi
- ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec
- fi
-
- # Service
- if [ -x /etc/init.d/ossec ]; then
- update-rc.d -f ossec defaults
- fi
-
- # Delete tmp directory
- if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then
- rm -r ${OSSEC_HIDS_TMP_DIR}
- fi
-
- ;;
-
-
- abort-upgrade|abort-remove|abort-deconfigure)
-
- ;;
-
-
- *)
- echo "postinst called with unknown argument \`$1'" >22
- exit 1
- ;;
-
-esac
-
-exit 0
+++ /dev/null
-#!/bin/sh
-# postrm script for ossec-hids
-# Santiago Bassett <santiago.bassett@gmail.com>
-# 03/25/2014
-
-
-set -e
-
-case "$1" in
- purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
- if getent passwd | grep -q "^ossec"
- then
- deluser ossec
- fi
- if getent group | grep -q "^ossec"
- then
- delgroup ossec
- fi
- rm -f /etc/init.d/ossec
- rm -f /etc/ossec-init.conf
- update-rc.d -f ossec remove
-
- ;;
-
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
-
- ;;
-
-esac
-
-exit 0
+++ /dev/null
-#!/bin/sh
-# preinst script for ossec-hids
-# Santiago Bassett <santiago.bassett@gmail.com>
-# 03/25/2014
-
-set -e
-
-# configuration variables
-OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids"
-
-# environment configuration
-if [ ! -d ${OSSEC_HIDS_TMP_DIR} ]; then
- mkdir ${OSSEC_HIDS_TMP_DIR}
-fi
-
-case "$1" in
- install|upgrade)
- # back up the current user rules
- if [ -f /var/ossec/rules/local_rules.xml ]; then
- cp /var/ossec/rules/local_rules.xml ${OSSEC_HIDS_TMP_DIR}/local_rules.xml
- fi
- ;;
-
- abort-upgrade)
-
- ;;
-
- *)
- echo "preinst called with unknown argument \`$1'" >&2
- exit 1
-
- ;;
-
-esac
-
-exit 0
+++ /dev/null
-#!/usr/bin/make -f
-# -*- makefile -*-
-# Sample debian/rules that uses debhelper.
-#
-# This file was originally written by Joey Hess and Craig Small.
-# As a special exception, when this file is copied by dh-make into a
-# dh-make output file, you may use that output file without restriction.
-# This special exception was added by Craig Small in version 0.37 of dh-make.
-#
-# Modified to make a template file for a multi-binary package with separated
-# build-arch and build-indep targets by Bill Allombert 2001
-
-# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
-
-# This has to be exported to make some magic below work.
-export DH_OPTIONS
-
-
-%:
- dh $@
-
-override_dh_auto_configure:
-
-override_dh_auto_build:
- $(MAKE) all
-
-override_dh_auto_clean:
- $(MAKE) clean
+++ /dev/null
-3.0 (quilt)
+++ /dev/null
-Template: ossec-hids-agent/server-ip
-Type: string
-Default: 127.0.0.1
-Description: OSSEC server IP address for this agent. This server is also known as Manager and will receive information from the agent. You need to specify the IP address, the hostname is not valid. The agent still needs to be registered and started manually.
+++ /dev/null
-/var/ossec/etc/ossec.conf
+++ /dev/null
-Source: ossec-hids
-Section: admin
-Priority: extra
-Maintainer: Santiago Bassett <santiago.bassett@gmail.com>
-Build-Depends: debhelper (>= 7.0.50~), libssl-dev, linux-libc-dev
-Standards-Version: 3.8.4
-Homepage: http://www.ossec.net
-
-Package: ossec-hids
-Architecture: any
-Depends: ${shlibs:Depends}, libc6 (>= 2.7), libssl1.0.0, expect, debconf
-Conflicts: ossec-hids-agent
-Description: OSSEC - Host Based Intrusion Detection System
- OSSEC HIDS for log analysis, integrity checking, rootkits detection and
- active response. This package includes the server and the agent.
+++ /dev/null
-This work was packaged for Debian by:
-
- Santiago Bassett <santiago.bassett@gmail.com> on Fri, 29 Nov 2013 03:11:44 +0000
-
-It was downloaded from:
-
- http://www.ossec.net
-
-Upstream Authors:
-
- dcid@dcid.me
- Jia-BingJB_Cheng@trendmicro.com
- vichargrave@gmail.com
- ossec@michaelstarks.com
- ddpbsd@gmail.com
- scott@atomicorp.com
- brad.lhotsky@gmail.com
- jeremy@jeremyrossi.com
- santiago.bassett@gmail.com
-
-Copyright:
-
- GNU General Public License version 2.
-
-License:
-
- GNU General Public License version 2.
-
-The Debian packaging is:
-
- Copyright (C) 2014 Santiago Bassett <santiago.bassett@gmail.com>
-
-and is licensed under the GPL version 2,
-see "/usr/share/common-licenses/GPL-2".
+++ /dev/null
-ossec-hids: embedded-library
-ossec-hids: embedded-zlib
-ossec-hids: possible-gpl-code-linked-with-openssl
-ossec-hids: new-package-should-close-itp-bug
-ossec-hids: possibly-insecure-handling-of-tmp-files-in-maintainer-script
-ossec-hids: non-standard-dir-in-var
-ossec-hids: file-in-unusual-dir
-ossec-hids: hardening-no-fortify-functions
-ossec-hids: hardening-no-relro
+++ /dev/null
-Index: ossec-hids-2.8.2/Makefile
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ ossec-hids-2.8.2/Makefile 2015-08-10 04:36:27.819134760 +0000
-@@ -0,0 +1,72 @@
-+#
-+# Santiago Bassett <santiago.bassett@gmail.com>
-+# 06/15/2015
-+#
-+
-+DESTDIR?=/
-+DIR=$(DESTDIR)/var/ossec/
-+OSSEC_INIT=$(DIR)/etc/ossec-init.conf
-+
-+all:
-+ echo "HEXTRA=-DMAX_AGENTS=16384" >> src/Config.OS
-+ (cd src; make all; make build)
-+
-+clean:
-+ rm bin/* || /bin/true
-+ mkdir -p $(DIR)/rules/translated/
-+ chmod 750 $(DIR) || /bin/true
-+ chmod 750 $(DIR)/* || /bin/true
-+ chmod 750 $(DIR)/rules/translated/ || /bin/true
-+ chmod 750 $(DIR)/rules/translated/* || /bin/true
-+ (cd src; make clean)
-+ rm -f src/Config.OS
-+ rm -f src/analysisd/compiled_rules/compiled_rules.h
-+ rm -f src/isbigendian.c
-+ rm -f src/analysisd/ossec-makelists
-+ rm -f src/analysisd/ossec-logtest
-+ rm -f src/isbigendian
-+
-+install:
-+ mkdir -p $(DIR)
-+ (cd $(DIR); mkdir -p logs logs/archives logs/alerts logs/firewall bin stats rules queue queue/alerts queue/ossec queue/fts queue/syscheck queue/rootcheck queue/diff queue/agent-info queue/agentless queue/rids tmp var var/run etc etc/init.d etc/shared active-response active-response/bin agentless .ssh contrib)
-+ cp -pr etc/rules/* $(DIR)/rules/
-+ chmod -x $(DIR)/rules/*.xml
-+ chmod -x $(DIR)/rules/log-entries/*
-+ chmod -x $(DIR)/rules/translated/pure_ftpd/*.xml
-+ cp -pL /etc/localtime $(DIR)/etc/ 2>/dev/null || /bin/true
-+ cp -p /etc/TIMEZONE $(DIR)/etc/ 2>/dev/null || /bin/true
-+ cp -p contrib/compile_alerts.pl $(DIR)/contrib/
-+ cp -p contrib/compile_alerts.txt $(DIR)/contrib/
-+ cp -p contrib/config2xml $(DIR)/contrib/
-+ cp -p contrib/ossec-batch-manager.pl $(DIR)/contrib/
-+ cp -p contrib/ossec-eps.sh $(DIR)/contrib/
-+ cp -pr bin/ossec* $(DIR)/bin/
-+ cp -pr bin/manage_agents $(DIR)/bin/
-+ cp -pr bin/syscheck_update $(DIR)/bin/
-+ cp -pr bin/verify-agent-conf $(DIR)/bin/
-+ cp -pr bin/clear_stats $(DIR)/bin/
-+ cp -pr bin/list_agents $(DIR)/bin/
-+ cp -pr bin/agent_control $(DIR)/bin/
-+ cp -pr bin/syscheck_control $(DIR)/bin/
-+ cp -pr bin/rootcheck_control $(DIR)/bin/
-+ cp -pr contrib/util.sh $(DIR)/bin/
-+ cp -pr src/init/ossec-server.sh $(DIR)/bin/ossec-control
-+ cp -pr etc/decoder.xml $(DIR)/etc/
-+ chmod -x $(DIR)/etc/decoder.xml
-+ cp -pr etc/local_decoder.xml $(DIR)/etc/ > /dev/null 2>&1 || /bin/true
-+ cp -pr etc/local_internal_options.conf $(DIR)/etc/ > /dev/null 2>&1 || /bin/true
-+ cp -pr etc/client.keys $(DIR)/etc/ > /dev/null 2>&1 ||/bin/true
-+ cp -pr src/agentlessd/scripts/* $(DIR)/agentless/
-+ cp -pr etc/internal_options.conf $(DIR)/etc/
-+ chmod -x $(DIR)/etc/internal_options.conf
-+ cp -pr etc/ossec-server.conf $(DIR)/etc/ossec.conf
-+ chmod -x $(DIR)/etc/ossec.conf
-+ cp -pr src/rootcheck/db/*.txt $(DIR)/etc/shared/
-+ chmod -x $(DIR)/etc/shared/*.txt
-+ cp -p active-response/*.sh $(DIR)/active-response/bin/
-+ cp -p active-response/firewalls/*.sh $(DIR)/active-response/bin/
-+ cp -p src/init/ossec-hids-debian.init $(DIR)/etc/init.d/ossec
-+ echo "DIRECTORY=\"/var/ossec\"" > $(OSSEC_INIT)
-+ echo "VERSION=\"$(cat src/VERSION)" >> $(OSSEC_INIT)
-+ echo "DATE=\"`date`\"" >> $(OSSEC_INIT)
-+ echo "TYPE=\"server\"" >> $(OSSEC_INIT)
+++ /dev/null
-Index: ossec-hids-2.8.2/etc/ossec-server.conf
-===================================================================
---- ossec-hids-2.8.2.orig/etc/ossec-server.conf 2015-06-10 15:38:32.000000000 +0000
-+++ ossec-hids-2.8.2/etc/ossec-server.conf 2015-07-12 18:46:24.995134760 +0000
-@@ -2,10 +2,10 @@
-
- <ossec_config>
- <global>
-- <email_notification>yes</email_notification>
-- <email_to>daniel.cid@example.com</email_to>
-- <smtp_server>smtp.example.com.</smtp_server>
-- <email_from>ossecm@ossec.example.com.</email_from>
-+ <email_notification>no</email_notification>
-+ <email_to>your_email_address@example.com</email_to>
-+ <smtp_server>smtp.your_domain.com.</smtp_server>
-+ <email_from>ossecm@ossec.your_domain.com.</email_from>
- </global>
-
- <rules>
-@@ -90,14 +90,11 @@
- <rootcheck>
- <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-+ <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
- </rootcheck>
-
- <global>
- <white_list>127.0.0.1</white_list>
-- <white_list>192.168.2.1</white_list>
-- <white_list>192.168.2.190</white_list>
-- <white_list>192.168.2.32</white_list>
-- <white_list>192.168.2.10</white_list>
- </global>
-
- <remote>
-@@ -138,6 +135,7 @@
- - level (severity) >= 6.
- - The IP is going to be blocked for 600 seconds.
- -->
-+ <disabled>yes</disabled>
- <command>host-deny</command>
- <location>local</location>
- <level>6</level>
-@@ -149,6 +147,7 @@
- - 600 seconds on the firewall (iptables,
- - ipfilter, etc).
- -->
-+ <disabled>yes</disabled>
- <command>firewall-drop</command>
- <location>local</location>
- <level>6</level>
-@@ -159,36 +158,41 @@
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/messages</location>
-+ <location>/var/log/syslog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/authlog</location>
-+ <location>/var/log/auth.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/secure</location>
-+ <location>/var/log/dpkg.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/xferlog</location>
-+ <location>/var/log/kern.log</location>
- </localfile>
-
-+<!--
-+
- <localfile>
- <log_format>syslog</log_format>
-- <location>/var/log/maillog</location>
-+ <location>/var/log/mail.log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
-- <location>/var/www/logs/access_log</location>
-+ <location>/var/log/apache2/access.log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
-- <location>/var/www/logs/error_log</location>
-+ <location>/var/log/apache2/error.log</location>
- </localfile>
-+
-+-->
-+
- </ossec_config>
+++ /dev/null
-02_ossec-server.conf.patch
-01_makefile.patch
+++ /dev/null
-#!/bin/sh
-# postrm script for ossec-hids
-
-set -e
-
-case "$1" in
- purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
- if getent passwd | grep -q "^ossecr"
- then
- deluser ossecr
- fi
- if getent passwd | grep -q "^ossecm"
- then
- deluser ossecm
- fi
- if getent passwd | grep -q "^ossec"
- then
- deluser ossec
- fi
- if getent group | grep -q "^ossec"
- then
- delgroup ossec
- fi
- rm -f /etc/init.d/ossec
- rm -f /etc/ossec-init.conf
- update-rc.d -f ossec remove
-
- ;;
-
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
-
- ;;
-
-esac
-
-exit 0
+++ /dev/null
-#!/bin/sh
-# preinst script for ossec-hids
-
-set -e
-
-# configuration variables
-OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids"
-
-# environment configuration
-if [ ! -d ${OSSEC_HIDS_TMP_DIR} ]; then
- mkdir ${OSSEC_HIDS_TMP_DIR}
-fi
-
-case "$1" in
- install|upgrade)
- # back up the current user rules
- if [ -f /var/ossec/rules/local_rules.xml ]; then
- cp /var/ossec/rules/local_rules.xml ${OSSEC_HIDS_TMP_DIR}/local_rules.xml
- fi
- ;;
-
- abort-upgrade)
-
- ;;
-
- *)
- echo "preinst called with unknown argument \`$1'" >&2
- exit 1
-
- ;;
-
-esac
-
-exit 0
+++ /dev/null
-#!/usr/bin/make -f
-# -*- makefile -*-
-# Sample debian/rules that uses debhelper.
-#
-# This file was originally written by Joey Hess and Craig Small.
-# As a special exception, when this file is copied by dh-make into a
-# dh-make output file, you may use that output file without restriction.
-# This special exception was added by Craig Small in version 0.37 of dh-make.
-#
-# Modified to make a template file for a multi-binary package with separated
-# build-arch and build-indep targets by Bill Allombert 2001
-
-# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
-
-# This has to be exported to make some magic below work.
-export DH_OPTIONS
-
-
-%:
- dh $@
-
-override_dh_auto_configure:
-
-override_dh_auto_build:
- $(MAKE) all
-
-override_dh_auto_clean:
- $(MAKE) clean
+++ /dev/null
-3.0 (quilt)
+++ /dev/null
-Template: ossec-hids/email_notification
-Type: select
-Choices: yes, no
-Default: no
-Description: Enable email notification when an alert is triggered.
-
-Template: ossec-hids/email_to
-Type: string
-Default: root@localhost
-Description: This is the email address where alerts will be sent to.
-
-Template: ossec-hids/email_from
-Type: string
-Default: ossecm@localhost
-Description: This is the from email address used to send alerts.
-
-Template: ossec-hids/smtp_server
-Type: string
-Default: localhost
-Description: SMTP server IP address or hostname.
+++ /dev/null
-@echo off
-
-rem Searching for IIS logs.
-rem If we find any log in the NCSA or W3C extended format,
-rem change the config to support that. If not, let the user know.
-rem Example of log to look: nc060215.log or ex060723.log
-
-echo.
-echo Looking for IIS log files to monitor.
-echo For more information visit:
-echo http://www.ossec.net/en/manual.html#iis
-echo.
-echo.
-
-IF EXIST %WinDir%\System32\LogFiles\W3SVC1\nc??????.log (
- echo * IIS NCSA log found. Changing config to read it.
- echo. >> ossec.conf
- echo ^<ossec_config^> >> ossec.conf
- echo ^<localfile^> >> ossec.conf
- echo ^<location^>%WinDir%\System32\LogFiles\W3SVC1\nc%%y%%m%%d.log^</location^> >> ossec.conf
- echo ^<log_format^>iis^</log_format^> >> ossec.conf
- echo ^</localfile^> >> ossec.conf
- echo ^</ossec_config^> >> ossec.conf
- pause
- )
-
-IF EXIST %WinDir%\System32\LogFiles\W3SVC1\ex??????.log (
- echo * IIS W3C extended log found. Changing config to read it.
- echo. >> ossec.conf
- echo ^<ossec_config^> >> ossec.conf
- echo ^<localfile^> >> ossec.conf
- echo ^<location^>%WinDir%\System32\LogFiles\W3SVC1\ex%%y%%m%%d.log^</location^> >> ossec.conf
- echo ^<log_format^>iis^</log_format^> >> ossec.conf
- echo ^</localfile^> >> ossec.conf
- echo ^</ossec_config^> >> ossec.conf
- pause
- )
-
-IF EXIST %WinDir%\System32\LogFiles\W3SVC3\ex??????.log (
- echo * IIS W3C extended log found. Changing config to read it.
- echo. >> ossec.conf
- echo ^<ossec_config^> >> ossec.conf
- echo ^<localfile^> >> ossec.conf
- echo ^<location^>%WinDir%\System32\LogFiles\W3SVC3\nc%%y%%m%%d.log^</location^> >> ossec.conf
- echo ^<log_format^>iis^</log_format^> >> ossec.conf
- echo ^</localfile^> >> ossec.conf
- echo ^</ossec_config^> >> ossec.conf
- pause
- )
-
-IF EXIST %WinDir%\System32\LogFiles\W3SVC1 (
- echo * IIS Log found. Look at the link above if you want to monitor it.
- pause
- exit )
-
-rem EOF
-
+++ /dev/null
-Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11'
- hostname: 'melancia'
- program_name: 'pam'
- log: 'gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty'
- hostname: 'triumph'
- program_name: 'PAM-securetty'
- log: 'Couldn't open /etc/securetty'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '1001'
- Level: '2'
- Description: 'File missing. Root access unrestricted.'
-**Alert to be generated.
-
-
+++ /dev/null
-Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0'
- hostname: 'bogus.com'
- program_name: 'su'
- log: 'ericx to root on /dev/ttyu0'
-
-**Phase 2: Completed decoding.
- decoder: 'su'
- srcuser: 'ericx'
- dstuser: 'root'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5305'
- Level: '4'
- Description: 'First time (su) is executed by user.'
-**Alert to be generated.
-
-
+++ /dev/null
-May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '2501'
- Level: '5'
- Description: 'User authentication failure.'
-**Alert to be generated.
-
-
+++ /dev/null
-May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '2501'
- Level: '5'
- Description: 'User authentication failure.'
-**Alert to be generated.
-
-
+++ /dev/null
-Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Jul 5 12:13:15 lili su[2614]: Authentication failed for root
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '2501'
- Level: '5'
- Description: 'User authentication failure.'
-**Alert to be generated.
-
-
+++ /dev/null
-Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006'
- hostname: 'niban'
- program_name: 'useradd'
- log: 'new group: name=test, gid=5006'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5901'
- Level: '8'
- Description: 'New group added to the system'
-**Alert to be generated.
-
-
+++ /dev/null
-Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0)'
- hostname: 'melancia'
- program_name: 'runuser'
- log: 'pam_unix(runuser:session): session opened for user root by (uid=0)'
-
-**Phase 2: Completed decoding.
- decoder: 'pam'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5501'
- Level: '3'
- Description: 'Login session opened.'
-**Alert to be generated.
-
-
+++ /dev/null
-May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000'
- hostname: 'niban'
- program_name: 'useradd'
- log: 'new group: name=logr, gid=12000'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5901'
- Level: '8'
- Description: 'New group added to the system'
-**Alert to be generated.
-
-
+++ /dev/null
-Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001'
- hostname: 'niban'
- program_name: 'useradd'
- log: 'new group: name=test2, gid=12001'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5901'
- Level: '8'
- Description: 'New group added to the system'
-**Alert to be generated.
-
-
+++ /dev/null
-Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
- hostname: 'enigma'
- program_name: 'sudo'
- log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
-
-**Phase 2: Completed decoding.
- decoder: 'sudo'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5404'
- Level: '10'
- Description: 'Three failed attempts to run sudo'
-**Alert to be generated.
-
-
+++ /dev/null
-May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls'
- hostname: 'enigma'
- program_name: 'sudo'
- log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls'
-
-**Phase 2: Completed decoding.
- decoder: 'sudo'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5404'
- Level: '10'
- Description: 'Three failed attempts to run sudo'
-**Alert to be generated.
-
-
+++ /dev/null
-Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4'
- hostname: 'localhost'
- program_name: 'vsftpd'
- log: 'pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4'
-
-**Phase 2: Completed decoding.
- decoder: 'pam'
- srcip: '1.2.3.4'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5503'
- Level: '5'
- Description: 'User login failed.'
-**Alert to be generated.
-
-
+++ /dev/null
-Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure'
- hostname: 'enigma'
- program_name: 'sudo'
- log: 'dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure'
-
-**Phase 2: Completed decoding.
- decoder: 'sudo'
- dstuser: 'dcid'
- url: '/var/www/htdocs'
- srcuser: 'root'
- status: '/usr/bin/tail /var/log/secure'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5403'
- Level: '4'
- Description: 'First time user executed sudo.'
-**Alert to be generated.
-
-
+++ /dev/null
-May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers'
- hostname: 'lili'
- program_name: 'sudo'
- log: 'dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers'
-
-**Phase 2: Completed decoding.
- decoder: 'sudo'
- dstuser: 'dcid'
- url: '/home/dcid'
- srcuser: 'root'
- status: '/usr/bin/vi /etc/sudoers'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5403'
- Level: '4'
- Description: 'First time user executed sudo.'
-**Alert to be generated.
-
-
+++ /dev/null
-Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220'
- hostname: 'ccs'
- program_name: 'rpc.statd'
- log: 'gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '1002'
- Level: '2'
- Description: 'Unknown problem somewhere in the system.'
-**Alert to be generated.
-
-
+++ /dev/null
-May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com'
- hostname: 'server'
- program_name: 'ftpd'
- log: 'ANONYMOUS FTP LOGIN FROM emaca.here.com'
-
-**Phase 2: Completed decoding.
- decoder: 'ftpd'
- srcip: 'emaca.here.com'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '11106'
- Level: '3'
- Description: 'Remote host connected to FTP server.'
-**Alert to be generated.
-
-
+++ /dev/null
-May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
- hostname: 'victim-host'
- program_name: 'inetd'
- log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '40107'
- Level: '14'
- Description: 'Heap overflow in the Solaris cachefsd service.'
- Info - CVE: '2002-0033'
-**Alert to be generated.
-
-
+++ /dev/null
-May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
- hostname: 'victim-host'
- program_name: 'inetd'
- log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '40107'
- Level: '14'
- Description: 'Heap overflow in the Solaris cachefsd service.'
- Info - CVE: '2002-0033'
-**Alert to be generated.
-
-
+++ /dev/null
-Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0'
- hostname: 'hostj'
- program_name: 'named'
- log: 'security: notice: dropping source port zero packet from [64.211.251.254].0'
-
-**Phase 2: Completed decoding.
- decoder: 'named'
- srcip: '64.211.251.254'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '12101'
- Level: '12'
- Description: 'Invalid DNS packet. Possibility of attack.'
-**Alert to be generated.
-
-
+++ /dev/null
-sshd[7386]: error: Bad prime description in line 73
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'sshd[7386]: error: Bad prime description in line 73'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'sshd[7386]: error: Bad prime description in line 73'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '1002'
- Level: '2'
- Description: 'Unknown problem somewhere in the system.'
-**Alert to be generated.
-
-
+++ /dev/null
-Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)'
- hostname: 'elrond'
- program_name: 'sshd'
- log: 'refused connect from accsys.elink.net.au (203.31.101.11)'
-
-**Phase 2: Completed decoding.
- decoder: 'sshd'
- srcip: '203.31.101.11'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '2503'
- Level: '5'
- Description: 'Connection blocked by Tcp Wrappers.'
-**Alert to be generated.
-
-
+++ /dev/null
-Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.'
- hostname: 'hostname'
- program_name: 'cimserver'
- log: 'PGS17200: Authentication failed for user jones_b.'
-
-**Phase 2: Completed decoding.
- decoder: 'cimserver'
- dstuser: 'jones_b'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '9610'
- Level: '5'
- Description: 'Compaq Insight Manager authentication failure.'
-**Alert to be generated.
-
-
+++ /dev/null
-Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '1002'
- Level: '2'
- Description: 'Unknown problem somewhere in the system.'
-**Alert to be generated.
-
-
+++ /dev/null
-Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
-
-**Phase 2: Completed decoding.
- No decoder matched.
-
-**Phase 3: Completed filtering (rules).
- Rule id: '1002'
- Level: '2'
- Description: 'Unknown problem somewhere in the system.'
-**Alert to be generated.
-
-
+++ /dev/null
-[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: '[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)'
- hostname: 'melancia'
- program_name: '(null)'
- log: '[error] [client 127.0.0.1] request failed: URI too long (longer than 8190)'
-
-**Phase 2: Completed decoding.
- decoder: 'apache-errorlog'
- srcip: '127.0.0.1'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '30117'
- Level: '10'
- Description: 'Invalid URI, file name too long.'
-**Alert to be generated.
-
-
+++ /dev/null
-[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: '[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed'
- hostname: 'melancia'
- program_name: '(null)'
- log: '[error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed'
-
-**Phase 2: Completed decoding.
- decoder: 'apache-errorlog'
- srcip: '127.0.0.1'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '30117'
- Level: '10'
- Description: 'Invalid URI, file name too long.'
-**Alert to be generated.
-
-
+++ /dev/null
-Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]'
-
-**Phase 2: Completed decoding.
- No decoder matched.
+++ /dev/null
-Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'
- hostname: 'niban'
- program_name: 'sudo'
- log: ' dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'
-
-**Phase 2: Completed decoding.
- decoder: 'sudo'
- dstuser: 'dcid'
- url: '/home/dcid'
- srcuser: 'root'
- status: '/usr/bin/tail /var/log/snort/alert.fast'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '5403'
- Level: '4'
- Description: 'First time user executed sudo.'
-**Alert to be generated.
-
-
+++ /dev/null
-Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec'
-
-**Phase 2: Completed decoding.
- decoder: 'vsftpd'
- dstuser: 'xx'
- status: 'OK UPLOAD'
- srcip: '1.2.3.4'
- url: '/a.php'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '11404'
- Level: '0'
- Description: 'FTP server file upload.'
+++ /dev/null
-MySQL log: 060516 22:38:46 mysqld ended
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'MySQL log: 060516 22:38:46 mysqld ended'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'MySQL log: 060516 22:38:46 mysqld ended'
-
-**Phase 2: Completed decoding.
- decoder: 'mysql_log'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '50120'
- Level: '12'
- Description: 'Database shutdown message.'
-**Alert to be generated.
-
-
+++ /dev/null
-Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]'
- hostname: 'gandalf'
- program_name: 'pop3d'
- log: 'LOGIN FAILED, ip=[::ffff:1.2.3.4]'
-
-**Phase 2: Completed decoding.
- decoder: 'courier'
- srcip: '::ffff:1.2.3.4'
-
-**Phase 3: Completed filtering (rules).
- Rule id: '3902'
- Level: '5'
- Description: 'Courier (imap/pop3) authentication failed.'
-**Alert to be generated.
-
-
+++ /dev/null
-type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
+++ /dev/null
-**Phase 1: Completed pre-decoding.
- full event: 'type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"'
- hostname: 'melancia'
- program_name: '(null)'
- log: 'type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"'
-
-**Phase 2: Completed decoding.
- decoder: 'auditd'
- action: 'SYSCALL'
- id: '148'
- status: 'yes'
- extra_data: '/tmp/wget'
+++ /dev/null
-#!/bin/sh
-
-hostname=`hostname`
-hostname melancia
-
-cleanup() {
- hostname $hostname
- rm -f ./tmpres
-}
-
-trap "cleanup" INT TERM EXIT
-exitcode=0
-
-if diff --help 2>&1 | grep -q -- --color; then
- diff_cmd='diff --color'
-else
- diff_cmd='diff'
-fi
-
-echo "Starting log unit tests (must be run as root and on a system with OSSEC installed)."
-echo "(it will make sure the current rules are working as they should)."
-rm -f ./tmpres
-for i in ./*/log; do
- idir=`dirname $i`
-
- rm -f ./tmpres || exit "Unable to remove tmpres.";
- cat $i | /var/ossec/bin/ossec-logtest 2>&1|grep -av ossec-testrule |grep -aA 500 "Phase 1:" > ./tmpres
-
- if [ ! -f $idir/res ]; then
- echo "** Creating entry for $i - Not set yet."
- cat ./tmpres > $idir/res
- rm -f tmpres
- continue;
- fi
- MD1=`md5sum ./tmpres | cut -d " " -f 1`
- MD2=`md5sum $idir/res | cut -d " " -f 1`
-
- if [ ! $MD1 = $MD2 ]; then
- exitcode=1
- echo
- echo
- echo
- echo "**ERROR: Unit testing failed. Output for the test $i failed."
- echo "== DIFF OUTPUT: =="
- $diff_cmd -Na -U `wc -l $idir/res` tmpres
- rm -f tmpres
- fi
-
-done
-
-echo ""
-if [ $exitcode -eq 0 ]; then
- echo "Log unit tests completed. Everything seems ok (nothing changed since last test regarding the outputs)."
-else
- echo "Log unit tests completed. Some tests failed."
-fi
-exit $exitcode
+++ /dev/null
-#!/bin/sh
-# Calculate OSSEC events per second
-# Author Michael Starks ossec [at] michaelstarks [dot] com
-# License: GPLv3
-
-if [ ! -e /etc/ossec-init.conf ]; then
- echo OSSEC does not appear to be installed on this system. Goodbye.
- exit 1
-else
- grep -q agent /etc/ossec-init.conf && echo This script can only be run on the manager. Goodbye. && exit 1
-fi
-
-#Reset counters
-COUNT=0
-EPSSUM=0
-EPSAVG=0
-#Source OSSEC Dir
-. /etc/ossec-init.conf
-
-for i in $(grep 'Total events for day' ${DIRECTORY}/stats/totals/*/*/ossec-totals-*.log | cut -d: -f3); do
- COUNT=$((COUNT+1))
- DAILYEVENTS=$i
- EPSSUM=$(($DAILYEVENTS+$EPSSUM))
-done
-
-EPSAVG=$(($EPSSUM/$COUNT/(86400)))
-
-echo Your total lifetime number of events collected is: $EPSSUM
-echo Your total daily number of events average is: $(($EPSSUM/$COUNT))
-echo Your daily events per second average is: $EPSAVG
+++ /dev/null
-#! /usr/bin/perl -w
-
-use strict;
-use warnings;
-
-use Cwd qw/getcwd realpath/;
-use File::Basename;
-use File::Find;
-use File::Temp qw/tempfile/;
-
-my $ossec_regex_convert = realpath(dirname($0) . '/../src/ossec-regex-convert');
-
-sub get_install_dir () {
- open(FILE, '<', 'src/LOCATION') || die("Cannot find INSTALL DIR");
- my $dir = '/var/ossec';
-
- while (<FILE>) {
- if (m{^DIR\s*=\s*(["']?)(.*)\g1$}p) {
- $dir = $2;
- last;
- }
- }
-
- return $dir;
-}
-
-my $old_tags = join('|', split(/\n/m, `$ossec_regex_convert -t`));
-
-sub convert_file ($) {
- my $filename = shift();
- print("Converting ${filename}...\n");
-
- unless (open(SRC, '<', $filename)) {
- print(STDERR "Cannot read '${filename}'\n");
- return;
- }
- my ($tmp_fh, $tmp_filename) = tempfile('tmp-ossec-config-convert.XXXXX', DIR => '/tmp', SUFFIX => '.xml');
-
- while (<SRC>) {
- if (m{^(\s*)<\s*($old_tags)([^>]*)>(.*?)<\s*/\s*\g2\s*>}pg) {
- my ($indent, $old_type, $options, $old_regex) = ($1, $2, $3, $4);
- $old_regex =~ s/'/'\\''/g;
- my $out = qx/$ossec_regex_convert -b -- $old_type '$old_regex'/;
- chomp($out);
- my ($type, $regex) = split(/ /, $out, 2);
- if ($old_regex) {
- print($tmp_fh "$indent<$type$options>$regex</$type>\n");
- } else {
- print($tmp_fh "$indent<$type$options></$type>\n");
- }
- } else {
- print($tmp_fh $_);
- }
- }
-
- close(SRC);
- close($tmp_fh);
-
- rename($tmp_filename, $filename);
-}
-
-sub wanted() {
- my $filename = $File::Find::name;
-
- if ($filename =~ m/[.]xml$/) {
- convert_file($filename);
- }
-}
-
-my $INSTALL_DIR = get_install_dir();
-if (! -d ${INSTALL_DIR}) {
- print(STDERR "Please install OSSEC first\n");
- exit(1);
-}
-
-find({wanted => \&wanted, no_chdir => 1}, $INSTALL_DIR);
-
-exit(0);
+++ /dev/null
-#!/usr/bin/env python
-import ConfigParser
-import subprocess
-import os
-import sys
-import os.path
-
-
-class OssecTester(object):
- def __init__(self):
- self._error = False
- self._debug = False
- self._quiet = False
- self._ossec_conf = "/var/ossec/etc/ossec.conf"
- self._base_dir = "/var/ossec/"
- self._ossec_path = "/var/ossec/bin/"
- self._test_path = "./tests"
-
- def buildCmd(self, rule, alert, decoder):
- cmd = ['%s/ossec-logtest' % (self._ossec_path), ]
- cmd += ['-q']
- if self._ossec_conf:
- cmd += ["-c", self._ossec_conf]
- if self._base_dir:
- cmd += ["-D", self._base_dir]
- cmd += ['-U', "%s:%s:%s" % (rule, alert, decoder)]
- return cmd
-
- def runTest(self, log, rule, alert, decoder, section, name, negate=False):
- #print self.buildCmd(rule, alert, decoder)
- p = subprocess.Popen(
- self.buildCmd(rule, alert, decoder),
- stdout=subprocess.PIPE,
- stderr=subprocess.STDOUT,
- stdin=subprocess.PIPE,
- shell=False)
- std_out = p.communicate(log)[0]
- if (p.returncode != 0 and not negate) or (p.returncode == 0 and negate):
- self._error = True
- print ""
- print "-" * 60
- print "Failed: Exit code = %s" % (p.returncode)
- print " Alert = %s" % (alert)
- print " Rule = %s" % (rule)
- print " Decoder = %s" % (decoder)
- print " Section = %s" % (section)
- print " line name = %s" % (name)
- print " "
- print std_out
- elif self._debug:
- print "Exit code= %s" % (p.returncode)
- print std_out
- else:
- sys.stdout.write(".")
-
- def run(self, selective_test=False):
- for aFile in os.listdir(self._test_path):
- aFile = os.path.join(self._test_path, aFile)
- if aFile.endswith(".ini"):
- if selective_test and not aFile.endswith(selective_test):
- continue
- print "- [ File = %s ] ---------" % (aFile)
- tGroup = ConfigParser.ConfigParser()
- tGroup.read([aFile])
- tSections = tGroup.sections()
- for t in tSections:
- rule = tGroup.get(t, "rule")
- alert = tGroup.get(t, "alert")
- decoder = tGroup.get(t, "decoder")
- for (name, value) in tGroup.items(t):
- if name.startswith("log "):
- if self._debug:
- print "-" * 60
- if name.endswith("pass"):
- neg = False
- elif name.endswith("fail"):
- neg = True
- else:
- neg = False
- self.runTest(value, rule, alert, decoder,
- t, name, negate=neg)
- print ""
- if self._error:
- sys.exit(1)
-
-if __name__ == "__main__":
- if len(sys.argv) == 2:
- selective_test = sys.argv[1]
- if not selective_test.endswith('.ini'):
- selective_test += '.ini'
- else:
- selective_test = False
- OT = OssecTester()
- OT.run(selective_test)
+++ /dev/null
-[Attempt to access forbidden directory index.]
-log 1 pass = [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
-rule = 30106
-alert = 5
-decoder = apache-errorlog
-
-[Code Red attack]
-log 1 pass = [error] [client 64.94.163.159] Client sent malformed Host header
-rule = 30107
-alert = 6
-decoder = apache-errorlog
-
-[Attempt to access an non-existent file]
-log 1 pass = [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
-rule = 30112
-alert = 0
-decoder = apache-errorlog
-
-[Apache notice messages grouped]
-log 1 pass = [notice] Apache configured
-rule = 30103
-alert = 0
-decoder = apache-errorlog
-
-[Apache 2.2 error messages grouped]
-log 1 pass = [Fri Dec 13 06:59:54 2013] [error] [client 12.34.65.78] PHP Notice:
-rule = 30101
-alert = 0
-decoder = apache-errorlog
-
-[Apache 2.4 error messages grouped]
-log 1 pass = [Tue Sep 30 11:30:13.262255 2014] [core:error] [pid 20101] [client 99.47.227.95:34567] AH00037: Symbolic link not allowed or link target not accessible: /usr/share/awstats/icon/mime/document.png
-log 2 pass = [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different
-rule = 30301
-alert = 0
-decoder = apache-errorlog
-
-[Apache 2.4 warn messages grouped]
-log 1 pass = [Tue Sep 30 12:24:22.891366 2014] [proxy:warn] [pid 2331] [client 77.127.180.111:54082] AH01136: Unescaped URL path matched ProxyPass; ignoring unsafe nocanon, referer: http://www.easylinker.co.il/he/links.aspx?user=bguyb
-rule = 30302
-alert = 0
-decoder = apache-errorlog
-
-[Attempt to access forbidden file or directory]
-log 1 pass = [Tue Sep 30 14:25:44.895897 2014] [authz_core:error] [pid 31858] [client 99.47.227.95:38870] AH01630: client denied by server configuration: /var/www/example.com/docroot/
-rule = 30305
-alert = 5
-decoder = apache-errorlog
-
-[Apache messages grouped]
-log 1 pass = [Thu Oct 23 15:17:55.926067 2014] [ssl:info] [pid 18838] [client 36.226.119.49:2359] AH02008: SSL library error 1 in handshake (server www.example.com:443)
-log 2 pass = [Thu Oct 23 15:17:55.926123 2014] [ssl:info] [pid 18838] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!?
-rule = 30100
-alert = 0
-decoder = apache-errorlog
-
-[PHP Notices in Apache 2.4 errorlog]
-log 1 pass = [Sun Nov 23 18:49:01.713508 2014] [:error] [pid 15816] [client 141.8.147.9:51507] PHP Notice: A non well formed numeric value encountered in /path/to/file.php on line 123
-rule = 30318
-alert = 5
-decoder = apache-errorlog
-
-[auth fail]
-log 1 pass = [Tue Feb 07 08:50:22.679122 2017] [auth_basic:error] [pid 14446] [client 10.101.1.50:33168] AH01617: user pupkin: authentication failure for "/secret/": Password Mismatch
-rule = 30308
-alert = 5
-decoder = apache-errorlog
-
-[script 404]
-log 1 pass = [Tue Feb 07 02:43:19.799723 2017] [cgi:error] [pid 9721] [client 10.101.1.50:44324] AH02811: script not found or unable to stat: /var/www/html/showmail.pl
-rule = 30321
-alert = 2
-decoder = apache-errorlog
-
-[permission denied]
-log 1 pass = [Thu Feb 02 01:44:27.699327 2017] [access_compat:error] [pid 7934] [client ::1:50058] AH01797: client denied by server configuration: /var/www/html/'
-log 2 pass = [Thu Feb 02 00:59:02.285651 2017] [core:error] [pid 20009] (13)Permission denied: [client ::1:49934] AH00132: file permissions deny server access: /var/www/html/1
-rule = 30320
-alert = 2
-decoder = apache-errorlog
-
+++ /dev/null
-[Ignore ALLOWED or STATUS]
-log 1 pass = Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
-
-rule = 52001
-alert = 0
-decoder = iptables
-
-[Apparmor ALLOWED or STATUS]
-log 1 pass = Jun 23 20:46:15 hostname kernel: [ 11.103248] audit: type=1400 audit(1403549175.177:2): apparmor="STATUS" operation="profile_load" name="/sbin/klogd" pid=2185 comm="apparmor_parser"
-
-rule = 52001
-alert = 0
-decoder = iptables
-
-[Apparmor DENIED]
-log 1 pass = Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
-
-rule = 52002
-alert = 3
-decoder = iptables
-
-[Apparmor DENIED mknod operation.]
-log 1 pass = Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
-
-rule = 52004
-alert = 4
-decoder = iptables
-
-[Apparmor DENIED exec operation.]
-log 1 pass = Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type =1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
-
-rule = 52003
-alert = 5
-decoder = iptables
-
+++ /dev/null
-[login failed]
-log 1 pass = Aug 29 07:21:05 hostname asterisk[3284]: NOTICE[3734]: chan_sip.c:28088 in handle_request_register: Registration from '"3810" <sip:3810@1.2.3.4:5060>' failed for '37.8.26.31:5065' - Wrong password
-log 2 pass = Dec 16 18:02:04 asterisk1 asterisk[31774]: NOTICE[31787]: chan_sip.c:11242 in handle_request_register: Registration from '"503"<sip:503@192.168.1.107>' failed for '192.168.1.137' - Wrong password
-
-rule = 6210
-alert = 5
-decoder = asterisk
-
-[invalid extension]
-log 1 pass = Aug 30 16:02:29 hostname asterisk[3284]: NOTICE[3734][C-00001c7a]: chan_sip.c:25650 in handle_request_invite: Call from '' (89.163.146.112:5071) to extension '70046313115067' rejected because extension not found in context 'default'.
-
-rule = 6258
-alert = 5
-decoder = asterisk
-
+++ /dev/null
-[rshd: illegal]
-log 1 pass = Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
-log 2 fail = Dec 18 18:06:29 hostname vimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
-
-
-rule = 9610
-alert = 5
-decoder = cimserver
-
+++ /dev/null
-[cisco ios ids: sig]
-log 1 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444]
-log 2 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
-log 3 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80]
-
-
-rule = 20100
-alert = 8
-decoder = cisco-ios
-
-
-[cisco ios: acl ]
-log 1 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
-log 2 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
-
-
-rule = 4100
-alert = 0
-decoder = cisco-ios
-
-
+++ /dev/null
-[successful login]
-log 1 fail = [2016-04-18 13:07:02 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
-log 2 fail = [2016-04-18 13:07:15 -0400] info [cpsrvd] 10.1.5.19 - reseller (possessor: root) - SUCCESS LOGIN cpaneld
-log 3 fail = [2016-04-18 13:08:27 -0400] info [cpsrvd] 10.1.5.19 - emailaccount@reseller.com (possessor: reseller) - SUCCESS LOGIN webmaild
-
-rule = 11007
-alert = 3
-decoder = postgresql_log
-
-
-[cpanel attacks]
-log 1 fail = [2017-01-25 06:01:10 -0500] info [cpsrvd] 10.1.5.19 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
-
-rule = 11001
-alert = 5
-decoder = postgresql_log
-
-[cpanel attacks 2]
-log 1 fail = [2016-11-18 09:32:19 +0000] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
-
-rule = 11000
-alert = 5
-decoder = cpanel-login
-
-[successful login 2]
-log 1 fail = [2016-04-18 13:07:02 +0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
-
-rule = 11006
-alert = 3
-decoder = cpanel-login
-
-[session purge]
-log 1 fail = [2017-01-25 06:15:38 -0500] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
-
-rule = 11009
-alert = 3
-decoder = postgresql_log
-
+++ /dev/null
-[dnsmasq group]
-log 1 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 query[A] server.example.com from 10.10.10.33
-log 2 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 forwarded server.example.com to 10.20.20.10
-log 3 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 reply server.example.com is <CNAME>
-
-rule = 53551
-alert = 0
-decoder = dnsmasq
-
+++ /dev/null
-[failed command]
-log 1 fail = Apr 13 08:49:20 ix doas: failed command for ddp2: ls
-
-rule = 51554
-alert = 5
-decoder = doas
-
-[command run as root]
-log 1 fail = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules
-
-rule = 51556
-alert = 2
-decoder = doas
-
-[failed auth]
-log 1 fail = Feb 29 14:58:39 ix doas: failed auth for ddp
-
-rule = 51557
-alert = 5
-decoder = doas
-
-[doas command run]
-log 1 fail = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls
-
-rule = 51555
-alert = 1
-decoder = doas
-
+++ /dev/null
-[auth failed]
-log 1 pass = Dec 19 06:21:06 ny dovecot: imap-login: Disconnected (auth failed, 7 attempts in 111 secs): user=<thousands>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<+hgd5vxDBMZtycjJ>
-log 2 pass = Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
-log 3 pass = Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
-
-rule = 9705
-alert = 5
-decoder = dovecot
-
-[dovecot is starting]
-log 1 pass = Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled)
-
-rule = 9703
-alert = 3
-decoder = dovecot
-
-[fatal error]
-log 1 pass = Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap'
-log 2 pass = Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down
-
-rule = 9704
-alert = 2
-decoder = dovecot
-
-[user authentication failure]
-log 1 pass = Jun 23 15:04:05 Info: imap-login: Login: user=<username>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5 Authentication Failure:
-
-rule = 9770
-alert = 0
-decoder = dovecot-info
-
-[dovecot auth failed]
-log 1 pass = Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql(user@example.com,1.2.3.4): Password mismatch
-
-rule = 9702
-alert = 5
-decoder = dovecot
-
-[XXX nothing]
-log 1 fail = Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
-log 3 fail = May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
-
-rule = 1002
-alert = 2
-decoder =
-
-[XXX unknown 1002]
-log 1 pass = Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
-
-rule = 9771
-alert = 5
-decoder = dovecot-info
-
-[session disconnected]
-log 1 pass = Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
-
-rule = 9706
-alert = 3
-decoder = dovecot
-
-[aborted login]
-log 1 pass = Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
-
-rule = 9707
-alert = 5
-decoder = dovecot
-
-[XXX logged out]
-log 1 fail = Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
-
-rule = 1002
-alert = 2
-decoder = dovecot-info
-
-[unknown user]
-log 1 pass = Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user
-
-rule = 9771
-alert = 5
-decoder = dovecot-info
-
+++ /dev/null
-[dpkg log]
-log 1 pass = 2018-05-31 12:09:56 upgrade vlc-plugin-visualization:amd64 3.0.2-1+b1 3.0.3-1
-log 2 pass = 2018-05-11 09:41:49 conffile /etc/redis/redis.conf keep
-
-rule = 2900
-alert = 0
-decoder = windows-date-format
-
+++ /dev/null
-[already listening]
-log 1 pass = Jun 25 14:04:30 10.0.0.1 dropbear[30746]: Failed listening on '7001': Error listening: Address already in use
-
-rule = 51011
-alert = 1
-decoder = dropbear
-
+++ /dev/null
-[auth failure]
-log 1 pass = 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
-log 2 pass = 2017-01-24 05:22:29 dovecot_plain authenticator failed for (test) [::1]:39454: 535 Incorrect authentication data (set_id=test)
-
-rule = 13006
-alert = 5
-decoder = windows-date-format
-
-[exim connection]
-log 1 pass = 2017-01-24 03:09:46 SMTP connection from [10.101.1.10]:55010 (TCP/IP connection count = 1)
-
-rule = 13008
-alert = 0
-decoder = windows-date-format
-
-[exim connection lost]
-log 1 pass = 2017-01-24 02:53:13 SMTP connection from (hydra) [10.101.1.10]:53682 lost
-
-rule = 13009
-alert = 1
-decoder = windows-date-format
-
-[exim syntax/protocol error]
-log 1 pass = 2017-01-24 05:36:23 SMTP call from (000000) [::1]:39480 dropped: too many syntax or protocol errors (last command was "123")
-
-rule = 13010
-alert = 5
-decoder = windows-date-format
-
+++ /dev/null
-[Incorrect chain/target/match.]
-log 3 fail = Jul 18 10:51:43 localhost firewalld: 2014-07-18 10:51:43 ERROR: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: iptables: No chain/target/match by that name.
-
-rule = 40902
-alert = 3
-decoder =
-
-[Incorrect chain/target/match.]
-log 3 fail = Jul 18 10:51:43 localhost firewalld: 2014-07-18 10:51:43 ERROR: COMMAND_FAILED: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: iptables: No chain/target/match by that name.
-
-rule = 40902
-alert = 3
-decoder =
-
-[firewalld: zone already set]
-log 3 fail = Jul 18 11:04:51 localhost firewalld: 2014-07-18 11:04:51 ERROR: ZONE_ALREADY_SET
-
-rule = 40903
-alert = 2
-decoder =
-
+++ /dev/null
-[update phishing]
-log 1 fail = Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated
-rule = 3752
-alert = 0
-decoder =
-
+++ /dev/null
-[ModSecurity Warning messages grouped]
-log 1 pass = [Mon Feb 09 16:47:55.974089 2015] [:error] [pid 17675] [client 172.16.10.87] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "172.16.10.91"] [uri "/wordpress/wp-includes/rss-functions.php"] [unique_id "VNkA238AAQEAAEULYMwAAAAA"]
-log 2 pass = [Thu Jan 22 14:33:30.959520 2015] [:error] [pid 2406] [client 172.16.10.87] ModSecurity: Warning. Pattern match "^(?i)(?:ft|htt)ps?(.*?)\\\\?+$" at ARGS:path_prefix. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "160"] [id "950119"] [rev "2"] [msg "Remote File Inclusion Attack"] [data "Matched Data: http://cirt.net/rfiinc.txt? found within ARGS:path_prefix: http://cirt.net/rfiinc.txt?"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"] [hostname "172.16.10.91"] [uri "/wordpress/web/BetaBlockModules//Module/Module.php"] [unique_id "VMEmWn8AAQEAAAlmdHgAAAAI"]
-rule = 30401
-alert = 0
-decoder = apache-errorlog
-
-[ModSecurity Audit log messages grouped]
-log 1 pass = [Mon Feb 09 21:17:06.798110 2015] [:error] [pid 8608] [client 172.16.10.57] ModSecurity: Audit log: Failed writing (requested 83 bytes, written 24): No space left on device [hostname "172.16.10.91"] [uri "/403.php"] [unique_id "VNk-8n8AAQEAACGg7LEAAAAE"]
-log 2 pass = [Wed Feb 11 19:46:12.759594 2015] [:error] [pid 1130] [client 172.16.10.91] ModSecurity: Audit log: Failed to lock global mutex: Identifier removed [hostname "172.16.10.91"] [uri "/wordpress/wp-cron.php"] [unique_id "VNvLw38AAQEAAARqTXsAAAAD"]
-rule = 30403
-alert = 0
-decoder = apache-errorlog
-
-[ModSecurity rejected a query]
-log 1 pass = [Mon Feb 09 16:47:55.908176 2015] [:error] [pid 17679] [client 172.16.10.91] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "172.16.10.91"] [uri "/wordpress/wp-cron.php"] [unique_id "VNkA238AAQEAAEUP9hIAAAAI"]
-log 2 pass = [Mon Feb 09 16:47:55.973954 2015] [:error] [pid 17675] [client 172.16.10.87] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "172.16.10.91"] [uri "/wordpress/wp-includes/rss-functions.php"] [unique_id "VNkA238AAQEAAEULYMwAAAAA"]
-rule = 30411
-alert = 7
-decoder = apache-errorlog
+++ /dev/null
-[Query cache denied]
-log 1 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied
-log 2 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.4#32769: query (cache) denied
-log 3 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied
-log 4 fail = Aug 29 15:33:13 ns3 name[464]: client 217.148.39.4#32769: query (cache) denied
-log 5 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache)
-log 6 pass = Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173 (odcdavcxkvin.games.yuanyou8.com): query (cache) 'odcdavcxkvin.games.yuanyou8.com/A/IN' denied
-
-rule = 12108
-alert = 5
-decoder = named
+++ /dev/null
-[Firewall configuration changed.]
-log 1 pass = 2014-05-23T10:25:58.681222-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-information-00767: System configuration saved by netscreen via web from host 10.10.10.101 to 10.10.10.1:443 by netscreen. (2014-05-23 10:58:17)
-
-rule = 4509
-alert = 8
-decoder = netscreenfw
-
-[Firewall policy changed.]
-log 1 pass = 2014-05-23T10:29:55.704201-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-notification-00018: Policy (5, Trust->Untrust, 10.10.10.0/24->172.16.19.0/24,ANY, Permit) was modified by netscreen via web from host 10.10.10.101 to 10.10.10.1:443. (2014-05-23 11:02:13)
-
-rule = 4508
-alert = 8
-decoder = netscreenfw
-
-[Successfull admin login to the Netscreen firewall]
-log 1 pass = 2014-05-23T10:39:20.681154-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-warning-00515: Management session via SSH from 10.10.10.100:0 for admin netscreen has timed out (2014-05-23 11:11:39)
-
-rule = 4507
-alert = 8
-decoder = netscreenfw
-
-[syn flood]
-log 1 pass = Jul 7 05:02:34 ssg5.17.168.192.in-addr.arpa ssg5: NetScreen device_id=ssg5 [Root]system-emergency-00005: SYN flood! From 192.168.18.53:41437 to 192.168.17.251:9612, proto TCP (zone Untrust int ethernet0/0). Occurred 1 times. (2016-07-07 05:02:32)
-
-rule = 4560
-alert = 3
-decoder = netscreenfw
-
+++ /dev/null
-; YYYY/MM/DD HH:MM:SS [LEVEL] PID:TID yadda yadda
-[Nginx messages grouped.]
-log 1 pass = 2014/12/30 06:07:37 [yadda] 80:2 yadda yadda
-
-rule = 31300
-alert = 0
-decoder = nginx-errorlog
-
-[Nginx error message.]
-log 1 pass = 2014/12/30 06:07:37 [error] 80:2 yadda yadda
-
-rule = 31301
-alert = 3
-decoder = nginx-errorlog
-
-[Nginx warning message.]
-log 1 pass = 2014/12/30 06:07:37 [warn] 80:2 yadda yadda
-
-rule = 31302
-alert = 3
-decoder = nginx-errorlog
-
-[Nginx critical message.]
-log 1 pass = 2014/12/30 06:07:37 [crit] 80:2
-
-rule = 31303
-alert = 5
-decoder = nginx-errorlog
-
-[Server returned 404 (reported in the access.log).]
-log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah failed (2: No such file or directory)
-log 2 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah is not found (2: No such file or directory)
-
-rule = 31310
-alert = 0
-decoder = nginx-errorlog
-
-[Incomplete client request.]
-log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah accept() failed (53: Software caused connection abort)
-
-rule = 31311
-alert = 0
-decoder = nginx-errorlog
-
-[Initial 401 authentication request.]
-log 1 pass = 2015/01/08 11:31:23 [error] 80:2 no user/password was provided for basic authentication
-
-rule = 31312
-alert = 0
-decoder = nginx-errorlog
-
-[Web authentication failed.]
-log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda password mismatch, client yadda
-log 2 pass = 2015/01/08 11:31:23 [error] 80:2 yadda was not found in yadda
-
-rule = 31315
-alert = 5
-decoder = nginx-errorlog
-
-# Can't yet test frequency <rule id="31316" level="10" frequency="6" timeframe="240">
-;[Multiple web authentication failures.]
-;
-;rule = 31316
-;alert = 10
-;decoder = nginx-errorlog
-
-[Common cache error when files were removed.]
-log 1 pass = 2015/01/08 11:31:23 [crit] 80:2 yadda yadda failed (2: No such file or directory
-
-rule = 31317
-alert = 0
-decoder = nginx-errorlog
-
-[Invalid URI, file name too long.]
-log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda yadda failed (36: File name too long)
-
-rule = 31320
-alert = 10
-decoder = nginx-errorlog
+++ /dev/null
-[lease release]
-log 1 pass = Jan 26 18:12:55 junction dhcpd[4842]: IP address 192.168.1.16 answers a ping after sending a release
-log 2 pass = Jan 26 18:12:40 junction dhcpd[4842]: Possible release spoof - Not releasing address 192.168.17.160
-
-rule = 53003
-alert = 5
-decoder = dhcpd
-
-[no free leases]
-log 1 pass = Jan 26 17:42:32 junction dhcpd[4842]: no free leases on subnet 192.168.17.0
-
-rule = 53011
-alert = 7
-decoder = dhcpd
-
-[normal dhcp stuff]
-log 1 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPREQUEST for 192.168.17.164 from f4:8c:50:9d:eb:35 via em1
-log 2 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPDISCOVER from f4:8c:50:9d:eb:35 via em1
-log 3 pass = Jan 27 09:25:31 junction dhcpd[71391]: DHCPOFFER on 192.168.17.164 to f4:8c:50:9d:eb:35 via em1
-
-rule = 53001
-alert = 1
-decoder = dhcpd
-
-
+++ /dev/null
-[access]
-log 1 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:29:48 -0400] "GET / HTTP/1.0" 302 0
-log 2 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:32:57 -0400] "GET /nmaplowercheck1531024375 HTTP/1.1" 302 0
-rule = 31100
-alert = 0
-decoder = openbsd-httpd
-
-[POST]
-log 1 pass = www.wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:33:13 -0400] "POST /sdk HTTP/1.1" 404 0
-
-rule = 31530
-alert = 3
-decoder = openbsd-httpd
-
+++ /dev/null
-[sendsyslog drop]
-log 1 fail = Oct 16 08:15:07 ix sendsyslog: dropped 2 messages, error 55
-
-rule = 51558
-alert = 4
-decoder =
-
+++ /dev/null
-[message failed]
-log 1 pass = Aug 14 10:15:25 junction.example.com smtpd[28882]: smtp-in: Failed command on session 1f55bdcdf16e28a3: "MAIL FROM:<root@junction.example.com> " => 421 4.3.0: Temporary Error
-
-rule = 53501
-alert = 3
-decoder = smtpd
-
-[new session]
-log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: New session 08d856b172f69c5c from host ix.example.com [local]
-
-rule = 53502
-alert = 0
-decoder = smtpd
-
-[message accepted]
-log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: Accepted message 4296f490 on session 08d856b172f69c5c: from=<root@ix.example.com>, to=<ddp@ix.example.com>, size=1746, ndest=1, proto=ESMTP
-
-rule = 53504
-alert = 0
-decoder = smtpd
-
-[session closed]
-log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: Closing session 08d856b172f69c5c
-
-rule = 53503
-alert = 0
-decoder = smtpd
-
-[disconnect]
-log 1 pass = Mar 4 00:11:00 ix smtpd[22421]: smtp-in: Received disconnect from session 427e7493ebe154ae
-
-rule = 53500
-alert = 0
-decoder = smtpd
-
-[no ssl]
-log 1 pass = Mar 4 00:13:55 ix smtpd[22421]: smtp-in: Disconnecting session 427e7497e03518ef: IO error: No SSL error
-
-rule = 53507
-alert = 2
-decoder = smtpd
-
-[started tls]
-log 1 pass = Mar 4 00:13:55 ix smtpd[22421]: smtp-in: Started TLS on session 427e749c2e46f809: version=TLSv1.2, cipher=EDH-RSA-DES-CBC3-SHA, bits=112
-
-rule = 53500
-alert = 0
-decoder = smtpd
-
+++ /dev/null
-[ossec: active response: add host]
-log 1 pass = Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.16.0.1 1304756247.60385 31151
-rule = 603
-alert = 3
-decoder = ar_log
-
-[ossec: active response: add firewall]
-log 2 pass = Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 172.16.0.1 1304756247.60385 31151
-rule = 601
-alert = 3
-decoder = ar_log
-
-
-[ossec: active response: delete host]
-log 3 pass = Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 172.16.0.1 1304756247.60385 31151
-rule = 604
-alert = 3
-decoder = ar_log
-
-
-[ossec: active response: delete firewall]
-log 4 pass = Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
-
-rule = 602
-alert = 3
-decoder = ar_log
-
-[ossec-logcollector: ignore informational messages at startup]
-log 1 pass = 2015/01/29 21:09:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
-
-rule = 701
-alert = 0
-decoder = ossec-logcollector
-
-[agent started]
-log 1 pass = ossec: Agent started: 'any'
-
-rule = 501
-alert = 3
-decoder = ossec
-
+++ /dev/null
-[User login failed.]
-log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
-log 2 pass = Jun 28 23:01:27 xxxx auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lipjigaglgihgoeadcdaa.p.salmon@xxx.xxx.xxx.xxx rhost=91.195.103.44
-
-rule = 5503
-alert = 5
-decoder = pam
-
-[Attempt to login with an invalid user.]
-log 1 pass = Nov 11 22:46:29 localhost vsftpd(pam_unix)[25073]: check pass; user unknown
-
-rule = 5504
-alert = 5
-decoder = pam
-
-[Login session opened.]
-log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session opened for user news by (uid=0)
-
-rule = 5501
-alert = 3
-decoder = pam
-
-[Login session closed.]
-log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session closed for user news
-
-rule = 5502
-alert = 3
-decoder = pam
-
-[User missed the password more than one time]
-log 1 pass = Nov 11 22:46:29 localhost sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root
-
-rule = 2502
-alert = 10
-decoder = pam
-
+++ /dev/null
-[reject rcpt]
-log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; from=<kos@mafia.network>, to=<z13699753428@vip.163.com>, proto=ESMTP, helo=<XL-20160217QQJV>
-
-rule = 3306
-alert = 6
-decoder = postfix-reject
-
-[domain not found]
-log 1 pass = Jun 18 20:59:29 mybox postfix/postscreen[12181]: NOQUEUE: reject: RCPT from [213.158.187.41]:45263: 450 4.3.2 Service currently unavailable; from=<purchase@otherfolks.com>, to=<media@example.com>, proto=ESMTP, helo=<some.box.net>
-
-rule = 3303
-alert = 5
-decoder = postfix-reject
-
+++ /dev/null
-[unable to open incoming connection (reason may vary)]
-log 1 pass = Jan 04 22:51:57 server proftpd[26169] server.example.net: Fatal: unable to open incoming connection: Der Socket ist nicht verbunden
-rule = 11222
-alert = 4
-decoder = proftpd
-
-[FTP Authentication success]
-log 1 pass = Jan 04 22:51:57 hayaletgemi proftpd[26916]: hayaletgemi (85.101.218.135[85.101.218.135]) - ANON anonymous: Login successful.
-log 2 pass = Jan 04 22:51:57 juf01 proftpd[12564]: juf01 (pD9EE35B1.dip.t-dialin.net[217.238.53.177]) - USER jufu: Login successful
-log 3 pass = Jan 04 22:51:57 xx.yy.zz proftpd[30362] xx.yy.zz (aa.bb.cc[aa.bb.vv.dd]): USER backup: Login successful.
-rule = 11205
-alert = 3
-decoder = proftpd
-
-[Connection refused by TCP Wrappers]
-log 1 pass = Jan 04 22:51:57 server proftpd[2344]: refused connect from 192.168.1.2 (192.168.1.2)
-rule = 11207
-alert = 5
-decoder = proftpd
-
-[Connection denied by ProFTPD configuration]
-log 1 pass = Jan 04 22:51:57 valhalla proftpd[15181]: valhalla (crawl-66-249-66-80.googlebot.com[66.249.66.80]) - Connection from crawl-66-249-66-80.googlebot.com [66.249.66.80] denied.
-rule = 11206
-alert = 5
-decoder = proftpd
-
-[Login failed accessing the FTP server]
-log 1 pass = 2015-04-16 21:51:02,805 zuse proftpd[26189] zuse.domain.com (182.100.67.115[182.100.67.115]): USER root (Login failed): Incorrect password
-rule = 11204
-alert = 5
-decoder = proftpd
-
+++ /dev/null
-[rshd: illegal]
-log 1 pass = Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
-log 2 fail = Dec 17 10:49:23 hostname rhsd[347339]: Connection from 10.217.223.31 on illegal port
-
-rule = 2551
-alert = 10
-decoder = rshd
-
+++ /dev/null
-[samba: denied connect]
-log 1 pass = Dec 18 18:06:28 hostname smbd[832]: Denied connection from (192.168.3.23)
-
-
-rule = 13102
-alert = 5
-decoder = smbd
-
-[samba: connect denied]
-log 1 pass = Dec 18 18:06:28 hostname smbd[832]: Denied connection from (192.168.3.23)
-
-
-rule = 13102
-alert = 5
-decoder = smbd
-
-[samba: permission denied]
-log 1 fail = Dec 18 18:06:28 hostname smbd[17535]: Permission denied user not allowed to delete, pause, or resume print job. User name: ahmet. Printer name: prnq1.
-log 2 fail = Dec 18 18:06:28 hostname smbd[17535]: Permission denied\-\- user not allowed to delete, pause, or resume print job. User name: ahmet. Printer name: prnq1.
-
-rule = 13102
-alert = 5
-decoder = smbd
+++ /dev/null
-[su: failed ]
-log 1 pass = Apr 27 15:22:23 niban su[2921936]: failed: ttyq4 changing from ldap to root
-log 2 pass = Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0
-rule = 5302
-alert = 9
-decoder = su
-
-[su: bad pass]
-log 1 pass = Apr 27 15:22:23 niban su[234]: BAD SU ger to fwmaster on /dev/ttyp0
-rule = 5301
-alert = 5
-decoder = su
-
-[su: pam - auth fail]
-log 1 fail = Apr 27 15:22:23 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
-log 2 fail = Apr 27 15:22:23 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
-rule = 5503
-alert = 5
-decoder = su
-
-
-[su: work fts]
-log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
-rule = 5305
-alert = 4
-decoder = su
-
+++ /dev/null
-[sudo: all]
-log 1 pass = Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
-log 2 pass = Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
-log 3 pass = Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
-log 4 pass = Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
-
-rule = 5403
-alert = 4
-decoder = sudo
-
-[Failed attempt to run sudo]
-log 1 pass = Jun 25 15:51:13 precise32 sudo: mike : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
-
-rule = 5401
-alert = 5
-decoder = sudo
-
-[First time user executed sudo]
-log 1 pass = Jun 25 15:48:21 precise32 sudo: mike : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su -
-
-rule = 5403
-alert = 4
-decoder = sudo
-
-[3 incorrect password attempts]
-log 1 pass = Jun 25 16:15:45 precise32 sudo: mike : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
-
-rule = 5404
-alert = 10
-decoder = sudo
-
-[unauthorized user]
-log 1 pass = Apr 13 08:36:31 ix sudo: ddp2 : user NOT in sudoers ; TTY=ttypZ ; PWD=/home/ddp2 ; USER=root ; COMMAND=/bin/ls
-
-rule = 5405
-alert = 5
-decoder = sudo
-
+++ /dev/null
-[Uninteresting nouveau error.]
-log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR BEGIN_END_ACTIVE
-
-rule = 2944
-alert = 1
-decoder =
-
-[Uninteresting nouveau error.]
-log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR
-
-rule = 2944
-alert = 1
-decoder =
-
-[Incorrect chain/target/match.]
-log 3 fail = Jul 18 10:51:43 localhost NetworkManager[1366]: <warn> (enp1s0) firewall zone remove failed: (32) COMMAND_FAILED: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: ipta
-bles: No chain/target/match by that name.
-
-rule = 2941
-alert = 3
-decoder = NetworkManager
-
-[rsyslog may be dropping messages due to rate-limiting.]
-log 1 fail = Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting
-
-rule = 2945
-alert = 4
-decoder =
-
-[Non-standard syslog-ng format with year.]
-log 1 fail = 2015 2015 Nov 13 13:40:01 ether rsyslogd-2177: imuxsock begins to drop messages from pid 17840 due to rate-limiting
-
-rule = 2945
-alert = 4
-decoder =
-
-[useradd failed]
-log 1 fail = May 4 18:21:10 collectd useradd[15178]: failed adding user 'ansible', data deleted
-
-rule = 5905
-alert = 0
-decoder =
-
+++ /dev/null
-[Sysmon EventID#1 - Suspicious svchost process]
-log 1 pass = 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 2:29 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log User: WIN-U93G48C7BOP\Administrator LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\Explorer.EXE ParentCommandLine: C:\Windows\Explorer.EXE
-rule = 18501
-alert = 12
-decoder = Sysmon-EventID#1
-
-[Sysmon EventID#1 - non-Suspicious svchost process]
-log 1 pass = 2014 Dec 20 12:15:13 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 12:15 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\windows\system32\svchost.exe -k defragsvc" User: NT AUTHORITY\SYSTEM LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\System32\services.exe ParentCommandLine: C:\Windows\System32\services.exe
-rule = 18502
-alert = 0
-decoder = Sysmon-EventID#1
-
-[Windows Event]
-2015 Mar 30 15:47:04 WinEvtLog: System: INFORMATION(1): Sysmon: UserName: SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/30/2015 10:47:04.494 PM ProcessGuid: {7531FA7E-D268-5519-0000-00105DF81A06} ProcessId: 4388 Image: C:\WINDOWS\system32\cmd.exe CommandLine: "C:\windows\system32\cmd.exe" User: SYSTEM-NAME\UserName LogonGuid: {7531FA7E-CFE1-5519-0000-0020F62C1906} LogonId: 0x6192cf6 TerminalSessionId: 3 IntegrityLevel: no level HashType: SHA1 Hash: 254E37EC33C921C5AB253F14F9274F349B3CCC2D ParentProcessGuid: {7531FA7E-CFE2-5519-0000-0010CC5A1906} ParentProcessId: 1008 ParentImage: C:\WINDOWS\explorer.exe ParentCommandLine: C:\windows\Explorer.EXE
-rule = 18101
-alert = 0
-decoder = Sysmon-EventID#1
-
+++ /dev/null
-[Stale file handle.]
-log 3 fail = Jul 19 07:28:02 localhost systemd: Failed to mark scope session-1024.scope as abandoned : Stale file handle
-
-rule = 40701
-alert = 0
-decoder =
-
+++ /dev/null
-;[Can't assign requested address.]
-;log 1 pass = 2014-05-20T09:01:07.283219-04:00 arrakis unbound: [9405:0] notice: sendto failed: Can't assign requested address
-;
-;rule = 500100
-;alert = 2
-;decoder = unbound
-;
-;[DNS A request]
-;log 1 pass = 2014-07-14T14:00:02.814490-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 talkgadget.google.com. A IN
-;
-;rule = 500101
-;alert = 0
-;decoder = unbound
-;
-;[Info grouping.]
-;log 1 pass = 2014-07-14T14:00:05.507848-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: 3 queries, 2 answers from cache, 1 recursions, 0 prefetch
-;
-;rule = 500002
-;alert = 1
-;decoder = unbound
-;
-;[Info grouping.]
-;log 1 pass = 2014-07-14T14:00:05.507955-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
-;
-;rule = 500002
-;alert = 1
-;decoder = unbound
-;
-
-
+++ /dev/null
-[CONNECT]
-log 1 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "fe80::baac:6fff:fe7d:d2e0"
-log 2 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "10.11.12.13"
-
-rule = 11401
-alert = 3
-decoder = vsftpd
-
-[LOGIN]
-log 1 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
-log 2 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "fe80::baac:6fff:fe7d:d2e0"
-
-rule = 11403
-alert = 5
-decoder = vsftpd
-
+++ /dev/null
-# PARAMS USED BY OSSEC2BASED
-dbhost=localhost
-database=ossecbase
-debug=5
-dbport=3306
-dbpasswd=yourpassword
-dbuser=youruser
-daemonize=0
-sensor=centralserver
-hids_interface=ossec
-resolve=1
+++ /dev/null
-
---
--- Table structure for table `acid_event`
---
-
-CREATE TABLE `acid_event` (
- `sid` int(10) unsigned NOT NULL,
- `cid` int(10) unsigned NOT NULL,
- `signature` varchar(255) NOT NULL,
- `sig_name` varchar(255) default NULL,
- `sig_class_id` int(10) unsigned default NULL,
- `sig_priority` int(10) unsigned default NULL,
- `timestamp` datetime NOT NULL,
- `ip_src` int(10) unsigned default NULL,
- `ip_dst` int(10) unsigned default NULL,
- `ip_proto` int(11) default NULL,
- `layer4_sport` int(10) unsigned default NULL,
- `layer4_dport` int(10) unsigned default NULL,
- `username` varchar(255) default NULL,
- PRIMARY KEY (`sid`,`cid`),
- KEY `signature` (`signature`),
- KEY `sig_name` (`sig_name`),
- KEY `sig_class_id` (`sig_class_id`),
- KEY `sig_priority` (`sig_priority`),
- KEY `timestamp` (`timestamp`),
- KEY `ip_src` (`ip_src`),
- KEY `ip_dst` (`ip_dst`),
- KEY `ip_proto` (`ip_proto`),
- KEY `layer4_sport` (`layer4_sport`),
- KEY `layer4_dport` (`layer4_dport`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;
-
--- --------------------------------------------------------
-
---
--- Table structure for table `data`
---
-
-CREATE TABLE `data` (
- `sid` int(10) unsigned NOT NULL,
- `cid` int(10) unsigned NOT NULL,
- `data_payload` text,
- PRIMARY KEY (`sid`,`cid`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;
-
--- --------------------------------------------------------
-
---
--- Table structure for table `event`
---
-
-CREATE TABLE `event` (
- `sid` int(10) unsigned NOT NULL,
- `cid` int(10) unsigned NOT NULL,
- `signature` int(10) unsigned NOT NULL,
- `timestamp` datetime NOT NULL,
- PRIMARY KEY (`sid`,`cid`),
- KEY `sig` (`signature`),
- KEY `time` (`timestamp`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;
-
--- --------------------------------------------------------
-
---
--- Table structure for table `sensor`
---
-
-CREATE TABLE `sensor` (
- `sid` int(10) unsigned NOT NULL auto_increment,
- `hostname` text,
- `interface` text,
- `filter` text,
- `detail` tinyint(4) default NULL,
- `encoding` tinyint(4) default NULL,
- `last_cid` int(10) unsigned NOT NULL,
- PRIMARY KEY (`sid`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=6 ;
-
--- --------------------------------------------------------
-
---
--- Table structure for table `signature`
---
-
-CREATE TABLE `signature` (
- `sig_id` int(10) unsigned NOT NULL auto_increment,
- `sig_name` varchar(255) NOT NULL,
- `sig_class_id` int(10) unsigned NOT NULL,
- `sig_priority` int(10) unsigned default NULL,
- `sig_rev` int(10) unsigned default NULL,
- `sig_sid` int(10) unsigned default NULL,
- `sig_gid` int(10) unsigned default NULL,
- PRIMARY KEY (`sig_id`),
- KEY `sign_idx` (`sig_name`(20)),
- KEY `sig_class_id_idx` (`sig_class_id`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=47 ;
+++ /dev/null
-<?php
-/* OSSEC 2 RSS script.
- * by Daniel B. Cid ( dcid @ ossec.net)
- *
- * Just upload it to any web-accessible directory, and make
- * sure the web server can access the OSSEC alerts log file.
- */
-
-
-$ossec_log = "/var/ossec/logs/alerts/alerts.log";
-if(!is_readable($ossec_log))
-{
- echo "ERROR: Unable to access $ossec_log\n";
- echo "*TIP: Make sure your web server can access that file. \n";
- exit(1);
-}
-
-$timelp = filemtime($ossec_log);
-$fh = fopen($ossec_log, "r");
-if(!$fh)
-{
- exit(1);
-}
-
-if(filesize($ossec_log) > 30000)
-{
- fseek($fh, -30000, SEEK_END);
- $line = fgets($fh, 4096);
-}
-
-
-$lastlines = array();
-$event = array();
-while($line = fgets($fh, 4096))
-{
- $line = trim($line);
- if($line == "")
- {
- continue;
- }
-
- if(strncmp($line, "** Alert ", 9) == 0)
- {
- if(strncmp($event, "** Alert ", 9) == 0)
- {
- array_push($lastlines, $event);
- }
- unset($event);
- $event = array();
- $event[] = htmlspecialchars($line);
- }
- else
- {
- $event[] = htmlspecialchars($line);
- }
-}
-fclose($fh);
-
-$lastlines = array_reverse($lastlines);
-$myhost = gethostname();
-if($myhost === FALSE)
-{
- $myhost = "";
-}
-
-echo '<?xml version="1.0" encoding="UTF-8"?>
-<?xml-stylesheet href="/css/rss.css" type="text/css"?>
-<rss version="2.0">
-<channel>
-<title>OSSEC '.$myhost.' RSS Feed</title>
-<link>http://ossec.net</link>
-<description>OSSEC RSS Feed for '.$myhost.'</description>
-<language>en-us</language>
-<lastBuildDate>'.date("r", $timelp).'</lastBuildDate>
-<pubDate>'.date("r", $timelp).'</pubDate>
-<copyright>(C) OSSEC.net 2008-2011</copyright>
-<generator>OSSEC.net RSS feed</generator>
-<ttl>30</ttl>
-<webMaster>dcid@ossec.net</webMaster>
-
-<image>
- <title>OSSEC Alert Feed</title>
- <url>http://www.ossec.net/img/ossec_logo.jpg</url>
- <link>http://ossec.net</link>
-</image>
-';
-
-foreach($lastlines as $myentry)
-{
-echo $myentry;
-
- if(preg_match("/^.. Alert (\d+)\./", $myentry[0], $regs, PREG_OFFSET_CAPTURE, 0))
- {
- $myunixtime = $regs[1][0];
- }
- else
- {
- continue;
- }
-
-
- echo '
- <item>
- <title>'.$myentry[2]." ,from ".substr($myentry[1], 20).'</title>
- <link>http://ossec.net</link>
- <guid isPermaLink="false">'.$myentry[0].'</guid>
- <description><![CDATA[';
-
- foreach($myentry as $myline){ echo $myline."<br />\n"; }
-
- echo '
- ]]></description>
- <pubDate>'.date("r", $myunixtime).'</pubDate>
- </item>
- ';
-}
-
-echo '
-</channel>
-</rss>
-';
-
-
-?>
+++ /dev/null
-OSSEC report tool 0.1
-Licensed under GPL
-Contributor Meir Michanie
-ossec_report_contrib.pl [-h|--help] # This text you read now
-ossec_report_contrib.pl [-r|--report] # prints a report for each element
-ossec_report_contrib.pl [-s|--summary] # prints a summary report
-ossec_report_contrib.pl [-t|--top] #prints the top list
-
-How To:
-=======
-
-ossec_report_contrib.pl OSSEC report tool 0.1
-ossec_report_contrib.pl is a GNU style program.
-It reads from STDIN and write to stdout. This gives you the advantage to use it in pipes.
-i.e.
-cat ossec-alerts-05.log | ossec_report_contrib.pl -r | mail root -s 'OSSEC detailed report'
-cat ossec-alerts-05.log | ossec_report_contrib.pl -s | mail root -s 'OSSEC summary report'
-cat <log file> | ossec_report_contrib.pl -t <key> | head -n 15 (for top 15)
-cat <log file> | ossec_report_contrib.pl -s (for summary)
-
-Crontab entry:
-58 23 * * * (cat ossec-alerts-05.log | ossec_report_contrib.pl -s)
-
-
-The <key> could be any one of the variables used in ossec log:
-mail,alerthost,datasource,rule,level,description,srcip,user.
+++ /dev/null
-#!/usr/bin/python
-# OSSEC Rules list
-# Simple script to get a short brief of every rule in OSSEC rules folder
-# Written Feb 25, 2016 and released under the GNU/GPLv2 license ##
-# By pedro@wazuh.com @ Wazuh, Inc.
-
-import sys
-import re
-import os
-
-rules_directory = "/var/ossec/rules/"
-
-def GetRulesList(fulldir, filename):
- rule_detected = 0
- rule_description = 0
- level = ""
- sidid = ""
- description = ""
- pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
- pattern_description = re.compile(r'<description>(.+?)</description>')
- pattern_endrule = re.compile(r'</rule>')
- try:
- with open(fulldir) as f:
- lines = f.readlines()
- for line in lines:
- if rule_detected == 0:
- match = re.findall(pattern_idlevel, line)
- if match:
- rule_detected = 1
- sidid = match[0][0]
- level = match[0][1]
- else:
- if rule_description == 0:
- match = re.findall(pattern_description, line)
- if match:
- rule_description = 1
- description = match[0]
- if rule_description == 1:
- match = re.findall(pattern_endrule, line)
- if match:
- print "%s - Rule %s - Level %s -> %s" % (filename,sidid,level,description)
- rule_detected = 0
- rule_description = 0
- level = ""
- sidid = ""
- description = ""
- except EnvironmentError:
- print ("Error: OSSEC rules directory does not appear to exist")
-
-if __name__ == "__main__":
- print ("Reading rules from directory %s") % (rules_directory)
- for root, directories, filenames in os.walk(rules_directory):
- for filename in filenames:
- if filename[-4:] == ".xml":
- GetRulesList(os.path.join(root,filename), filename)
+++ /dev/null
-use DBI;
-use strict;
-package ossecmysql;
-
-sub new(){
- my $type = shift;
- my %conf=@_;
- my $self={};
- my $flag;
- $self->{database}=$conf{database};
- $self->{dbhost}=$conf{dbhost};
- $self->{dbport}=$conf{dbport};
- $self->{dbuser}=$conf{dbuser};
- $self->{dbpasswd}=$conf{dbpasswd};
-
- $self->{dsn} = "DBI:mysql:database=$self->{database};host=$self->{dbhost};port=$self->{dbport}";
- $self->{dbh} = DBI->connect($self->{dsn}, $self->{dbuser},$self->{dbpasswd});
- bless $self, $type;
-}
-sub fetchrecord(){
- my $self= shift ;
- my ($rows)=@_;
- my ($pointer,$numrows,$fields)=(${$rows}[0],${$rows}[1],${$rows}[2]);
- my @result;
- return if $pointer == $numrows;
- for (my $i=0; $i < $fields; $i ++){
- my $field= @{$rows}[($pointer * $fields) + 3 + $i ];
- push (@result, $field);
- }
- ${$rows}[0] ++;
-
- return @result;
-}
-sub fetchrows(){
- my $self = shift ;
- my ($query)=shift;
- my @params= @_;
- my @rows;
- my $numFields;
- my $numRows;
- $numRows=$numFields=0;
- $self->{sth}=$self->{dbh}->prepare($query);
- $self->{sth}->execute(@params) ;
- $numRows = $self->{sth}->rows;
- my @row=();
- return @rows unless $numRows>0;
- $numFields = $self->{sth}->{'NUM_OF_FIELDS'};
- push (@rows,0,$numRows,$numFields);
- while(@row=$self->{sth}->fetchrow_array){
- push (@rows,@row);
- }
-
- $self->{sth}->finish;
- return @rows;
-
-}
-
-sub execute(){
- my $self = shift ;
- my $flag;
- my ($query)=shift;
- my @params= @_;
- my @rows= ();
- my $numFields;
- my $numRows;
- $numRows=$numFields=0;
- $self->{sth} = $self->{dbh}->prepare($query);
- return $self->{sth}->execute(@params) ;
-}
-
-sub lastid(){
- my $self = shift ;
- return $self->{sth}->{mysql_insertid};
-}
-1
+++ /dev/null
-#!/bin/sh
-
-# Rename an OSSEC agent (must be run on both agent and server)
-
-# Sanity checks
-
-if [ $# -ne 2 ]; then
- echo Usage: $0 old-name new-name
- exit 1
-fi
-
-if ! [ -e /etc/ossec-init.conf ]; then
- echo ossec-init.conf not found. Exiting...
- exit 1
-fi
-
-. /etc/ossec-init.conf
-KEYFILE=$DIRECTORY/etc/client.keys
-
-# Get the IP address from the key file
-IPADDR=`grep -w "${1}" $KEYFILE | cut -d " " -f 3`
-if [ -z ${IPADDR} ]; then
- echo Agent ${1} not found. Exiting...
- exit 1
-fi
-
-# stop OSSEC
-/var/ossec/bin/ossec-control stop
-
-# Update the key record
-sed -i $KEYFILE -e "s/${1}/${2}/"
-
-# Rename files and directories (manager)
-
-cd $DIRECTORY/queue
-
-if [ -e "agent-info/${1}-${IPADDR}" ]; then
- mv "agent-info/${1}-${IPADDR}" \
- "agent-info/${2}-${IPADDR}"
-fi
-
-if [ -e "diff/${1}" ]; then
- mv "diff/${1}" \
- "diff/${2}"
-fi
-
-if [ -e "rootcheck/(${1}) ${IPADDR}->rootcheck" ]; then
- mv "rootcheck/(${1}) ${IPADDR}->rootcheck" \
- "rootcheck/(${2}) ${IPADDR}->rootcheck"
-fi
-
-if [ -e "syscheck/(${1}) ${IPADDR}->syscheck" ]; then
- mv "syscheck/(${1}) ${IPADDR}->syscheck" \
- "syscheck/(${2}) ${IPADDR}->syscheck"
-fi
-
-if [ -e "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" ]; then
- mv "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" \
- "syscheck/.(${2}) ${IPADDR}->syscheck.cpt"
-fi
-
-# Restart OSSEC
-/var/ossec/bin/ossec-control start
+++ /dev/null
-#!/bin/sh
-
-# Renumber (change IP address) an OSSEC agent (must be run on both agent
-# and server)
-
-# Sanity checks
-
-if [ $# -ne 2 ]; then
- echo Usage: $0 agent-name new-IP-address
- exit 1
-fi
-
-if ! [ -e /etc/ossec-init.conf ]; then
- echo ossec-init.conf not found. Exiting...
- exit 1
-fi
-
-. /etc/ossec-init.conf
-KEYFILE=$DIRECTORY/etc/client.keys
-
-# Get the IP address from the key file
-IPADDR=`grep -w "${1}" $KEYFILE | cut -d " " -f 3`
-if [ -z ${IPADDR} ]; then
- echo Agent ${1} not found. Exiting...
- exit 1
-fi
-
-# stop OSSEC
-/var/ossec/bin/ossec-control stop
-
-# Update the key record
-sed -i $KEYFILE -e "s/${IPADDR}/${2}/"
-
-# Rename files and directories (manager)
-
-cd $DIRECTORY/queue
-
-if [ -e "agent-info/${1}-${IPADDR}" ]; then
- mv "agent-info/${1}-${IPADDR}" \
- "agent-info/${1}-${2}"
-fi
-
-if [ -e "rootcheck/(${1}) ${IPADDR}->rootcheck" ]; then
- mv "rootcheck/(${1}) ${IPADDR}->rootcheck" \
- "rootcheck/(${1}) ${2}->rootcheck"
-fi
-
-if [ -e "syscheck/(${1}) ${IPADDR}->syscheck" ]; then
- mv "syscheck/(${1}) ${IPADDR}->syscheck" \
- "syscheck/(${1}) ${2}->syscheck"
-fi
-
-if [ -e "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" ]; then
- mv "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" \
- "syscheck/.(${1}) ${2}->syscheck.cpt"
-fi
-
-# Restart OSSEC
-/var/ossec/bin/ossec-control start
+++ /dev/null
-## Ossec-agent SELinux module
-SELinux module provides additional security protection for ossec application
-
-## Installation
-1. Run semodule -i ossec\_agent.pp.bz2 on a running SELinux installation
-2. Run restorecon -R /var/ossec
-3. Restart ossec agent via systemd/init/etc
-4. Check if it get right context ( ps -AZ )
-
-You should do chcon manually if your put ossec installation in different place, see .fc file for details
-
-## Configuration
-Nothing to configure :)
-
-## Bug reports & contribution
-Contact: ivan.agarkov@gmail.com
-
+++ /dev/null
-/var/ossec/bin/agent-auth -- system_u:object_r:ossec_admin_exec_t:s0
-/var/ossec/bin/manage_client -- system_u:object_r:ossec_admin_exec_t:s0
-/var/ossec/bin/ossec-client.sh -- system_u:object_r:ossec_admin_exec_t:s0
-/var/ossec/bin/ossec-configure -- system_u:object_r:ossec_admin_exec_t:s0
-/var/ossec/bin/ossec-control system_u:object_r:ossec_admin_exec_t:s0
-/var/ossec/bin/ossec-fix-id.sh -- system_u:object_r:ossec_admin_exec_t:s0
-
-/var/ossec/bin/ossec-logcollector system_u:object_r:ossec_logcollector_exec_t:s0
-/var/ossec/bin/client-logcollector system_u:object_r:ossec_logcollector_exec_t:s0
-/var/ossec/bin/client-syscheckd system_u:object_r:ossec_syscheck_exec_t:s0
-/var/ossec/bin/ossec-agentd -- system_u:object_r:ossec_agent_exec_t:s0
-/var/ossec/bin/ossec-syscheckd system_u:object_r:ossec_syscheck_exec_t:s0
-/var/ossec/bin/ossec-execd -- system_u:object_r:ossec_exec_exec_t:s0
-
-/var/ossec system_u:object_r:usr_t:s0
-/var/ossec/bin system_u:object_r:bin_t:s0
-/var/ossec/agentless(/.*)? system_u:object_r:bin_t:s0
-/var/ossec/active-response(/.*)? system_u:object_r:bin_t:s0
-/var/ossec/etc(/.*)? system_u:object_r:ossec_conf_t:s0
-/var/ossec/queue(/.*)? system_u:object_r:ossec_queue_t:s0
-/var/ossec/logs(/.*)? system_u:object_r:ossec_log_t:s0
-/var/ossec/tmp(/.*)? system_u:object_r:ossec_tmp_t:s0
-/var/ossec/var(/.*)? system_u:object_r:ossec_var_t:s0
+++ /dev/null
-## <summary></summary>
+++ /dev/null
-policy_module(ossec_agent, 1.0.4)
-# selinux module for OSSEC (tm) agent
-# (C) Ivan Agarkov, 2017
-# exec file types
-type ossec_agent_exec_t;
-type ossec_exec_exec_t;
-type ossec_logcollector_exec_t;
-type ossec_syscheck_exec_t;
-type ossec_admin_exec_t;
-# data file types
-type ossec_log_t; # logs/
-type ossec_conf_t; # /etc
-type ossec_queue_t; # /queue
-type ossec_tmp_t; # /tmp
-type ossec_var_t; # /var
-# process attributes
-attribute ossec_process;
-# process types
-type ossec_agent_t, ossec_process;
-type ossec_exec_t, ossec_process;
-type ossec_logcollector_t, ossec_process;
-type ossec_syscheck_t, ossec_process;
-type ossec_admin_t;
-
-# types definitions
-init_daemon_domain(ossec_agent_t, ossec_agent_exec_t)
-init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t)
-init_daemon_domain(ossec_syscheck_t, ossec_syscheck_exec_t)
-init_daemon_domain(ossec_exec_t, ossec_exec_exec_t)
-application_domain(ossec_admin_t, ossec_admin_exec_t)
-
-files_type(ossec_queue_t)
-files_type(ossec_var_t)
-logging_log_file(ossec_log_t)
-files_config_file(ossec_conf_t)
-files_tmp_file(ossec_tmp_t)
-# type transition for all
-files_tmp_filetrans(ossec_process, ossec_tmp_t, {file dir lnk_file})
-filetrans_pattern(ossec_process, ossec_queue_t, ossec_queue_t, {file dir lnk_file sock_file})
-filetrans_pattern(ossec_process, ossec_var_t, ossec_var_t, {file dir lnk_file })
-filetrans_pattern(ossec_process, ossec_conf_t, ossec_conf_t, {file dir lnk_file })
-filetrans_pattern(ossec_process, ossec_tmp_t, ossec_tmp_t, {file dir lnk_file })
-# allow ossec agent to read & edit all
-read_files_pattern(ossec_process, ossec_conf_t, ossec_conf_t)
-admin_pattern(ossec_process, ossec_queue_t, ossec_queue_t)
-
-admin_pattern(ossec_process, ossec_log_t, ossec_log_t)
-admin_pattern(ossec_process, ossec_var_t, ossec_var_t)
-optional_policy(`
- gen_require(`
- type passwd_file_t, etc_t;
- ')
- read_files_pattern(ossec_process, etc_t, passwd_file_t)
-')
-allow ossec_process ossec_process:unix_dgram_socket all_unix_dgram_socket_perms;
-sysnet_dns_name_resolve(ossec_process)
-allow ossec_process self:capability { dac_override setgid setuid sys_chroot };
-# for agent
-admin_pattern(ossec_agent_t, ossec_conf_t, ossec_conf_t)
-admin_pattern(ossec_agent_t, ossec_tmp_t, ossec_tmp_t)
-
-# logcollector read all logs
-logging_read_all_logs(ossec_logcollector_t)
-logging_read_audit_log(ossec_logcollector_t)
-# syscheck read all file
-files_read_all_files(ossec_syscheck_t)
-allow ossec_syscheck_t self:process setsched;
-allow ossec_syscheck_t self:capability sys_nice;
-# admin policy
-admin_pattern(ossec_admin_t, ossec_conf_t, ossec_conf_t)
-admin_pattern(ossec_admin_t, ossec_queue_t, ossec_queue_t)
-admin_pattern(ossec_admin_t, ossec_var_t, ossec_var_t)
-# allow to kill
-allow ossec_admin_t ossec_process:process { signal sigkill ptrace sigstop getattr setrlimit noatsecure };
-# for different roles
-optional_policy(`
- gen_require(`
- type unconfined_t;
- role unconfined_r;
- ')
- role unconfined_r types ossec_admin_t;
- domtrans_pattern(unconfined_t, ossec_admin_exec_t, ossec_admin_t)
-')
-optional_policy(`
- gen_require(`
- type sysadm_t;
- role sysadm_r;
- ')
- role sysadm_r types ossec_admin_t;
- domtrans_pattern(sysadm_t, ossec_admin_exec_t, ossec_admin_t)
-')
-optional_policy(`
- gen_require(`
- type staff_t;
- role staff_r;
- ')
- role staff_r types ossec_admin_t;
- domtrans_pattern(staff_t, ossec_admin_exec_t, ossec_admin_t)
-')
-
+++ /dev/null
-# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net).
-#
-# RPM: server/local/agent version, 1.2, 2007.07.23
-#
-#
-# Use this file to customize your installations.
-# It will make the install.sh script pre-load some
-# specific options to make it run automatically
-# or with less questions.
-
-# PLEASE NOTE:
-# When we use "n" or "y" in here, it should be changed
-# to "n" or "y" in the language your are doing the
-# installation. For example, in portuguese it would
-# be "s" or "n".
-
-
-# USER_LANGUAGE defines to language to be used.
-# It can be "en", "br", "tr", "it", "de" or "pl".
-# In case of an invalid language, it will default
-# to English "en"
-USER_LANGUAGE="en" # For english
-#USER_LANGUAGE="br" # For portuguese
-
-
-# If USER_NO_STOP is set to anything, the confirmation
-# messages are not going to be asked.
-USER_NO_STOP="y"
-
-
-# USER_INSTALL_TYPE defines the installation type to
-# be used during install. It can only be "local",
-# "agent" or "server".
-#USER_INSTALL_TYPE="local"
-USER_INSTALL_TYPE="agent"
-#USER_INSTALL_TYPE="server"
-
-
-# USER_DIR defines the location to install ossec
-USER_DIR="/var/ossec"
-
-
-# If USER_DELETE_DIR is set to "y", the directory
-# to install OSSEC will be removed if present.
-USER_DELETE_DIR="y"
-
-
-# If USER_ENABLE_ACTIVE_RESPONSE is set to "n",
-# active response will be disabled.
-USER_ENABLE_ACTIVE_RESPONSE="n"
-
-
-# If USER_ENABLE_SYSCHECK is set to "y",
-# syscheck will be enabled. Set to "n" to
-# disable it.
-USER_ENABLE_SYSCHECK="y"
-
-
-# If USER_ENABLE_ROOTCHECK is set to "y",
-# rootcheck will be enabled. Set to "n" to
-# disable it.
-USER_ENABLE_ROOTCHECK="y"
-
-
-# If USER_UPDATE is set to anything, the update
-# installation will be done.
-#USER_UPDATE="y"
-
-# If USER_UPDATE_RULES is set to anything, the
-# rules will also be updated.
-USER_UPDATE_RULES="y"
-
-# If USER_BINARYINSTALL is set, the installation
-# is not going to compile the code, but use the
-# binaries from ./bin/
-#USER_BINARYINSTALL="x"
-
-
-### Agent Installation variables. ###
-
-# USER_AGENT_SERVER_IP specifies the IP address of the
-# ossec server. Only used on agent installations.
-USER_AGENT_SERVER_IP="127.0.0.1"
-
-
-
-### Server/Local Installation variables. ###
-
-# USER_ENABLE_EMAIL enables or disables email alerting.
-USER_ENABLE_EMAIL="n"
-
-# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts.
-#USER_EMAIL_ADDRESS="dcid@test.ossec.net"
-
-# USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
-#USER_EMAIL_SMTP="test.ossec.net"
-
-
-# USER_ENABLE_SYSLOG enables or disables remote syslog.
-USER_ENABLE_SYSLOG="n"
-
-
-# USER_ENABLE_FIREWALL_RESPONSE enables or disables
-# the firewall response.
-USER_ENABLE_FIREWALL_RESPONSE="n"
-
-
-# Enable PF firewall (OpenBSD, FreeBSD and Darwin only)
-USER_ENABLE_PF="n"
-
-
-# PF table to use (OpenBSD, FreeBSD and Darwin only).
-#USER_PF_TABLE="ossec_fwtable"
-
-
-# USER_WHITE_LIST is a list of IPs or networks
-# that are going to be set to never be blocked.
-#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24"
-
-
-#### exit ? ###
+++ /dev/null
-#!/usr/bin/perl -w
-
-#
-# find /var/ossec/ -exec ./getattr.pl {} \;
-#
-
-use File::stat;
-
-my %UID;
-my %GUID;
-
-$filename = shift || die "\nsyntax: $0 <file|directory>\n\n";
-
-get_uid();
-get_gid();
-
-$sb = stat($filename);
-
-die "\nUID $sb->uid doesn't exist?! ($filename)\n\n" if (! exists($UID[$sb->uid]));
-die "\nGID $sb->uid doesn't exist?! ($filename)\n\n" if (! exists($GID[$sb->gid]));
-
-if ( -d $filename ) { ### directory
- print '%dir ' . $filename . "\n";
-} elsif ( -f $filename ) { ### file
- print $filename . "\n";
-} else {
- die("\nI can't handle: $filename\n\n");
-}
-
-# %attr(550, root, ossec) /var/ossec/etc
-
-printf "%%attr(%03o, %s, %s) %s\n",
- $sb->mode & 07777,
- $UID[$sb->uid], $GID[$sb->gid], $filename;
-
-#printf "%s: perm %04o, owner: %s, group: %s \n",
-# $filename, $sb->mode & 07777,
-# $UID[$sb->uid], $GID[$sb->gid];
-
-sub get_uid
-{
- open(FP,'</etc/passwd') || die "\nCan't open /etc/passwd\n\n";
-
- while ($line = <FP>) {
- ($name,$id) = (split(/:/,$line,))[0,2];
- $UID[$id] = $name;
- }
- close(FP);
-}
-
-sub get_gid
-{
- open(FP,'</etc/group') || die "\nCan't open /etc/group\n\n";
-
- while ($line = <FP>) {
- ($name,$id) = (split(/:/,$line,))[0,2];
- $GID[$id] = $name;
- }
- close(FP);
-}
-
+++ /dev/null
-# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net).
-#
-# RPM: server/local/agent version, 1.2, 2007.07.23
-#
-#
-# Use this file to customize your installations.
-# It will make the install.sh script pre-load some
-# specific options to make it run automatically
-# or with less questions.
-
-# PLEASE NOTE:
-# When we use "n" or "y" in here, it should be changed
-# to "n" or "y" in the language your are doing the
-# installation. For example, in portuguese it would
-# be "s" or "n".
-
-
-# USER_LANGUAGE defines to language to be used.
-# It can be "en", "br", "tr", "it", "de" or "pl".
-# In case of an invalid language, it will default
-# to English "en"
-USER_LANGUAGE="en" # For english
-#USER_LANGUAGE="br" # For portuguese
-
-
-# If USER_NO_STOP is set to anything, the confirmation
-# messages are not going to be asked.
-USER_NO_STOP="y"
-
-
-# USER_INSTALL_TYPE defines the installation type to
-# be used during install. It can only be "local",
-# "agent" or "server".
-USER_INSTALL_TYPE="local"
-#USER_INSTALL_TYPE="agent"
-#USER_INSTALL_TYPE="server"
-
-
-# USER_DIR defines the location to install ossec
-USER_DIR="/var/ossec"
-
-
-# If USER_DELETE_DIR is set to "y", the directory
-# to install OSSEC will be removed if present.
-USER_DELETE_DIR="y"
-
-
-# If USER_ENABLE_ACTIVE_RESPONSE is set to "n",
-# active response will be disabled.
-USER_ENABLE_ACTIVE_RESPONSE="n"
-
-
-# If USER_ENABLE_SYSCHECK is set to "y",
-# syscheck will be enabled. Set to "n" to
-# disable it.
-USER_ENABLE_SYSCHECK="y"
-
-
-# If USER_ENABLE_ROOTCHECK is set to "y",
-# rootcheck will be enabled. Set to "n" to
-# disable it.
-USER_ENABLE_ROOTCHECK="y"
-
-
-# If USER_UPDATE is set to anything, the update
-# installation will be done.
-#USER_UPDATE="y"
-
-# If USER_UPDATE_RULES is set to anything, the
-# rules will also be updated.
-USER_UPDATE_RULES="y"
-
-# If USER_BINARYINSTALL is set, the installation
-# is not going to compile the code, but use the
-# binaries from ./bin/
-#USER_BINARYINSTALL="x"
-
-
-### Agent Installation variables. ###
-
-# USER_AGENT_SERVER_IP specifies the IP address of the
-# ossec server. Only used on agent installations.
-#USER_AGENT_SERVER_IP="1.2.3.4"
-
-
-
-### Server/Local Installation variables. ###
-
-# USER_ENABLE_EMAIL enables or disables email alerting.
-USER_ENABLE_EMAIL="n"
-
-# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts.
-#USER_EMAIL_ADDRESS="dcid@test.ossec.net"
-
-# USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
-#USER_EMAIL_SMTP="test.ossec.net"
-
-
-# USER_ENABLE_SYSLOG enables or disables remote syslog.
-USER_ENABLE_SYSLOG="n"
-
-
-# USER_ENABLE_FIREWALL_RESPONSE enables or disables
-# the firewall response.
-USER_ENABLE_FIREWALL_RESPONSE="n"
-
-
-# Enable PF firewall (OpenBSD, FreeBSD and Darwin only)
-USER_ENABLE_PF="n"
-
-
-# PF table to use (OpenBSD, FreeBSD and Darwin only).
-#USER_PF_TABLE="ossec_fwtable"
-
-
-# USER_WHITE_LIST is a list of IPs or networks
-# that are going to be set to never be blocked.
-#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24"
-
-
-#### exit ? ###
+++ /dev/null
-#!/bin/bash
-
-rpm -e ossec-hids-server-FC7
-rpm -e ossec-hids-local-FC7
-rpm -e ossec-hids-agent-FC7
-
-rm -fr /var/ossec/
-
-for A in ossec ossecm ossecr ; do /usr/sbin/userdel -r $A ; done
-
-/usr/sbin/groupdel ossec
-
-/sbin/chkconfig ossec off
-/sbin/chkconfig --del ossec
-
-# Remove init.d file
-[ -f /etc/init.d/ossec ] && rm /etc/init.d/ossec
-
-
+++ /dev/null
-# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net).
-#
-# RPM: server/local/agent version, 1.2, 2007.07.23
-#
-#
-# Use this file to customize your installations.
-# It will make the install.sh script pre-load some
-# specific options to make it run automatically
-# or with less questions.
-
-# PLEASE NOTE:
-# When we use "n" or "y" in here, it should be changed
-# to "n" or "y" in the language your are doing the
-# installation. For example, in portuguese it would
-# be "s" or "n".
-
-
-# USER_LANGUAGE defines to language to be used.
-# It can be "en", "br", "tr", "it", "de" or "pl".
-# In case of an invalid language, it will default
-# to English "en"
-USER_LANGUAGE="en" # For english
-#USER_LANGUAGE="br" # For portuguese
-
-
-# If USER_NO_STOP is set to anything, the confirmation
-# messages are not going to be asked.
-USER_NO_STOP="y"
-
-
-# USER_INSTALL_TYPE defines the installation type to
-# be used during install. It can only be "local",
-# "agent" or "server".
-#USER_INSTALL_TYPE="local"
-#USER_INSTALL_TYPE="agent"
-USER_INSTALL_TYPE="server"
-
-
-# USER_DIR defines the location to install ossec
-USER_DIR="/var/ossec"
-
-
-# If USER_DELETE_DIR is set to "y", the directory
-# to install OSSEC will be removed if present.
-USER_DELETE_DIR="y"
-
-
-# If USER_ENABLE_ACTIVE_RESPONSE is set to "n",
-# active response will be disabled.
-USER_ENABLE_ACTIVE_RESPONSE="n"
-
-
-# If USER_ENABLE_SYSCHECK is set to "y",
-# syscheck will be enabled. Set to "n" to
-# disable it.
-USER_ENABLE_SYSCHECK="y"
-
-
-# If USER_ENABLE_ROOTCHECK is set to "y",
-# rootcheck will be enabled. Set to "n" to
-# disable it.
-USER_ENABLE_ROOTCHECK="y"
-
-
-# If USER_UPDATE is set to anything, the update
-# installation will be done.
-#USER_UPDATE="y"
-
-# If USER_UPDATE_RULES is set to anything, the
-# rules will also be updated.
-USER_UPDATE_RULES="y"
-
-# If USER_BINARYINSTALL is set, the installation
-# is not going to compile the code, but use the
-# binaries from ./bin/
-#USER_BINARYINSTALL="x"
-
-
-### Agent Installation variables. ###
-
-# USER_AGENT_SERVER_IP specifies the IP address of the
-# ossec server. Only used on agent installations.
-#USER_AGENT_SERVER_IP="1.2.3.4"
-
-
-
-### Server/Local Installation variables. ###
-
-# USER_ENABLE_EMAIL enables or disables email alerting.
-USER_ENABLE_EMAIL="n"
-
-# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts.
-#USER_EMAIL_ADDRESS="dcid@test.ossec.net"
-
-# USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
-#USER_EMAIL_SMTP="test.ossec.net"
-
-
-# USER_ENABLE_SYSLOG enables or disables remote syslog.
-USER_ENABLE_SYSLOG="n"
-
-
-# USER_ENABLE_FIREWALL_RESPONSE enables or disables
-# the firewall response.
-USER_ENABLE_FIREWALL_RESPONSE="y"
-
-
-# Enable PF firewall (OpenBSD, FreeBSD and Darwin only)
-USER_ENABLE_PF="n"
-
-
-# PF table to use (OpenBSD, FreeBSD and Darwin only).
-#USER_PF_TABLE="ossec_fwtable"
-
-
-# USER_WHITE_LIST is a list of IPs or networks
-# that are going to be set to never be blocked.
-#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24"
-
-
-#### exit ? ###
+++ /dev/null
-#!/bin/sh
-
-
-## Run this from src/
-## Do not add the "v" before the version number
-
-OLDVERSION=${1}
-NEWVERSION=${2}
-
-if [ "X${OLDVERSION}" == "X" ]; then
- echo "You must provide the version numbers"
- echo "version_bump.sh x.0.0 x.1.0"
- exit 1
-fi
-
-if [ "X${NEWVERSION}" == "X" ]; then
- echo "You must provide the version numbers"
- echo "version_bump.sh x.0.0 x.1.0"
- exit 1
-fi
-
-echo "v${NEWVERSION}" > src/VERSION
-
-# OSSEC init scripts
-sed -i -e "s/VERSION=\"v${OLDVERSION}/VERSION=\"v${NEWVERSION}/" src/init/ossec-client.sh
-sed -i -e "s/VERSION=\"v${OLDVERSION}/VERSION=\"v${NEWVERSION}/" src/init/ossec-local.sh
-sed -i -e "s/VERSION=\"v${OLDVERSION}/VERSION=\"v${NEWVERSION}/" src/init/ossec-server.sh
-
-# Win32 files
-sed -i -e "s/VERSION \"${OLDVERSION}/VERSION \"${NEWVERSION}/" src/win32/ossec-installer.nsi
-sed -i -e "s/Agent v${OLDVERSION}/Agent v${NEWVERSION}/" src/win32/help.txt
-
-# misc
-sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" INSTALL
-sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" README.md
-sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" CONFIG
-sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" BUGS
-
-# update defs.h
-sed -i -e "s/v${OLDVERSION}/v${NEWVERSION}/" src/headers/defs.h
-
-# Update CONFIG
-
+++ /dev/null
-import zmq
-
-context = zmq.Context()
-s = context.socket(zmq.SUB)
-s.connect("tcp://localhost:11999")
-s.setsockopt(zmq.SUBSCRIBE, "")
-while 1:
- d = s.recv()
- print d
+++ /dev/null
-This package was debianized by Dinko Korunic <kreator@CARNet.hr> on
-Mon, 01 Mar 2010 17:37:28 +0100.
-
-It was downloaded from http://www.ossec.net/
-
-Upstream Authors: Daniel B. Cid
-
-Copyright:
-
- Copyright (C) 2010 Trend Micro Inc. All rights reserved.
-
- OSSEC HIDS is a free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License (version 2) as
- published by the FSF - Free Software Foundation.
-
- Note that this license applies to the source code, as well as
- decoders, rules and any other data file included with OSSEC (unless
- otherwise specified).
-
- For the purpose of this license, we consider an application to constitute a
- "derivative work" or a work based on this program if it does any of the
- following (list not exclusive):
-
- * Integrates source code/data files from OSSEC.
- * Includes OSSEC copyrighted material.
- * Includes/integrates OSSEC into a proprietary executable installer.
- * Links to a library or executes a program that does any of the above.
-
- This list is not exclusive, but just a clarification of our interpretation
- of derived works. These restrictions only apply if you actually redistribute
- OSSEC (or parts of it).
-
- We don't consider these to be added restrictions on top of the GPL,
- but just a clarification of how we interpret "derived works" as it
- applies to OSSEC. This is similar to the way Linus Torvalds has
- announced his interpretation of how "derived works" applies to Linux kernel
- modules. Our interpretation refers only to OSSEC - we don't speak
- for any other GPL products.
-
- OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- FITNESS FOR A PARTICULAR PURPOSE.
- See the GNU General Public License Version 3 below for more details.
-
-
-On Debian systems, a copy of the GNU General Public License Version 3 may be
-found in /usr/share/common-licenses/GPL-3.
+++ /dev/null
-OSSEC v0.9
-Copyright (C) 2009 Trend Micro Inc.
-
-
-OSSEC Logging
-
-== Introduction ==
-
-Ossec supports three types of logs. Alert logging, firewall
-logging and event (archiving) logging.
-
-Every message received is treated as an event.
-Any log message, integrity report, system information will be treated
-as such. Event logging is very expensive for the system because
-it will archive every event. However, they can be usefull to get
-the big picture if some attack happens.
-
-Alert logging is the most useful one. An alert is generated when
-an event is matched against one of the detection rules. In addition
-to the logging, OSSEC can also generate e-mail notifications or
-execute external commands for them.
-
-
-== Event logging ==
-
-Inside the OSSEC default log directory (by default /var/ossec/logs)
-there is an entry for "archives" (/var/ossec/logs/archives). Inside this
-directory, all events will be stored by date.
-For example, all events received on May 22 of 2004, will be stored on:
-
-/var/ossec/logs/archives/2004/May/events-22.log
-
-After each day, a hash will be created for this specific day at
-
-/var/ossec/logs/archives/2004/May/events-22.log.md5
-
-This hash will be the hash of the file from the day 22 plus the hash
-from the day 21.
-
-The hash from the day 1, will be the hash from the day 31 (or 30 or 28)
-from the previous month.
-
-This will ensure that no log will be modified. Also, for this to happen,
-all the logs (since the first day) will need to be modified.
-
-
-== Alert logging ==
-
-There will be a "alerts" directory on the OSSEC default logging directory.
-It will be organized on the same way the event logging is. Please read
-above to understand it.
-
-
+++ /dev/null
-OSSEC v0.9
-Copyright (C) 2009 Trend Micro Inc.
-
-
-How do the server manager the agents.
-
--The server will open port 1514 (by default) and listen for
- messages from the clients. Only the IP of the clients will be
- allowed.
-
--Every 10 minutes, the client will send an status notification
- to the server. This status message contain some information
- about the agent system and information about the files it
- has on the shared directory.
-
--The server will receive the status message, update the agent
- status file and check if it has any file to be sent to the
- agent. If it has, it will connect to the agent and send
- the file.
-
--Every message will be encrypted.
+++ /dev/null
-OSSEC
-Copyright (C) 2009 Trend Micro Inc.
-
-
-** Nmap correlation **
-
-Ossec can read nmap grepable output files to use as a
-correlation tool and also to alert based on host information
-changes. Follow the step by step below on how to configure
-ossec:
-
-
-1- Add the nmap output file on ossec.conf (generally
- at /var/ossec/etc/ossec.conf):
-
-<ossec_config>
- <localfile>
- <log_format>nmapg</log_format>
- <location>/var/log/nmap-out.log</location>
- </localfile>
-</ossec_config>
-
-
-2- If the file does not exist, touch it:
-
-ossec-test# touch /var/log/nmap-out.log
-
-
-3- Restart ossec:
-
-ossec-test# /var/ossec/bin/ossec-control restart
-
-
-4- Run your nmap scans (example scanning 192.168.2.0/24 network):
-
-ossec-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
-
-
-
-*** Example of alert when a new host is found:
-
-** Alert 1152058913.238: mail
-2006 Jul 04 20:21:53 /var/log/nmap-out.log
-Rule: 15 (level 8) -> 'New host information added.'
-Src IP: (none)
-User: (none)
-Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)
-
-
-*** Example of alert when a new a host information is changed:
-
-** Alert 1152058983.487: mail
-2006 Jul 04 20:23:03 /var/log/nmap-out.log
-Rule: 15 (level 8) -> 'Host information changed.'
-Src IP: (none)
-User: (none)
-Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
-Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
-
+++ /dev/null
-Rootkit detection techniques used by the OSSEC HIDS
-by Daniel B. Cid, daniel.cid@gmail.com
-
-
-Starting on version 0.4, the OSSEC HIDS will perform
-rootkit detection on every system where the agent is
-installed. The rootcheck (rootkit detection engine) will
-be executed every X minutes (user specified --by default
-every 2 hours) to detect any possible rootkit installed.
-Used witht the log analysis and the integrity checking
-engine, it will become a very powerful monitoring solution
-(the OSSEC HIDS performs log analysis and integrity
-checking since version 0.1).
-
-Other feature included on version 0.4 is that the analysis
-server will automatically forward the rootkit detection
-signatures to the agents, reducing the administration
-overhead for the system admin. The agents and server will
-keep contact every 10 minutes and if the server is
-updated with a new signature file, it will forward them
-to all configured agents. Take a look at the management
-documentation for more information.
-
-The rootcheck will perform the following steps on the
-system trying to find rootkits:
-
-
-1- Read the rootkit_files.txt which contains a big database
- of rootkits and files used by them. It will try to stats,
- fopen and opendir each specified file. We use all these
- system calls, because some kernel-level rootkits, hide
- files from some system calls. The more system calls we
- try, the better the detection. This method is more like
- an anti-virus rule that needs to be updated constantly.
- The chances of false-positives are small, but false
- negatives can be produced by modifying the rootkits.
-
-2- Read the rootkit_trojans.txt which contains a database
- of signatures of files trojaned by rootkits. This
- technique of modifying binaries with trojaned versions
- was commonly used by most of the popular rootkits
- available. This detection method will not find any
- kernel level rootkit or any unknown rootkit.
-
-3- Scan the /dev directory looking for anomalies. The /dev
- should only have device files and the Makedev script.
- A lot of rootkits use the /dev to hide files. This
- technique can detect even non-public rootkits.
-
-4- Scan the whole filesystem looking for unusual files and
- permission problems. Files owned by root, with written
- permission to others are very dangerous and the rootkit
- detection will look for them. Suid files, hidden directories
- and files will also be inspected.
-
-5- Look for the presence of hidden processes. We use getsid()
- and kill() to check if any pid is being used or not. If
- the pid is being used, but "ps" can't see it, it is the
- indication of kernel-level rootkit or a trojaned version
- of "ps". We also verify the output of kill and getsid that
- should be the same.
-
-6- Look for the presence of hidden ports. We use bind() to
- check every tcp and udp port on the system. If we can't
- bind to the port (it's being used), but netstat does not
- show it, we probably have a rootkit installed.
-
-7- Scan all interfaces on the system and look for the ones
- with "promisc" mode enabled. If the interface is in promiscuous
- mode, the output of "ifconfig" should show that. If not,
- we probably have a rootkit installed.
-
-
-EOF
+++ /dev/null
-# ossec Rules ids.
-#
-# Ossec official rules should be under some of these
-# assignments.
-#
-# Local rules should go from 100000 to 120000.
-#
-# Every rule will also have a revision attribute (if modified).
-# *default revision is 0 (when first added).
-
-00000 - 00999 Internally reserved for ossec
-01000 - 01999 General syslog
-02100 - 02299 NFS
-02300 - 02499 Xinetd
-02500 - 02699 Access control
-02700 - 02729 Mail/procmail
-02800 - 02829 Smartd
-02830 - 02859 Crond
-02860 - 02899 Mount/Automount
-
-03100 - 03299 Sendmail
-03300 - 03499 Postfix
-03500 - 03599 Spamd
-03600 - 03699 Imapd
-03700 - 03799 MailScanner
-
-04100 - 04299 Generic Firewall
-04300 - 04499 Cisco PIX Firewall
-04500 - 04699 Netscreen Firewall
-
-05100 - 05299 Kernels (Linux, Unix, etc)
-05300 - 05399 Su
-05400 - 05499 sudo
-05500 - 05599 Pam unix
-05600 - 05699 Telnetd
-05700 - 05899 sshd
-05900 - 05999 Adduser or user deletion.
-
-07100 - 07199 Tripwire
-07200 - 07299 Arpwatch
-07300 - 07399 Symantec Anti Virus
-
-09100 - 09199 PPTP
-09200 - 09299 Squid syslog
-09300 - 09399 Horde IMP
-
-10100 - 10199 FTS
-
-11100 - 11199 FTPd
-11200 - 11299 ProFTPD
-11300 - 11399 Pure-FTPD
-11400 - 11499 vs-FTPD
-
-12100 - 12299 Named (bind DNS)
-
-13100 - 13299 Samba (smbd)
-
-14100 - 14199 Racoon SSL
-14200 - 14299 Cisco VPN Concentrator
-
-17100 - 17399 Policy
-
-18100 - 18499 Windows system
-18500 - 18650 Sysmon rules
-18651 - 18750 MS IPSec rules
-20100 - 20299 IDS
-20300 - 20499 IDS (Snort specific)
-20500 - 20509 Windows PowerShell
-
-30100 - 30999 Apache error log
-31100 - 31199 Web access log
-
-31501 - 32000 Web Appsec rules
-
-35000 - 35999 Squid
-
-40100 - 40499 Attack patterns
-40500 - 40599 Privilege escalation
-
-40600 - 40699 Scan patterns
-40700 - 40899 Systemd
-40900 - 40999 Firewalld
-
-51500 - 51999 OpenBSD rules
-52000 - 52499 Apparmor rules
-52500 - 53199 clam av rules
-53200 - 53499 nsd rules
-53500 - 53299 opensmtpd rules
-53300 - 53399 owncloud rules
-53400 - 53500 proxmox ve rules
-53501 - 53550 OpenSMTPd rules
-53551 - 53599 dnsmasq
-53600 - 53625 linux usb detection rules
-53626 - 53630 ms usb detection rules
-53631 - 53699 ms firewall rules
-53700 - 53749 PSAD rules
-53750 - 53799 unbound rules
-53800 - 53825 Kaspersky Endpoint Security 10 for Linux rules
-53826 - 53829 MHN - Dionaea
-53830 - 53840 MHN - Cowrie
-56000 - 56200 FreeBSD rules
-
-100000 - 109999 User defined rules
-
+++ /dev/null
-OSSEC HIDS v0.9
-Copyright (C) 2009 Trend Micro Inc.
-
-
-
---- Rules Classification ---
-
-
--- Classification --
-
-The rules are classified in multiple levels. From the lowest (00) to the maximum
-level 16. Some levels are not used right now. Other levels can be added between
-them or after them.
-
-**The rules will be read from the highest to the lowest level. **
-
-00 - Ignored - No action taken. Used to avoid false positives. These rules
- are scanned before all the others. They include events with no
- security relevance.
-01 - None -
-02 - System low priority notification - System notification or
- status messages. They have no security relevance.
-03 - Successful/Authorized events - They include successful login attempts,
- firewall allow events, etc.
-04 - System low priority error - Errors related to bad configurations or
- unused devices/applications. They have no security relevance and
- are usually caused by default installations or software testing.
-05 - User generated error - They include missed passwords, denied
- actions, etc. By itself they have no security relevance.
-06 - Low relevance attack - They indicate a worm or a virus that have
- no affect to the system (like code red for apache servers, etc).
- They also include frequently IDS events and frequently errors.
-07 - "Bad word" matching. They include words like "bad", "error", etc.
- These events are most of the time unclassified and may have
- some security relevance.
-08 - First time seen - Include first time seen events. First time
- an IDS event is fired or the first time an user logged in.
- If you just started using OSSEC HIDS these messages will
- probably be frequently. After a while they should go away.
- It also includes security relevant actions (like the starting
- of a sniffer or something like that).
-09 - Error from invalid source - Include attempts to login as
- an unknown user or from an invalid source. May have security
- relevance (specially if repeated). They also include errors
- regarding the "admin" (root) account.
-10 - Multiple user generated errors - They include multiple bad
- passwords, multiple failed logins, etc. They may indicate an
- attack or may just be that a user just forgot his credentials.
-11 - Integrity checking warning - They include messages regarding
- the modification of binaries or the presence of rootkits (by
- rootcheck). If you just modified your system configuration
- you should be fine regarding the "syscheck" messages. They
- may indicate a successful attack. Also included IDS events
- that will be ignored (high number of repetitions).
-12 - High importancy event - They include error or warning messages
- from the system, kernel, etc. They may indicate an attack against
- a specific application.
-13 - Unusual error (high importance) - Most of the times it matches a
- common attack pattern.
-14 - High importance security event. Most of the times done with
- correlation and it indicates an attack.
-15 - Severe attack - No chances of false positives. Immediate
- attention is necessary.
-
-
-== Rules Group ==
-
--We can specify groups for specific rules. It's used for active
-response reasons and for correlation.
-- We currently use the following groups:
-
-- invalid_login
-- authentication_success
-- authentication_failed
-- connection_attempt
-- attacks
-- adduser
-- sshd
-- ids
-- firewall
-- squid
-- apache
-- syslog
-
-
-
-== Rules Config ==
-
-http://www.ossec.net/en/manual.html#rules
-
+++ /dev/null
-ossec-hids: possible-gpl-code-linked-with-openssl
-ossec-hids: non-etc-file-marked-as-conffile var/ossec/rules/local_rules.xml
-ossec-hids: non-etc-file-marked-as-conffile var/ossec/etc/ossec.conf
-ossec-hids: non-etc-file-marked-as-conffile var/ossec/etc/internal_options.conf
-ossec-hids: non-standard-dir-in-var var/ossec/
-ossec-hids: file-in-unusual-dir var/ossec/*
+++ /dev/null
-#!/bin/sh
-# Disable an account by setting "passwd -l" or chuser
-# Requirements: System with a passwd that supports -l and -u
-# or a system with chuser (AIX)
-# Expect: username (can't be "root")
-# Authors: Ahmet Ozturk and Daniel B. Cid
-# Last modified: Jan 19, 2005
-
-
-UNAME=`uname`
-PASSWD="/usr/bin/passwd"
-CHUSER="/usr/bin/chuser"
-ACTION=$1
-USER=$2
-IP=$3
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-
-if [ "x${USER}" = "x" ]; then
- echo "$0: [ add | delete ] <username>"
- exit 1;
-elif [ "x${USER}" = "xroot" ]; then
- echo "$0: Invalid username."
- exit 1;
-fi
-
-
-# We should run on linux and on SunOS the passwd -u/-l
-if [ "X${UNAME}" = "XLinux" -o "X${UNAME}" = "XSunOS" ]; then
- # Checking if passwd is present
- ls ${PASSWD} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- CMD=${PASSWD}
- if [ "x${ACTION}" = "xadd" ]; then
- ARGS="-l"
- elif [ "x${ACTION}" = "xdelete" ]; then
- ARGS="-u"
- else
- echo "$0: invalid action: ${ACTION}"
- exit 1;
- fi
-
-
-# On AIX, we run CHUSER
-elif [ "X${UNAME}" = "XAIX" ]; then
- # Checking if chuser is present
- ls ${CHUSER} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- CMD=${CHUSER}
-
- # Disabling an account
- if [ "x${ACTION}" = "xadd" ]; then
- ARGS="account_locked=true"
- # Unblock the account
- elif [ "x${ACTION}" = "xdelete" ]; then
- ARGS="account_locked=false"
- # Invalid action
- else
- echo "$0: invalid action: ${ACTION}"
- exit 1;
- fi
-
-
-# We only support Linux, SunOS and AIX
-else
- exit 0;
-fi
-
-
-# Execute the command
-${CMD} ${ARGS} ${USER}
-
-exit 1;
-
+++ /dev/null
-#!/bin/sh
-# Adds an IP to the iptables drop list (if linux)
-# Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
-# Adds an IP to the ipsec drop list (if aix)
-# Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
-# Expect: srcip
-# Author: Ahmet Ozturk (ipfilter and IPSec)
-# Author: Daniel B. Cid (iptables)
-# Author: cgzones
-# Last modified: Oct 04, 2012
-
-UNAME=`uname`
-ECHO="/bin/echo"
-GREP="/bin/grep"
-IPTABLES=""
-IP4TABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-IPFILTER="/sbin/ipf"
-if [ "X$UNAME" = "XSunOS" ]; then
- IPFILTER="/usr/sbin/ipf"
-fi
-GENFILT="/usr/sbin/genfilt"
-LSFILT="/usr/sbin/lsfilt"
-MKFILT="/usr/sbin/mkfilt"
-RMFILT="/usr/sbin/rmfilt"
-ARG1=""
-ARG2=""
-RULEID=""
-ACTION=$1
-USER=$2
-IP=$3
-PWD=`pwd`
-LOCK="${PWD}/fw-drop"
-LOCK_PID="${PWD}/fw-drop/pid"
-IPV4F="/proc/sys/net/ipv4/ip_forward"
-IPV6F="/proc/sys/net/ipv6/conf/all/forwarding"
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-filename=$(basename "$0")
-
-LOG_FILE="${PWD}/../logs/active-responses.log"
-
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
-
-
-# Checking for an IP
-if [ "x${IP}" = "x" ]; then
- echo "$0: <action> <username> <ip>"
- exit 1;
-fi
-
-case "${IP}" in
- *:* ) IPTABLES=$IP6TABLES;;
- *.* ) IPTABLES=$IP4TABLES;;
- * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;;
-esac
-
-# This number should be more than enough (even if a hundred
-# instances of this script is ran together). If you have
-# a really loaded env, you can increase it to 75 or 100.
-MAX_ITERATION="50"
-
-# Lock function
-lock()
-{
- i=0;
- # Providing a lock.
- while [ 1 ]; do
- mkdir ${LOCK} > /dev/null 2>&1
- MSL=$?
- if [ "${MSL}" = "0" ]; then
- # Lock acquired (setting the pid)
- echo "$$" > ${LOCK_PID}
- return;
- fi
-
- # Getting currently/saved PID locking the file
- C_PID=`cat ${LOCK_PID} 2>/dev/null`
- if [ "x" = "x${S_PID}" ]; then
- S_PID=${C_PID}
- fi
-
- # Breaking out of the loop after X attempts
- if [ "x${C_PID}" = "x${S_PID}" ]; then
- i=`expr $i + 1`;
- fi
-
- sleep $i;
-
- i=`expr $i + 1`;
-
- # So i increments 2 by 2 if the pid does not change.
- # If the pid keeps changing, we will increments one
- # by one and fail after MAX_ITERACTION
-
- if [ "$i" = "${MAX_ITERATION}" ]; then
- kill="false"
- for pid in `pgrep -f "${filename}"`; do
- if [ "x${pid}" = "x${C_PID}" ]; then
- # Unlocking and exiting
- kill -9 ${C_PID}
- echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE}
- kill="true"
- unlock;
- i=0;
- S_PID="";
- break;
- fi
- done
-
- if [ "x${kill}" = "xfalse" ]; then
- echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE}
- # Unlocking and exiting
- unlock;
- exit 1;
- fi
- fi
- done
-}
-
-# Unlock function
-unlock()
-{
- rm -rf ${LOCK}
-}
-
-
-
-# Blocking IP
-if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
- echo "$0: invalid action: ${ACTION}"
- exit 1;
-fi
-
-
-
-# We should run on linux
-if [ "X${UNAME}" = "XLinux" ]; then
- if [ "x${ACTION}" = "xadd" ]; then
- ARG1="-I INPUT -s ${IP} -j DROP"
- ARG2="-I FORWARD -s ${IP} -j DROP"
- else
- ARG1="-D INPUT -s ${IP} -j DROP"
- ARG2="-D FORWARD -s ${IP} -j DROP"
- fi
-
- # Checking if iptables is present
- if [ ! -x ${IPTABLES} ]; then
- IPTABLES="/usr"${IPTABLES}
- if [ ! -x ${IPTABLES} ]; then
- echo "$0: can not find iptables"
- exit 0;
- fi
- fi
-
- # Executing and exiting
- COUNT=0;
- lock;
- while [ 1 ]; do
- ${IPTABLES} ${ARG1}
- RES=$?
- if [ $RES = 0 ]; then
- break;
- else
- COUNT=`expr $COUNT + 1`;
- echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
- sleep $COUNT;
-
- if [ $COUNT -gt 4 ]; then
- break;
- fi
- fi
- done
-
- COUNT=0;
- while [ 1 ]; do
- #
- # Looking for IPV4 and IPV6 FORWARD
- #
- if [ -e "$IPV4F" ]
- then
- IPV4KEY="$(cat "$IPV4F")"
- else
- IPV4KEY="0"
- fi
- if [ -e "$IPV6F" ]
- then
- IPV6KEY="$(cat "$IPV6F")"
- else
- IPV6KEY="0"
- fi
-
- if [ "$IPV4KEY" = "0" ] && [ "$IPV6KEY" = "0" ]
- then
- break
- fi
-
- ${IPTABLES} ${ARG2}
- RES=$?
- if [ $RES = 0 ]; then
- break;
- else
- COUNT=`expr $COUNT + 1`;
- echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
- sleep $COUNT;
-
- if [ $COUNT -gt 4 ]; then
- break;
- fi
- fi
- done
- unlock;
-
- exit 0;
-
-# FreeBSD, SunOS or NetBSD with ipfilter
-elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then
-
- # Checking if ipfilter is present
- ls ${IPFILTER} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- # Checking if echo is present
- ls ${ECHO} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- if [ "x${ACTION}" = "xadd" ]; then
- ARG1="\"@1 block out quick from any to ${IP}\""
- ARG2="\"@1 block in quick from ${IP} to any\""
- IPFARG="${IPFILTER} -f -"
- else
- ARG1="\"@1 block out quick from any to ${IP}\""
- ARG2="\"@1 block in quick from ${IP} to any\""
- IPFARG="${IPFILTER} -rf -"
- fi
-
- # Executing it
- eval ${ECHO} ${ARG1}| ${IPFARG}
- eval ${ECHO} ${ARG2}| ${IPFARG}
-
- exit 0;
-
-# AIX with ipsec
-elif [ "X${UNAME}" = "XAIX" ]; then
-
- # Checking if genfilt is present
- ls ${GENFILT} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- # Checking if lsfilt is present
- ls ${LSFILT} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
- # Checking if mkfilt is present
- ls ${MKFILT} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- # Checking if rmfilt is present
- ls ${RMFILT} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- if [ "x${ACTION}" = "xadd" ]; then
- ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\""
- #Add filter to rule table
- eval ${GENFILT} ${ARG1}
-
- #Deactivate and activate the filter rules.
- eval ${MKFILT} -v 4 -d
- eval ${MKFILT} -v 4 -u
- else
- # removing a specific rule is not so easy :(
- eval ${LSFILT} -v 4 -O | ${GREP} ${IP} |
- while read -r LINE
- do
- RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"`
- let RULEID=${RULEID}+1
- ARG1=" -v 4 -n ${RULEID}"
- eval ${RMFILT} ${ARG1}
- done
- #Deactivate and activate the filter rules.
- eval ${MKFILT} -v 4 -d
- eval ${MKFILT} -v 4 -u
- fi
-
-else
- exit 0;
-fi
+++ /dev/null
-#!/bin/sh
-# Adds an IP to the firewalld drop list
-# Requirements: Linux with firewalld
-# Expect: srcip
-# Author: Daniel B. Cid (iptables)
-# Author: cgzones
-# Author: ChristianBeer
-# Last modified: Apr 10, 2015
-
-UNAME=`uname`
-ECHO="/bin/echo"
-GREP="/bin/grep"
-FWDCMD="/bin/firewall-cmd"
-RULE=""
-ARG1=""
-# ARG2 can be used to specify the zone where the rich rule should be added otherwise it adds it to the default zone
-ARG2=""
-#ARG2="--zone=external"
-RULEID=""
-ACTION=$1
-USER=$2
-IP=$3
-PWD=`pwd`
-LOCK="${PWD}/fw-drop"
-LOCK_PID="${PWD}/fw-drop/pid"
-
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-filename=$(basename "$0")
-
-LOG_FILE="${PWD}/../logs/active-responses.log"
-
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
-
-
-# Checking for an IP
-if [ "x${IP}" = "x" ]; then
- echo "$0: <action> <username> <ip>"
- exit 1;
-fi
-
-case "${IP}" in
- *:* ) RULE="rule family='ipv6' source address='${IP}' drop";;
- *.* ) RULE="rule family='ipv4' source address='${IP}' drop";;
- * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;;
-esac
-
-# This number should be more than enough (even if a hundred
-# instances of this script is ran together). If you have
-# a really loaded env, you can increase it to 75 or 100.
-MAX_ITERATION="50"
-
-# Lock function
-lock()
-{
- i=0;
- # Providing a lock.
- while [ 1 ]; do
- mkdir ${LOCK} > /dev/null 2>&1
- MSL=$?
- if [ "${MSL}" = "0" ]; then
- # Lock acquired (setting the pid)
- echo "$$" > ${LOCK_PID}
- return;
- fi
-
- # Getting currently/saved PID locking the file
- C_PID=`cat ${LOCK_PID} 2>/dev/null`
- if [ "x" = "x${S_PID}" ]; then
- S_PID=${C_PID}
- fi
-
- # Breaking out of the loop after X attempts
- if [ "x${C_PID}" = "x${S_PID}" ]; then
- i=`expr $i + 1`;
- fi
-
- sleep $i;
-
- i=`expr $i + 1`;
-
- # So i increments 2 by 2 if the pid does not change.
- # If the pid keeps changing, we will increments one
- # by one and fail after MAX_ITERACTION
-
- if [ "$i" = "${MAX_ITERATION}" ]; then
- kill="false"
- for pid in `pgrep -f "${filename}"`; do
- if [ "x${pid}" = "x${C_PID}" ]; then
- # Unlocking and exiting
- kill -9 ${C_PID}
- echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE}
- kill="true"
- unlock;
- i=0;
- S_PID="";
- break;
- fi
- done
-
- if [ "x${kill}" = "xfalse" ]; then
- echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE}
- # Unlocking and exiting
- unlock;
- exit 1;
- fi
- fi
- done
-}
-
-# Unlock function
-unlock()
-{
- rm -rf ${LOCK}
-}
-
-
-
-# Blocking IP
-if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
- echo "$0: invalid action: ${ACTION}"
- exit 1;
-fi
-
-
-
-# We should run on linux
-if [ "X${UNAME}" = "XLinux" ]; then
- if [ "x${ACTION}" = "xadd" ]; then
- ARG1="--add-rich-rule="
- else
- ARG1="--remove-rich-rule="
- fi
-
- # Checking if firewall-cmd is present
- if [ ! -x ${FWDCMD} ]; then
- FWDCMD="/usr"${FWDCMD}
- if [ ! -x ${FWDCMD} ]; then
- echo "$0: can not find firewall-cmd"
- exit 1;
- fi
- fi
-
- # Executing and exiting
- COUNT=0;
- lock;
- while [ 1 ]; do
- ${FWDCMD} ${ARG1}"${RULE}" ${ARG2} >/dev/null
- RES=$?
- if [ $RES = 0 ]; then
- break;
- else
- COUNT=`expr $COUNT + 1`;
- echo "`date` Unable to run (firewall-cmd returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
- sleep $COUNT;
-
- if [ $COUNT -gt 4 ]; then
- break;
- fi
- fi
- done
- unlock;
-
- exit 0;
-else
- exit 0;
-fi
+++ /dev/null
-#!/bin/sh
-# Adds an IP to the /etc/hosts.deny file
-# Requirements: sshd and other binaries with tcp wrappers support
-# Expect: srcip
-# Author: Daniel B. Cid
-# Last modified: Nov 09, 2005
-
-ACTION=$1
-USER=$2
-IP=$3
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-LOCK="${PWD}/host-deny-lock"
-LOCK_PID="${PWD}/host-deny-lock/pid"
-UNAME=`uname`
-
-
-# This number should be more than enough (even if a hundred
-# instances of this script is ran together). If you have
-# a really loaded env, you can increase it to 75 or 100.
-MAX_ITERATION="50"
-
-
-# Lock function
-lock()
-{
- i=0;
- # Providing a lock.
- while [ 1 ]; do
- mkdir ${LOCK} > /dev/null 2>&1
- MSL=$?
- if [ "${MSL}" = "0" ]; then
- # Lock acquired (setting the pid)
- echo "$$" > ${LOCK_PID}
- return;
- fi
-
- # Getting currently/saved PID locking the file
- C_PID=`cat ${LOCK_PID} 2>/dev/null`
- if [ "x" = "x${S_PID}" ]; then
- S_PID=${C_PID}
- fi
-
- # Breaking out of the loop after X attempts
- if [ "x${C_PID}" = "x${S_PID}" ]; then
- i=`expr $i + 1`;
- fi
-
- sleep $i;
-
- i=`expr $i + 1`;
-
- # So i increments 2 by 2 if the pid does not change.
- # If the pid keeps changing, we will increments one
- # by one and fail after MAX_ITERACTION
- if [ "$i" = "${MAX_ITERATION}" ]; then
- echo "`date` Unable to execute. Locked: $0" \
- >> ${PWD}/ossec-hids-responses.log
-
- # Unlocking and exiting
- unlock;
- exit 1;
- fi
- done
-}
-
-# Unlock function
-unlock()
-{
- rm -rf ${LOCK}
-}
-
-
-# Logging the call
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-
-# IP Address must be provided
-if [ "x${IP}" = "x" ]; then
- echo "$0: Missing argument <action> <user> (ip)"
- exit 1;
-fi
-
-
-# Checking for invalid entries (lacking "." or ":", etc)
-echo "${IP}" | egrep "\.|\:" > /dev/null 2>&1
-if [ ! $? = 0 ]; then
- echo "`date` Invalid ip/hostname entry: ${IP}" >> ${PWD}/../logs/active-responses.log
- exit 1;
-fi
-
-
-# Adding the ip to hosts.deny
-if [ "x${ACTION}" = "xadd" ]; then
- # Looking for duplication
- IPKEY=$(grep -w "${IP}" /etc/hosts.deny)
- if [ ! -z "$IPKEY" ]; then
- echo "IP ${IP} already exists on host.deny..." >> ${PWD}/../logs/active-responses.log
- exit 1
- fi
- lock;
- echo "${IP}" | grep "\:" > /dev/null 2>&1
- if [ $? = 0 ]; then
- IP="[${IP}]"
- fi
- if [ "X$UNAME" = "XFreeBSD" ]; then
- echo "ALL : ${IP} : deny" >> /etc/hosts.allow
- else
- echo "ALL:${IP}" >> /etc/hosts.deny
- fi
- unlock;
- exit 0;
-
-
-# Deleting from hosts.deny
-elif [ "x${ACTION}" = "xdelete" ]; then
- lock;
- TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX`
- if [ "X${TMP_FILE}" = "X" ]; then
- # Cheap fake tmpfile, but should be harder then no random data
- TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
- fi
- echo "${IP}" | grep "\:" > /dev/null 2>&1
- if [ $? = 0 ]; then
- IP="\[${IP}\]"
- fi
- if [ "X$UNAME" = "XFreeBSD" ]; then
- cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> ${TMP_FILE}
- mv ${TMP_FILE} /etc/hosts.allow
- else
- cat /etc/hosts.deny | grep -v "ALL:${IP}$"> ${TMP_FILE}
- cat ${TMP_FILE} > /etc/hosts.deny
- rm ${TMP_FILE}
- fi
- unlock;
- exit 0;
-
-
-# Invalid action
-else
- echo "$0: invalid action: ${ACTION}"
-fi
-
-exit 1;
+++ /dev/null
-#!/bin/sh
-# Custom OSSEC block / Easily modifiable for custom responses (touch a file, insert to db, etc).
-# Expect: srcip
-# Author: Daniel B. Cid
-# Last modified: Feb 16, 2013
-
-ACTION=$1
-USER=$2
-IP=$3
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-
-
-# Logging the call
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-
-# IP Address must be provided
-if [ "x${IP}" = "x" ]; then
- echo "$0: Missing argument <action> <user> (ip)"
- exit 1;
-fi
-
-
-# Custom block (touching a file inside /ipblock/IP)
-if [ "x${ACTION}" = "xadd" ]; then
- if [ ! -d /ipblock ]; then
- mkdir /ipblock
- fi
- touch "/ipblock/${IP}"
-elif [ "x${ACTION}" = "xdelete" ]; then
- rm -f "/ipblock/${IP}"
-
-# Invalid action
-else
- echo "$0: invalid action: ${ACTION}"
-fi
-
-exit 1;
+++ /dev/null
-#!/bin/sh
-# Adds an IP to the IPFW drop list.
-# Only works with IPFW.
-# We use TABLE 00001. If you use this table for anything else,
-# please change it here.
-# Expect: srcip
-# Author: Rafael Capovilla - under @ ( at ) underlinux.com.br
-# Author: Daniel B. Cid - dcid @ ( at ) ossec.net
-# Last modified: May 07, 2006
-
-UNAME=`uname`
-IPFW="/sbin/ipfw"
-ARG1=""
-ARG2=""
-ACTION=$1
-USER=$2
-IP=$3
-TABLE_ID=00001
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-
-# Checking for an IP
-if [ "x${IP}" = "x" ]; then
- echo "$0: <action> <username> <ip>"
- exit 1;
-fi
-
-
-
-# Blocking IP
-if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
- echo "$0: Invalid action: ${ACTION}"
- exit 1;
-fi
-
-
-# We should run on FreeBSD
-# We always use table 00001 and rule id 00001.
-if [ "X${UNAME}" = "XFreeBSD" ]; then
- ls ${IPFW} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
- # Check if our table is set
- ${IPFW} show | grep "^00001" | grep "table(1)" >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- # We need to add the table
- ${IPFW} -q 00001 add deny ip from table\(${TABLE_ID}\) to any
- ${IPFW} -q 00001 add deny ip from any to table\(${TABLE_ID}\)
- fi
-
-
- # Executing and exiting
- ${IPFW} -q table ${TABLE_ID} ${ACTION} ${IP}
-
- exit 0;
-fi
-
-
-# Not FreeBSD
-exit 1;
+++ /dev/null
-#!/bin/sh
-# Adds an IP to the IPFW drop list.
-# Only works with IPFW.
-# Expect: srcip
-# Author: Rafael Capovilla - under @ ( at ) underlinux.com.br
-# Author: Daniel B. Cid - dcid @ ( at ) ossec.net
-# Author: Charles W. Kefauver ckefauver @ ( at ) ibacom.es
-# changed for Mac OS X compatibility
-# Last modified: August 14, 2006
-
-UNAME=`uname`
-IPFW="/sbin/ipfw"
-ARG1=""
-ARG2=""
-ACTION=$1
-USER=$2
-IP=$3
-
-# warning do NOT add leading 0 in SET_ID
-SET_ID=2
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-
-# Checking for an IP
-if [ "x${IP}" = "x" ]; then
- echo "$0: <action> <username> <ip>"
- exit 1;
-fi
-
-# Blocking IP
-if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
- echo "$0: Invalid action: ${ACTION}"
- exit 1;
-fi
-
-
-# We should run on Darwin
-if [ "X${UNAME}" = "XDarwin" ]; then
- ls ${IPFW} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
- fi
-
-
- # Executing and exiting
- if [ "x${ACTION}" = "xadd" ]; then
- #${IPFW} set disable ${SET_ID}
- ${IPFW} -q add set ${SET_ID} deny ip from ${IP} to any
- ${IPFW} -q add set ${SET_ID} deny ip from any to ${IP}
- ${IPFW} -q set enable ${SET_ID}
- exit 0;
- fi
-
- if [ "x${ACTION}" = "xdelete" ]; then
- #${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" >/dev/null 2>&1
- #get list of ipfw rules ID to delete
- RULES_TO_DELETE=`${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" | awk '{print $1}'`
-
- for RULE_ID in ${RULES_TO_DELETE}
- do
- ${IPFW} -q delete ${RULE_ID}
- done
-
- exit 0;
- fi
-
- exit 0;
-fi
-
-
-# Not Darwin
-exit 1;
-
+++ /dev/null
-#!/bin/sh
-# Author: Gianni D'Aprile
-
-GREP=`which grep`
-
-ACTION=$1
-USER=$2
-IP=$3
-
-# Finding path
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-NPFCTL=/sbin/npfctl
-
-if [ ! -x ${NPFCTL} ]; then
- echo "$0: NPF not present."
- echo "$0: NPF not present." >> ${PWD}/ossec-hids-responses.log
- exit 0;
-fi
-
-NPF_ACTIVE=`${NPFCTL} show | grep "filtering:" | ${GREP} -c active`
-
-if [ "x1" != "x${NPF_ACTIVE}" ]; then
- echo "$0: NPF not active."
- echo "$0: NPF not active." >> ${PWD}/ossec-hids-responses.log
- exit 0;
-fi
-
-NPF_OSSEC_READY=`${NPFCTL} show | ${GREP} -c "table <ossec_blacklist>"`
-
-if [ "x1" != "x${NPF_OSSEC_READY}" ]; then
- echo "$0: NPF not configured."
- echo "$0: NPF not configured." >> ${PWD}/ossec-hids-responses.log
- exit 0;
-fi
-
-# Checking for an IP
-if [ "x${IP}" = "x" ]; then
- echo "$0: <action> <username> <ip>"
- exit 1;
-fi
-
-case "x${ACTION}" in
-
- # Blocking IP
- xadd)
-
- ${NPFCTL} table ossec_blacklist add ${IP} >/dev/null 2>&1
- exit 0
-
- ;;
-
- # Unblocking IP
- xdelete)
-
- ${NPFCTL} table ossec_blacklist del ${IP} >/dev/null 2>&1
- exit 0
-
- ;;
-
- # No matching action
- *)
-
- echo "$0: invalid action: ${ACTION}"
- echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
- exit 1
-
- ;;
-
-esac
+++ /dev/null
-#!/bin/bash -x
-
-# Change these values!
-# APIKEY Your pagerduty api key
-
-APIKEY="xxxxxxx"
-# Checking user arguments
-if [ "x$1" = "xdelete" ]; then
- exit 0;
-fi
-ALERTID=$4
-RULEID=$5
-LOCAL=`dirname $0`;
-ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`
-ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`
-
-# Logging
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
-ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v "\.$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'`
-
-ALERTLOG= ${PWD}/../logs/alerts/alerts.log
-
-postfile=`mktemp`
-
-echo '{ "service_key": "'$APIKEY'", "incident_key": "Alert: '$ALERTTIME' / Rule: '$RULEID'", "event_type": "trigger", "description": "OSSEC Alert: '$ALERTLAST'", "client": "OSSEC IDS", "client_url": "http://dcid.me/ossec", "details": { "location": "'$HOSTNAME'", "Rule":"'$RULEID'", "Description":"'$ALERTFULL'", "Log":"'$ALERTLOG'"} } ' > $postfile
-
-curl -H "Content-type: application/json" -X POST --data @$postfile "https://events.pagerduty.com/generic/2010-04-15/create_event.json"
+++ /dev/null
-#!/bin/sh
-
-# Change these values!
-# SLACKUSER user who posts notifications
-# CHANNEL which channel it should be posted
-# SITE is the URL provided by the Slack's WebHook, something like:
-# https://hooks.slack.com/services/TOKEN"
-SLACKUSER=""
-CHANNEL=""
-SITE=""
-SOURCE="ossec2slack"
-
-# Checking user arguments
-if [ "x$1" = "xdelete" ]; then
- exit 0;
-fi
-ALERTID=$4
-RULEID=$5
-LOCAL=`dirname $0`;
-
-# Logging
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
-ALERTTITLE=`grep -A 1 "$ALERTID" ${PWD}/../logs/alerts/alerts.log | tail -1`
-ALERTTEXT=`grep -A 10 "$ALERTID" ${PWD}/../logs/alerts/alerts.log | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | sed '/^$/Q' | cut -c -139 | sed 's/\"//g'`
-
-LEVEL=`echo "${ALERTTEXT}" | head -1 | grep "(level [0-9]*)" | sed 's/^.*(level \([0-9]*\)).*$/\1/'`
-COLOR="#D3D3D3"
-if [ "${LEVEL}" ]
-then
- [ "${LEVEL}" -ge 4 ] && COLOR="#FFCC00"
- [ "${LEVEL}" -ge 7 ] && COLOR="#FF9966"
- [ "${LEVEL}" -ge 12 ] && COLOR="#CC3300"
-fi
-
-PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "attachments": [ {"fallback": "'"$( printf "${ALERTTITLE}\n${ALERTTEXT}" )"'", "title": "'"${ALERTTITLE}"'", "text": "'"${ALERTTEXT}"'", "color": "'"${COLOR}"'"} ]}'
-
-ls "`which curl`" > /dev/null 2>&1
-if [ ! $? = 0 ]; then
- ls "`which wget`" > /dev/null 2>&1
- if [ $? = 0 ]; then
- wget --keep-session-cookies --post-data="${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log
- exit 0;
- fi
-else
- curl -s -X POST --data-urlencode "payload=${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log
- exit 0;
-fi
-
-echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log
-exit 1;
+++ /dev/null
-#!/bin/sh
-# Tweeter an alert - copy at /var/ossec/active-response/bin/ossec-tweeter.sh
-# Author: Daniel Cid
-
-
-# Change these values!
-TWITTERUSER=""
-TWITTERPASS=''
-DIRECTMSGUSER=""
-SOURCE="ossec2tweeter"
-
-
-
-# Checking user arguments
-if [ "x$1" = "xdelete" ]; then
- exit 0;
-fi
-ALERTID=$4
-RULEID=$5
-LOCAL=`dirname $0`;
-ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`
-ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`
-
-
-
-# Logging
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
-ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v "\.$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139`
-
-
-
-# Checking if we are sending direct message or not.
-if [ "x" = "x$DIRECTMSGUSER" ]; then
- SITE="http://twitter.com/statuses/update.xml"
- REQUESTUSER=""
- REQUESTMSG="status=$ALERTFULL"
-else
- SITE="http://twitter.com/direct_messages/new.xml"
- REQUESTUSER="user=$DIRECTMSGUSER&"
- REQUESTMSG="text=$ALERTFULL"
-fi
-
-
-ls "`which curl`" > /dev/null 2>&1
-if [ ! $? = 0 ]; then
- ls "`which wget`" > /dev/null 2>&1
- if [ $? = 0 ]; then
- wget --keep-session-cookies --http-user=$TWITTERUSER --http-password=$TWITTERPASS --post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
- exit 0;
- fi
-else
- curl -u "$TWITTERUSER:$TWITTERPASS" -d "source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
- exit 0;
-fi
-
-echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log
-exit 1;
+++ /dev/null
-#!/bin/sh
-# Author: Rafael M. Capovilla
-# Last modified: Daniel B. Cid
-
-UNAME=`uname`
-GREP="/usr/bin/grep"
-PFCTL="/sbin/pfctl"
-PFCTL_RULES="/etc/pf.conf"
-PFCTL_TABLE="ossec_fwtable"
-ARG1=""
-ARG2=""
-CHECKTABLE=""
-ACTION=$1
-USER=$2
-IP=$3
-
-# Getting pf rules file.
-if [ ! -f $PFCTL_RULES ]; then
- echo "The pf rules file $PFCTL_RULES does not exist"
- exit 1
-fi
-
-# Checking if ossec table is configured
-CHECKTABLE=`cat ${PFCTL_RULES} | $GREP $PFCTL_TABLE`
-if [ -z "$CHECKTABLE" ]; then
- echo "Table $PFCTL_TABLE does not exist"
- exit 1
-fi
-
-# Finding path
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-# Checking for an IP
-if [ "x${IP}" = "x" ]; then
- echo "$0: <action> <username> <ip>"
- exit 1;
-fi
-
-# Blocking IP
-if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
- echo "$0: invalid action: ${ACTION}"
- echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
- exit 1;
-fi
-
-# OpenBSD and FreeBSD pf
-if [ "X${UNAME}" = "XOpenBSD" -o "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XDarwin" ]; then
-
- # Checking if pfctl is present
- ls ${PFCTL} > /dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "$0: PF not configured."
- echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
- exit 0;
- fi
-
- # Checking if we have pf config file
- if [ -e ${PFCTL_RULES} ]; then
-
- #Checking if we got the table to add the bad guys
- if [ "x${PFCTL_TABLE}" = "x" ]; then
- echo "$0: PF not configured."
- echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
- exit 0;
- else
- if [ "x${ACTION}" = "xadd" ]; then
- ARG1="-t $PFCTL_TABLE -T add ${IP}"
- ARG2="-k ${IP}"
- else
- ARG1="-t $PFCTL_TABLE -T delete ${IP}"
- fi
- fi
- else
- exit 0;
- fi
-
- #Executing it
- ${PFCTL} ${ARG1} > /dev/null 2>&1
- ${PFCTL} ${ARG2} > /dev/null 2>&1
- exit 0;
-
-else
- exit 0;
-fi
+++ /dev/null
-#!/bin/sh
-# Restarts ossec.
-# Requirements: none
-# Author: Daniel B. Cid
-
-ACTION=$1
-USER=$2
-IP=$3
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-UNAME=`uname`
-
-
-# Logging the call
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-
-
-# Adding the ip to hosts.deny
-if [ "x${ACTION}" = "xadd" ]; then
- ${PWD}/../bin/ossec-control restart
- exit 0;
-
-
-# Deleting from hosts.deny
-elif [ "x${ACTION}" = "xdelete" ]; then
- exit 0;
-
-
-# Invalid action
-else
- echo "$0: invalid action: ${ACTION}"
-fi
-
-exit 1;
+++ /dev/null
-#!/bin/sh
-# Adds an IP to null route
-# Requirements: ip route
-# Expect: srcip
-# Author: Ivan Lotina
-# Modifyed script host-deny from Daniel B. Cid
-# Last modified: Feb 16, 2007
-
-ACTION=$1
-USER=$2
-IP=$3
-
-LOCAL=`dirname $0`;
-cd $LOCAL
-cd ../
-PWD=`pwd`
-LOCK="${PWD}/host-deny-lock"
-LOCK_PID="${PWD}/host-deny-lock/pid"
-
-UNAME=`uname`
-
-# Logging the call
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
-
-
-# IP Address must be provided
-if [ "x${IP}" = "x" ]; then
- echo "$0: Missing argument <action> <user> (ip)"
- exit 1;
-fi
-
-# Match the loopback address to the version of the provided IP address
-LOOPBACK=127.0.0.1
-echo "${IP}" | grep "\:" > /dev/null 2>&1
-if [ $? = 0 ]; then
- LOOPBACK=::1
-fi
-
-# Adding the ip to null route
-if [ "x${ACTION}" = "xadd" ]; then
- if [ "X${UNAME}" = "XLinux" ]; then
- route add ${IP} reject
- exit 0;
- fi
-
- if [ "X${UNAME}" = "XFreeBSD" ]; then
- route -q add ${IP} $LOOPBACK -blackhole
- exit 0;
- fi
-
-# Deleting from null route
-# be carefull not to remove your default route
-elif [ "x${ACTION}" = "xdelete" ]; then
- if [ "X${UNAME}" = "XLinux" ]; then
- route del ${IP} reject
- exit 0;
- fi
-
- if [ "X${UNAME}" = "XFreeBSD" ]; then
- route -q delete ${IP} $LOOPBACK -blackhole
- exit 0;
- fi
-
-# Invalid action
-else
- echo "$0: invalid action: ${ACTION}"
-fi
-
-exit 1;
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-if {$argc <= 1} {
- send_user "\nERROR: ssh_integrity_check <hostname> <arguments>\n";
- exit 1;
-}
-
-# NOTE: this script must be called from within /var/ossec for it to work
-set passlist "agentless/.passlist"
-set sshsrc "agentless/ssh.exp"
-set susrc "agentless/su.exp"
-set sshloginsrc "agentless/sshlogin.exp"
-set sshnopasssrc "agentless/ssh_nopass.exp"
-set hostname [lindex $argv 0]
-set args [lrange $argv 1 end]
-set pass "x"
-set use_su " "
-set use_sudo " "
-set addpass "x"
-set timeout 20
-
-# Do script test
-if {[string compare $hostname "test"] == 0} {
- if {[string compare $args "test"] == 0} {
- exit 0;
- }
-}
-
-# Check if the hostname (first argument) is an option
-if {[string compare $hostname "use_su"] == 0} {
- set use_su "su;"
- set hostname [lindex $argv 1]
- set args [lrange $argv 2 end]
-}
-# Check if the hostname (first argument) is an option
-if {[string compare $hostname "use_sudo"] == 0} {
- set use_sudo "sudo sh;"
- set hostname [lindex $argv 1]
- set args [lrange $argv 2 end]
-}
-
-# Read the password list
-if [catch {
- set in [open "$passlist" r]
-} loc_error] {
- send_user "\nERROR: Password list not present (use \"register_host\" first).\n"
- exit 1;
-}
-
-while {[gets $in line] != -1} {
- set me [string first "|" $line]
- set me2 [string last "|" $line]
- set length [string length $line]
-
- if {$me == -1} {
- continue;
- }
- if {$me2 == -1} {
- continue;
- }
- if {$me == $me2} {
- continue;
- }
-
- set me [expr $me-1]
- set me2 [expr $me2-1]
-
- set host_list [string range $line 0 $me]
- set me [expr $me+2]
- set pass_list [string range $line $me $me2]
- set me2 [expr $me2+2]
- set addpass_list [string range $line $me2 $length]
-
- if {[string compare $host_list $hostname] == 0} {
- set pass "$pass_list"
- set addpass "$addpass_list"
- break
- }
-}
-close $in
-
-
-if {[string compare $pass "x"] == 0} {
- send_user "\nERROR: Password for '$hostname' not found.\n"
- exit 1;
-}
+++ /dev/null
-#!/bin/sh
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-MYNAME="register_host.sh"
-MYPASS=".passlist"
-
-# Check the location
-ls -la $MYNAME > /dev/null 2>&1
-if [ ! $? = 0 ]; then
- LOCALDIR=`dirname $0`;
- cd ${LOCALDIR}
-
- ls -la $MYNAME > /dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "ERROR: You must run this script from the same directory."
- exit 1;
- fi
-fi
-
-# Arguments
-if [ "x$1" = "x" -o "x$1" = "xhelp" -o "x$1" = "x-h" ]; then
- echo "$0 options:"
- echo " add <user@host> [<passwd>] (<additional_pass>)"
- echo " list (passwords)"
- exit 0;
-fi
-
-if [ "x$1" = "xlist" ]; then
- echo "*Available hosts: "
- if [ "x$2" = "xpasswords" ]; then
- cat $MYPASS | sort | uniq;
- else
- cat $MYPASS | cut -d "|" -f 1 | sort | uniq;
- fi
- exit 0;
-
-elif [ "x$1" = "xadd" ]; then
- if [ "x$2" = "x" ]; then
- echo "ERROR: Missing hostname name.";
- echo "ex: $0 add <user@host> [<passwd>] (<additional_pass>)";
- exit 1;
- fi
-
- grep "$2|" $MYPASS > /dev/null 2>&1
- if [ $? = 0 ]; then
- echo "ERROR: Host '$2' already added.";
- exit 1;
- fi
-
- # Check if the password was supplied
- if [ "x$3" = "x" ]; then
- echo "Please provide password for host $2."
- echo -n "Password: ";
- stty -echo
- read INPASS
- stty echo
-
- echo "Please provide additional password for host $2 (<enter> for empty)."
- echo -n "Password: ";
- stty -echo
- read ADDPASS
- stty echo
- else
- INPASS=$3
- ADDPASS=$4
- fi
-
- echo "$2|$INPASS|$ADDPASS" >> $MYPASS;
- if [ ! $? = 0 ]; then
- echo "ERROR: Unable to creating entry (echo failed)."
- exit 1;
- fi
- chmod 744 $MYPASS
- echo "*Host $2 added."
-
-else
- echo "ERROR: Invalid argument.";
- exit 1;
-
-fi
-
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-if {[string compare $pass "NOPASS"] == 0} {
- source $sshnopasssrc
- return
-}
-
-expect {
- "WARNING: REMOTE HOST" {
- send_user "\nERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
- exit 1;
- }
- "*sure you want to continue connecting*" {
- send "yes\r"
- expect "*assword:*" {
- send "$pass\r"
- source $sshloginsrc
- }
- }
- "ssh: connect to host*" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "no address associated with name" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection refused*" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection closed by remote host*" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*assword:*" {
- send "$pass\r"
- source $sshloginsrc
- }
- timeout {
- send_user "\nERROR: Timeout while connecting to host: $hostname . \n"
- exit 1;
- }
-}
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-if {$argc < 1} {
- send_user "ERROR: ssh_asa-fwsmconfig_diff <hostname> <commands>\n";
- send_user "ERROR: Must be run from /var/ossec\n";
- exit 1;
-}
-
-# NOTE: this script must be called from within /var/ossec for it to work
-set passlist "agentless/.passlist"
-set hostname [lindex $argv 0]
-set commands [lrange $argv 1 end]
-set pass "x"
-set addpass "x"
-set timeout 20
-
-if {[string compare $hostname "test"] == 0} {
- if {[string compare $commands "test"] == 0} {
- exit 0;
- }
-}
-
-# Read the password list
-if [catch {
- set in [open "$passlist" r]
-} loc_error] {
- send_user "ERROR: Password list not present (use \"register_host\" first).\n"
- exit 1;
-}
-
-while {[gets $in line] != -1} {
- set me [string first "|" $line]
- set me2 [string last "|" $line]
- set length [string length $line]
-
- if {$me == -1} {
- continue;
- }
- if {$me2 == -1} {
- continue;
- }
- if {$me == $me2} {
- continue;
- }
-
- set me [expr $me-1]
- set me2 [expr $me2-1]
-
- set host_list [string range $line 0 $me]
- set me [expr $me+2]
- set pass_list [string range $line $me $me2]
- set me2 [expr $me2+2]
- set addpass_list [string range $line $me2 $length]
-
- if {[string compare $host_list $hostname] == 0} {
- set pass "$pass_list"
- set addpass "$addpass_list"
- break
- }
-}
-close $in
-
-if {[string compare $pass "x"] == 0} {
- send_user "ERROR: Password for '$hostname' not found.\n"
- exit 1;
-}
-
-# SSH to the box and pass the directories to check
-if [catch {
- spawn ssh -c des $hostname
-} loc_error] {
- send_user "ERROR: Opening connection: $loc_error.\n"
- exit 1;
-}
-
-expect {
- "WARNING: REMOTE HOST" {
- send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
- exit 1;
- }
- "*sure you want to continue connecting*" {
- send "yes\r"
- expect "* password:*" {
- send "$pass\r"
-
- expect {
- "Permission denied" {
- send_user "ERROR: Incorrect password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
- exit 1;
- }
- "*>" {
- send_user "\nINFO: Starting.\n"
- }
- }
- }
- }
- "ssh: connect to host*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "no address associated with name" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection refused*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection closed by remote host*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "* password:*" {
- send "$pass\r"
-
- expect {
- "Permission denied" {
- send_user "ERROR: Incorrect password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
- exit 1;
- }
- "*>" {
- send_user "INFO: Starting.\n"
- }
- }
- }
- timeout {
- send_user "ERROR: Timeout while connecting to host: $hostname . \n"
- exit 1;
- }
-}
-
-# Go into enable mode
-send "enable\r"
-expect {
- "Password:" {
- send "$addpass\r"
-
- expect {
- "*asswor*" {
- send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
- exit 1;
- }
- "*rror in authenticatio*" {
- send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
- exit 1;
- }
- "*#" {
- send_user "ok on enable pass\n"
- }
- }
- }
- timeout {
- send_user "ERROR: Timeout while running enable on host: $hostname .\n"
- exit 1;
- }
-}
-
-# Send commands
-set timeout 60
-send_user "\nSTORE: now\n"
-
-send "term pager 0\r"
-
-# Exclude uptime from the output
-send "show version | grep -v Configuration last| up\r"
-send "show running-config\r"
-send "$commands\r"
-send "exit\r"
-
-expect {
- timeout {
- send_user "ERROR: Timeout while running commands on host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nINFO: Finished.\n"
- exit 0;
- }
-}
-
-send_user "ERROR: Unable to finish properly.\n"
-exit 1;
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-if {$argc < 1} {
- send_user "ERROR: ssh_pixconfig_diff <hostname> <commands>\n";
- exit 1;
-}
-
-# NOTE: this script must be called from within /var/ossec for it to work
-set passlist "agentless/.passlist"
-set hostname [lindex $argv 0]
-set commands [lrange $argv 1 end]
-set pass "x"
-set addpass "x"
-set timeout 20
-
-if {[string compare $hostname "test"] == 0} {
- if {[string compare $commands "test"] == 0} {
- exit 0;
- }
-}
-
-# Read the password list
-if [catch {
- set in [open "$passlist" r]
-} loc_error] {
- send_user "ERROR: Password list not present (use \"register_host\" first).\n"
- exit 1;
-}
-
-while {[gets $in line] != -1} {
- set me [string first "|" $line]
- set me2 [string last "|" $line]
- set length [string length $line]
-
- if {$me == -1} {
- continue;
- }
- if {$me2 == -1} {
- continue;
- }
- if {$me == $me2} {
- continue;
- }
-
- set me [expr $me-1]
- set me2 [expr $me2-1]
-
- set host_list [string range $line 0 $me]
- set me [expr $me+2]
- set pass_list [string range $line $me $me2]
- set me2 [expr $me2+2]
- set addpass_list [string range $line $me2 $length]
-
- if {[string compare $host_list $hostname] == 0} {
- set pass "$pass_list"
- set addpass "$addpass_list"
- break
- }
-}
-close $in
-
-if {[string compare $pass "x"] == 0} {
- send_user "ERROR: Password for '$hostname' not found.\n"
- exit 1;
-}
-
-# SSH to the box and pass the directories to check
-if [catch {
- spawn ssh $hostname
-} loc_error] {
- send_user "ERROR: Opening connection: $loc_error.\n"
- exit 1;
-}
-
-expect {
- "WARNING: REMOTE HOST" {
- send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
- exit 1;
- }
- "*sure you want to continue connecting*" {
- send "yes\r"
- expect "* password:*" {
- send "$pass\r"
-
- expect {
- "Permission denied" {
- send_user "ERROR: Incorrect password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
- exit 1;
- }
- "*>" {
- send_user "\nINFO: Starting.\n"
- }
- }
- }
- }
- "ssh: connect to host*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "no address associated with name" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection refused*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection closed by remote host*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "* password:*" {
- send "$pass\r"
-
- expect {
- "Permission denied" {
- send_user "ERROR: Incorrect password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
- exit 1;
- }
- "*>" {
- send_user "INFO: Starting.\n"
- }
- }
- }
- timeout {
- send_user "ERROR: Timeout while connecting to host: $hostname . \n"
- exit 1;
- }
-}
-
-if {[string compare $addpass ""] != 0} {
- # Go into enable mode
- send "enable\r"
- expect {
- "Password:" {
- send "$addpass\r"
-
- expect {
- "*asswor*" {
- send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
- exit 1;
- }
- "*rror - incorrect password*" {
- send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
- exit 1;
- }
- "*#" {
- send_user "ok on enable pass\n"
- }
- }
- }
- timeout {
- send_user "ERROR: Timeout while running enable on host: $hostname .\n"
- exit 1;
- }
- }
-}
-
-# Send commands
-set timeout 60
-send_user "\nSTORE: now\n"
-
-send "skip-page-display\r"
-
-# Exclude uptime from the output
-send "sh run\r"
-send "$commands\r"
-send "exit\rexit\r"
-
-expect {
- timeout {
- send_user "ERROR: Timeout while running commands on host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nINFO: Finished.\n"
- exit 0;
- }
-}
-
-send_user "ERROR: Unable to finish properly.\n"
-exit 1;
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# Main script
-source "agentless/main.exp"
-
-# SSH to the box and pass the directories to check
-if [catch {
- spawn ssh $hostname
-} loc_error] {
- send_user "ERROR: Opening connection: $loc_error.\n"
- exit 1;
-}
-
-source $sshsrc
-source $susrc
-
-set timeout 600
-send_user "INFO: Starting.\n"
-send_user "\nSTORE: now\n"
-send "$args\r"
-send "exit\r"
-
-expect {
- timeout {
- send_user "ERROR: Timeout while running commands on host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nINFO: Finished.\n"
- exit 0;
- }
-}
-
-exit 0;
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# Main script
-source "agentless/main.exp"
-
-# SSH to the box and pass the directories to check
-if [catch {
- spawn ssh $hostname
-} loc_error] {
- send_user "\nERROR: Opening connection: $loc_error.\n"
- exit 1;
-}
-
-source $sshsrc
-source $susrc
-
-set timeout 600
-send "for i in `find $args 2>/dev/null`;do tail \$i >/dev/null 2>&1 && md5=`md5 \$i | cut -d \"=\" -f 2|cut -d \" \" -f 2` && sha1=`sha1 \$i | cut -d \"=\" -f 2|cut -d \" \" -f 2` && echo FWD: `stat -f \"%Dz:%Dp:%Du:%Dg\" \$i`:\$md5:\$sha1 \$i; done; exit\r"
-send "exit\r"
-
-expect {
- timeout {
- send_user "\nERROR: Timeout while running commands on host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nINFO: Finished.\n"
- exit 0;
- }
-}
-
-exit 0;
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# Main script
-source "agentless/main.exp"
-
-# SSH to the box and pass the directories to check
-if [catch {
- spawn ssh $hostname
-} loc_error] {
- send_user "ERROR: Opening connection: $loc_error.\n"
- exit 1;
-}
-
-source $sshsrc
-source $susrc
-
-set timeout 600
-send "unset HISTFILE echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do tail \$i >/dev/null 2>&1 && md5=`md5sum \$i | cut -d \" \" -f 1` && sha1=`sha1sum \$i | cut -d \" \" -f 1` && echo FWD: `stat --printf \"%s:%a:%u:%g\" \$i`:\$md5:\$sha1 \$i; done; exit\r"
-send "exit\r"
-
-expect {
- timeout {
- send_user "ERROR: Timeout while running commands on host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nINFO: Finished.\n"
- exit 0;
- }
-}
-
-exit 0;
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-expect {
- "WARNING: REMOTE HOST" {
- send_user "\nERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
- exit 1;
- }
- "*sure you want to continue connecting*" {
- send "yes\r"
- source $sshnopasssrc
- return
- }
- "ssh: connect to host*" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "no address associated with name" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection refused*" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection closed by remote host*" {
- send_user "\nERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "* password:*" {
- send_user "\nERROR: Public key authentication failed to host: $hostname .\n"
- exit 1
- }
- "*\\\$" {
- send_user "\nINFO: Started.\n"
- }
- "*#" {
- send_user "\nINFO: Started.\n"
- }
- timeout {
- send_user "\nERROR: Timeout while connecting to host: $hostname . \n"
- exit 1;
- }
-}
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-if {$argc < 1} {
- send_user "ERROR: ssh_pixconfig_diff <hostname> <commands>\n";
- exit 1;
-}
-
-# NOTE: this script must be called from within /var/ossec for it to work
-set passlist "agentless/.passlist"
-set hostname [lindex $argv 0]
-set commands [lrange $argv 1 end]
-set pass "x"
-set addpass "x"
-set timeout 20
-
-if {[string compare $hostname "test"] == 0} {
- if {[string compare $commands "test"] == 0} {
- exit 0;
- }
-}
-
-# Read the password list
-if [catch {
- set in [open "$passlist" r]
-} loc_error] {
- send_user "ERROR: Password list not present (use \"register_host\" first).\n"
- exit 1;
-}
-
-while {[gets $in line] != -1} {
- set me [string first "|" $line]
- set me2 [string last "|" $line]
- set length [string length $line]
-
- if {$me == -1} {
- continue;
- }
- if {$me2 == -1} {
- continue;
- }
- if {$me == $me2} {
- continue;
- }
-
- set me [expr $me-1]
- set me2 [expr $me2-1]
-
- set host_list [string range $line 0 $me]
- set me [expr $me+2]
- set pass_list [string range $line $me $me2]
- set me2 [expr $me2+2]
- set addpass_list [string range $line $me2 $length]
-
- if {[string compare $host_list $hostname] == 0} {
- set pass "$pass_list"
- set addpass "$addpass_list"
- break
- }
-}
-close $in
-
-if {[string compare $pass "x"] == 0} {
- send_user "ERROR: Password for '$hostname' not found.\n"
- exit 1;
-}
-
-# SSH to the box and pass the directories to check
-if [catch {
- spawn ssh -c des $hostname
-} loc_error] {
- send_user "ERROR: Opening connection: $loc_error.\n"
- exit 1;
-}
-
-expect {
- "WARNING: REMOTE HOST" {
- send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
- exit 1;
- }
- "*sure you want to continue connecting*" {
- send "yes\r"
- expect "* password:*" {
- send "$pass\r"
-
- expect {
- "Permission denied" {
- send_user "ERROR: Incorrect password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
- exit 1;
- }
- "*>" {
- send_user "\nINFO: Starting.\n"
- }
- }
- }
- }
- "ssh: connect to host*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "no address associated with name" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection refused*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Connection closed by remote host*" {
- send_user "ERROR: Unable to connect to remote host: $hostname .\n"
- exit 1;
- }
- "*Password:*" {
- send "$pass\r"
-
- expect {
- "Permission denied" {
- send_user "ERROR: Incorrect password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
- exit 1;
- }
- "*>" {
- send_user "INFO: Starting.\n"
- }
- }
- }
- timeout {
- send_user "ERROR: Timeout while connecting to host: $hostname . \n"
- exit 1;
- }
-}
-
-# Go into enable mode
-send "enable\r"
-expect {
- "Password:" {
- send "$addpass\r"
-
- expect {
- "*asswor*" {
- send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
- exit 1;
- }
- "*rror in authenticatio*" {
- send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
- exit 1;
- }
- "*#" {
- send_user "ok on enable pass\n"
- }
- }
- }
- timeout {
- send_user "ERROR: Timeout while running enable on host: $hostname .\n"
- exit 1;
- }
-}
-
-# Send commands
-set timeout 60
-send_user "\nSTORE: now\n"
-
-send "no pager\r"
-send "term len 0\r"
-send "terminal pager 0\r"
-
-# Exclude uptime from the output
-send "show version | grep -v Configuration last| up\r"
-send "show running-config\r"
-send "$commands\r"
-send "exit\r"
-
-expect {
- timeout {
- send_user "ERROR: Timeout while running commands on host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nINFO: Finished.\n"
- exit 0;
- }
-}
-
-send_user "ERROR: Unable to finish properly.\n"
-exit 1;
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-expect {
- "Permission denied" {
- send_user "\nERROR: Incorrect password to remote host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nERROR: EOF while logging to host: $hostname .\n"
- exit 0;
- }
- timeout {
- send_user "\nERROR: Timeout while running on host: $hostname .\n"
- exit 1;
- }
- "*\\\$" {
- send_user "\nINFO: Started.\n"
- }
- "*#" {
- send_user "\nINFO: Started.\n"
- }
-}
+++ /dev/null
-#!/usr/bin/env expect
-
-# Agentless monitoring
-#
-# Copyright (C) 2009 Trend Micro Inc.
-# All rights reserved.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# If su was chosen
-set timeout 10
-if {[string compare $use_su "su;"] == 0} {
-
- # Run su command
- send "\rsu\r"
-
- expect {
- "Password:" {
- send "$addpass\r"
- }
- timeout {
- send_user "\nERROR: Unable to run su.\n"
- exit 1;
- }
- }
-
- expect {
- "Permission denied" {
- send_user "\nERROR: Incorrect su password to host: $hostname .\n"
- exit 1;
- }
- "Password:" {
- send_user "\nERROR: Incorrect su password to host: $hostname .\n"
- exit 1;
- }
- "Sorry" {
- send_user "\nERROR: Incorrect su password to remote host: $hostname .\n"
- exit 1;
- }
- eof {
- send_user "\nERROR: EOF while running su on host: $hostname .\n"
- exit 1;
- }
- timeout {
- send_user "\nERROR: Timeout while running on host: $hostname .\n"
- exit 1;
- }
- "*#" {
- send_user "\nINFO: su accepted.\n"
- }
- }
-}
+++ /dev/null
-#!/bin/sh
-# ossec-control This shell script takes care of starting
-# or stopping ossec-hids
-# Author: Daniel B. Cid <daniel.cid@gmail.com>
-
-LOCAL=`dirname $0`;
-cd ${LOCAL}
-PWD=`pwd`
-DIR=`dirname $PWD`;
-
-
-### Do not modify below here ###
-NAME="OSSEC HIDS"
-VERSION="v3.3.0"
-DAEMONS="ossec-logcollector ossec-syscheckd ossec-agentd ossec-execd"
-
-[ -f /etc/ossec-init.conf ] && . /etc/ossec-init.conf
-
-## Locking for the start/stop
-LOCK="${DIR}/var/start-script-lock"
-LOCK_PID="${LOCK}/pid"
-
-# This number should be more than enough (even if it is
-# started multiple times together). It will try for up
-# to 10 attempts (or 10 seconds) to execute.
-MAX_ITERATION="10"
-
-checkpid()
-{
- for i in ${DAEMONS}; do
- for j in `cat ${DIR}/var/run/${i}*.pid 2>/dev/null`; do
- ps -p $j |grep ossec >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "Deleting PID file '${DIR}/var/run/${i}-${j}.pid' not used..."
- rm ${DIR}/var/run/${i}-${j}.pid
- fi
- done
- done
-}
-
-lock()
-{
- i=0;
-
- # Providing a lock.
- while [ 1 ]; do
- mkdir ${LOCK} > /dev/null 2>&1
- MSL=$?
- if [ "${MSL}" = "0" ]; then
- # Lock acquired (setting the pid)
- echo "$$" > ${LOCK_PID}
- return;
- fi
-
- # Waiting 1 second before trying again
- sleep 1;
- i=`expr $i + 1`;
-
- # If PID is not present, speed things a bit.
- kill -0 `cat ${LOCK_PID}` >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- # Pid is not present.
- i=`expr $i + 1`;
- fi
-
- # We tried 10 times to acquire the lock.
- if [ "$i" = "${MAX_ITERATION}" ]; then
- # Unlocking and executing
- unlock;
- mkdir ${LOCK} > /dev/null 2>&1
- echo "$$" > ${LOCK_PID}
- return;
- fi
- done
-}
-
-unlock()
-{
- rm -rf ${LOCK}
-}
-
-help()
-{
- # Help message
- echo "Usage: $0 {start|stop|reload|restart|status}";
- exit 1;
-}
-
-status()
-{
- RETVAL=0
- for i in ${DAEMONS}; do
- pstatus ${i};
- if [ $? = 0 ]; then
- RETVAL=1
- echo "${i} not running..."
- else
- echo "${i} is running..."
- fi
- done
- exit $RETVAL
-}
-
-testconfig()
-{
- # We first loop to check the config.
- for i in ${SDAEMONS}; do
- ${DIR}/bin/${i} -t;
- if [ $? != 0 ]; then
- echo "${i}: Configuration error. Exiting"
- unlock;
- exit 1;
- fi
- done
-}
-
-# Start function
-start()
-{
- SDAEMONS="ossec-execd ossec-agentd ossec-logcollector ossec-syscheckd"
-
- echo "Starting $NAME $VERSION..."
- lock;
- checkpid;
-
- # We actually start them now.
- for i in ${SDAEMONS}; do
- pstatus ${i};
- if [ $? = 0 ]; then
- ${DIR}/bin/${i};
- if [ $? != 0 ]; then
- echo "${i} did not start";
- unlock;
- exit 1;
- fi
-
- echo "Started ${i}..."
- else
- echo "${i} already running..."
- fi
- done
-
- # After we start we give 2 seconds for the daemons
- # to internally create their PID files.
- sleep 2;
- unlock;
- echo "Completed."
-}
-
-pstatus()
-{
- pfile=$1;
-
- # pfile must be set
- if [ "X${pfile}" = "X" ]; then
- return 0;
- fi
-
- ls ${DIR}/var/run/${pfile}*.pid > /dev/null 2>&1
- if [ $? = 0 ]; then
- for j in `cat ${DIR}/var/run/${pfile}*.pid 2>/dev/null`; do
- ps -p $j |grep ossec >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "${pfile}: Process $j not used by ossec, removing .."
- rm -f ${DIR}/var/run/${pfile}-$j.pid
- continue;
- fi
-
- kill -0 $j > /dev/null 2>&1
- if [ $? = 0 ]; then
- return 1;
- fi
- done
- fi
-
- return 0;
-}
-
-stopa()
-{
- lock;
- checkpid;
- for i in ${DAEMONS}; do
- pstatus ${i};
- if [ $? = 1 ]; then
- echo "Killing ${i} .. ";
-
- kill `cat ${DIR}/var/run/${i}*.pid`;
- else
- echo "${i} not running ..";
- fi
-
- rm -f ${DIR}/var/run/${i}*.pid
- done
-
- unlock;
- echo "$NAME $VERSION Stopped"
-}
-
-### MAIN HERE ###
-
-case "$1" in
-start)
- testconfig
- start
- ;;
-stop)
- stopa
- ;;
-restart)
- testconfig
- stopa
- sleep 1;
- start
- ;;
-reload)
- DAEMONS="ossec-logcollector ossec-syscheckd ossec-agentd"
- stopa
- start
- ;;
-status)
- status
- ;;
-help)
- help
- ;;
-*)
- help
-esac
-
+++ /dev/null
-ossec-local.sh
\ No newline at end of file
+++ /dev/null
-#!/bin/sh
-# ossec-control This shell script takes care of starting
-# or stopping ossec-hids
-# Author: Daniel B. Cid <daniel.cid@gmail.com>
-
-# Getting where we are installed
-LOCAL=`dirname $0`;
-cd ${LOCAL}
-PWD=`pwd`
-DIR=`dirname $PWD`;
-PLIST=${DIR}/bin/.process_list;
-
-### Do not modify below here ###
-
-# Getting additional processes
-ls -la ${PLIST} > /dev/null 2>&1
-if [ $? = 0 ]; then
-. ${PLIST};
-fi
-
-NAME="OSSEC HIDS"
-VERSION="v3.3.0"
-DAEMONS="ossec-monitord ossec-logcollector ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
-
-## Locking for the start/stop
-LOCK="${DIR}/var/start-script-lock"
-LOCK_PID="${LOCK}/pid"
-
-# This number should be more than enough (even if it is
-# started multiple times together). It will try for up
-# to 10 attempts (or 10 seconds) to execute.
-MAX_ITERATION="10"
-
-checkpid() {
- for i in ${DAEMONS}; do
- for j in `cat ${DIR}/var/run/${i}*.pid 2>/dev/null`; do
- ps -p $j |grep ossec >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "Deleting PID file '${DIR}/var/run/${i}-${j}.pid' not used..."
- rm ${DIR}/var/run/${i}-${j}.pid
- fi
- done
- done
-}
-
-lock() {
- i=0;
-
- # Providing a lock.
- while [ 1 ]; do
- mkdir ${LOCK} > /dev/null 2>&1
- MSL=$?
- if [ "${MSL}" = "0" ]; then
- # Lock acquired (setting the pid)
- echo "$$" > ${LOCK_PID}
- return;
- fi
-
- # Waiting 1 second before trying again
- sleep 1;
- i=`expr $i + 1`;
-
- # If PID is not present, speed things a bit.
- kill -0 `cat ${LOCK_PID}` >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- # Pid is not present.
- i=`expr $i + 1`;
- fi
-
- # We tried 10 times to acquire the lock.
- if [ "$i" = "${MAX_ITERATION}" ]; then
- # Unlocking and executing
- unlock;
- mkdir ${LOCK} > /dev/null 2>&1
- echo "$$" > ${LOCK_PID}
- return;
- fi
- done
-}
-
-unlock()
-{
- rm -rf ${LOCK}
-}
-
-help()
-{
- # Help message
- echo ""
- echo "Usage: $0 {start|stop|restart|status|enable|disable}";
- exit 1;
-}
-
-# Enables additional daemons
-enable()
-{
- if [ "X$2" = "X" ]; then
- echo ""
- echo "Enable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 enable [database|client-syslog|agentless|debug]"
- exit 1;
- fi
-
- if [ "X$2" = "Xdatabase" ]; then
- echo "DB_DAEMON=ossec-dbd" >> ${PLIST};
- elif [ "X$2" = "Xclient-syslog" ]; then
- echo "CSYSLOG_DAEMON=ossec-csyslogd" >> ${PLIST};
- elif [ "X$2" = "Xagentless" ]; then
- echo "AGENTLESS_DAEMON=ossec-agentlessd" >> ${PLIST};
- elif [ "X$2" = "Xdebug" ]; then
- echo "DEBUG_CLI=\"-d\"" >> ${PLIST};
- else
- echo ""
- echo "Invalid enable option."
- echo ""
- echo "Enable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 enable [database|client-syslog|agentless|debug]"
- exit 1;
- fi
-}
-
-# Disables additional daemons
-disable()
-{
- if [ "X$2" = "X" ]; then
- echo ""
- echo "Disable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 disable [database|client-syslog|agentless,debug]"
- exit 1;
- fi
-
- if [ "X$2" = "Xdatabase" ]; then
- echo "DB_DAEMON=\"\"" >> ${PLIST};
- elif [ "X$2" = "Xclient-syslog" ]; then
- echo "CSYSLOG_DAEMON=\"\"" >> ${PLIST};
- elif [ "X$2" = "Xagentless" ]; then
- echo "AGENTLESS_DAEMON=\"\"" >> ${PLIST};
- elif [ "X$2" = "Xdebug" ]; then
- echo "DEBUG_CLI=\"\"" >> ${PLIST};
- else
- echo ""
- echo "Invalid disable option."
- echo ""
- echo "Disable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 disable [database|client-syslog|agentless|debug]"
- exit 1;
- fi
-}
-
-status()
-{
- RETVAL=0
- for i in ${DAEMONS}; do
- pstatus ${i};
- if [ $? = 0 ]; then
- RETVAL=1
- echo "${i} not running..."
- else
- echo "${i} is running..."
- fi
- done
- exit $RETVAL
-}
-
-testconfig()
-{
- # We first loop to check the config
- for i in ${SDAEMONS}; do
- ${DIR}/bin/${i} -t ${DEBUG_CLI};
- if [ $? != 0 ]; then
- echo "${i}: Configuration error. Exiting"
- unlock;
- exit 1;
- fi
- done
-}
-
-start()
-{
- SDAEMONS="${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-syscheckd ossec-monitord"
-
- echo "Starting $NAME $VERSION..."
- echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1;
- if [ ! $? = 0 ]; then
- echo "ossec-analysisd: Configuration error. Exiting."
- exit 1;
- fi
-
- lock;
- checkpid;
-
- # We actually start them now.
- for i in ${SDAEMONS}; do
- pstatus ${i};
- if [ $? = 0 ]; then
- ${DIR}/bin/${i} ${DEBUG_CLI};
- if [ $? != 0 ]; then
- echo "${i} did not start correctly.";
- unlock;
- exit 1;
- fi
- echo "Started ${i}..."
- else
- echo "${i} already running..."
- fi
- done
-
- # After we start we give 2 seconds for the daemons
- # to internally create their PID files.
- sleep 2;
- unlock;
-
- ls -la "${DIR}/ossec-agent/" >/dev/null 2>&1
- if [ $? = 0 ]; then
- echo ""
- echo "Starting sub agent directory (for hybrid mode)"
- ${DIR}/ossec-agent/bin/ossec-control start
- fi
-
- echo "Completed."
-}
-
-pstatus()
-{
- pfile=$1;
-
- # pfile must be set
- if [ "X${pfile}" = "X" ]; then
- return 0;
- fi
-
- ls ${DIR}/var/run/${pfile}*.pid > /dev/null 2>&1
- if [ $? = 0 ]; then
- for j in `cat ${DIR}/var/run/${pfile}*.pid 2>/dev/null`; do
- ps -p $j |grep ossec >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "${pfile}: Process $j not used by ossec, removing .."
- rm -f ${DIR}/var/run/${pfile}-$j.pid
- continue;
- fi
-
- kill -0 $j > /dev/null 2>&1
- if [ $? = 0 ]; then
- return 1;
- fi
- done
- fi
-
- return 0;
-}
-
-stopa()
-{
- lock;
- checkpid;
- for i in ${DAEMONS}; do
- pstatus ${i};
- if [ $? = 1 ]; then
- echo "Killing ${i} .. ";
- kill `cat ${DIR}/var/run/${i}*.pid`;
- else
- echo "${i} not running ..";
- fi
- rm -f ${DIR}/var/run/${i}*.pid
- done
-
- unlock;
-
- ls -la "${DIR}/ossec-agent/" >/dev/null 2>&1
- if [ $? = 0 ]; then
- echo ""
- echo "Stopping sub agent directory (for hybrid mode)"
- ${DIR}/ossec-agent/bin/ossec-control stop
- fi
- echo "$NAME $VERSION Stopped"
-}
-
-### MAIN HERE ###
-
-case "$1" in
-start)
- testconfig
- start
- ;;
-stop)
- stopa
- ;;
-restart)
- testconfig
- stopa
- sleep 1;
- start
- ;;
-status)
- status
- ;;
-help)
- help
- ;;
-enable)
- enable $1 $2;
- ;;
-disable)
- disable $1 $2;
- ;;
-*)
- help
-esac
-
+++ /dev/null
-#!/bin/sh
-# ossec-control This shell script takes care of starting
-# or stopping ossec-hids
-# Author: Daniel B. Cid <daniel.cid@gmail.com>
-
-# Getting where we are installed
-LOCAL=`dirname $0`;
-cd ${LOCAL}
-PWD=`pwd`
-DIR=`dirname $PWD`;
-PLIST=${DIR}/bin/.process_list;
-
-### Do not modify below here ###
-
-# Getting additional processes
-ls -la ${PLIST} > /dev/null 2>&1
-if [ $? = 0 ]; then
-. ${PLIST};
-fi
-
-NAME="OSSEC HIDS"
-VERSION="v3.3.0"
-
-[ -f /etc/ossec-init.conf ] && . /etc/ossec-init.conf;
-
-DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
-
-## Locking for the start/stop
-LOCK="${DIR}/var/start-script-lock"
-LOCK_PID="${LOCK}/pid"
-
-# This number should be more than enough (even if it is
-# started multiple times together). It will try for up
-# to 10 attempts (or 10 seconds) to execute.
-MAX_ITERATION="10"
-
-checkpid()
-{
- for i in ${DAEMONS}; do
- for j in `cat ${DIR}/var/run/${i}*.pid 2>/dev/null`; do
- ps -p $j |grep ossec >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "Deleting PID file '${DIR}/var/run/${i}-${j}.pid' not used..."
- rm ${DIR}/var/run/${i}-${j}.pid
- fi
- done
- done
-}
-
-lock()
-{
- i=0;
-
- # Providing a lock.
- while [ 1 ]; do
- mkdir ${LOCK} > /dev/null 2>&1
- MSL=$?
- if [ "${MSL}" = "0" ]; then
- # Lock acquired (setting the pid)
- echo "$$" > ${LOCK_PID}
- return;
- fi
-
- # Waiting 1 second before trying again
- sleep 1;
- i=`expr $i + 1`;
-
- # If PID is not present, speed things a bit.
- kill -0 `cat ${LOCK_PID}` >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- # Pid is not present.
- i=`expr $i + 1`;
- fi
-
- # We tried 10 times to acquire the lock.
- if [ "$i" = "${MAX_ITERATION}" ]; then
- # Unlocking and executing
- unlock;
- mkdir ${LOCK} > /dev/null 2>&1
- echo "$$" > ${LOCK_PID}
- return;
- fi
- done
-}
-
-unlock()
-{
- rm -rf ${LOCK}
-}
-
-help()
-{
- # Help message
- echo ""
- echo "Usage: $0 {start|stop|reload|restart|status|enable|disable}";
- exit 1;
-}
-
-# Enables additional daemons
-enable()
-{
- if [ "X$2" = "X" ]; then
- echo ""
- echo "Enable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 enable [database|client-syslog|agentless|debug]"
- exit 1;
- fi
-
- if [ "X$2" = "Xdatabase" ]; then
- echo "DB_DAEMON=ossec-dbd" >> ${PLIST};
- elif [ "X$2" = "Xclient-syslog" ]; then
- echo "CSYSLOG_DAEMON=ossec-csyslogd" >> ${PLIST};
- elif [ "X$2" = "Xagentless" ]; then
- echo "AGENTLESS_DAEMON=ossec-agentlessd" >> ${PLIST};
- elif [ "X$2" = "Xdebug" ]; then
- echo "DEBUG_CLI=\"-d\"" >> ${PLIST};
- else
- echo ""
- echo "Invalid enable option."
- echo ""
- echo "Enable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 enable [database|client-syslog|agentless|debug]"
- exit 1;
- fi
-}
-
-# Disables additional daemons
-disable()
-{
- if [ "X$2" = "X" ]; then
- echo ""
- echo "Disable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 disable [database|client-syslog|agentless|debug]"
- exit 1;
- fi
-
- if [ "X$2" = "Xdatabase" ]; then
- echo "DB_DAEMON=\"\"" >> ${PLIST};
- elif [ "X$2" = "Xclient-syslog" ]; then
- echo "CSYSLOG_DAEMON=\"\"" >> ${PLIST};
- elif [ "X$2" = "Xagentless" ]; then
- echo "AGENTLESS_DAEMON=\"\"" >> ${PLIST};
- elif [ "X$2" = "Xdebug" ]; then
- echo "DEBUG_CLI=\"\"" >> ${PLIST};
- else
- echo ""
- echo "Invalid disable option."
- echo ""
- echo "Disable options: database, client-syslog, agentless, debug"
- echo "Usage: $0 disable [database|client-syslog|agentless|debug]"
- exit 1;
- fi
-}
-
-status()
-{
- RETVAL=0
- for i in ${DAEMONS}; do
- ## If ossec-maild is disabled, don't try to start it.
- if [ X"$i" = "Xossec-maild" ]; then
- grep "<email_notification>no<" ${DIR}/etc/ossec.conf >/dev/null 2>&1
- if [ $? = 0 ]; then
- continue
- fi
- fi
-
- pstatus ${i};
- if [ $? = 0 ]; then
- echo "${i} not running..."
- RETVAL=1
- else
- echo "${i} is running..."
- fi
- done
- exit $RETVAL
-}
-
-testconfig()
-{
- # We first loop to check the config.
- for i in ${SDAEMONS}; do
- ${DIR}/bin/${i} -t ${DEBUG_CLI};
- if [ $? != 0 ]; then
- echo "${i}: Configuration error. Exiting"
- unlock;
- exit 1;
- fi
- done
-}
-
-# Start function
-start()
-{
- SDAEMONS="${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-remoted ossec-syscheckd ossec-monitord"
-
- echo "Starting $NAME $VERSION..."
- echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1;
- if [ ! $? = 0 ]; then
- echo "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
- exit 1;
- fi
- lock;
- checkpid;
-
- # We actually start them now.
- for i in ${SDAEMONS}; do
-
- ## If ossec-maild is disabled, don't try to start it.
- if [ X"$i" = "Xossec-maild" ]; then
- grep "<email_notification>no<" ${DIR}/etc/ossec.conf >/dev/null 2>&1
- if [ $? = 0 ]; then
- continue
- fi
- fi
-
- pstatus ${i};
- if [ $? = 0 ]; then
- ${DIR}/bin/${i} ${DEBUG_CLI};
- if [ $? != 0 ]; then
- echo "${i} did not start correctly.";
- unlock;
- exit 1;
- fi
-
- echo "Started ${i}..."
- else
- echo "${i} already running..."
- fi
- done
-
- # After we start we give 2 seconds for the daemons
- # to internally create their PID files.
- sleep 2;
- unlock;
- echo "Completed."
-}
-
-pstatus()
-{
- pfile=$1;
-
- # pfile must be set
- if [ "X${pfile}" = "X" ]; then
- return 0;
- fi
-
- ls ${DIR}/var/run/${pfile}*.pid > /dev/null 2>&1
- if [ $? = 0 ]; then
- for j in `cat ${DIR}/var/run/${pfile}*.pid 2>/dev/null`; do
- ps -p $j |grep ossec >/dev/null 2>&1
- if [ ! $? = 0 ]; then
- echo "${pfile}: Process $j not used by ossec, removing .."
- rm -f ${DIR}/var/run/${pfile}-$j.pid
- continue;
- fi
-
- kill -0 $j > /dev/null 2>&1
- if [ $? = 0 ]; then
- return 1;
- fi
- done
- fi
-
- return 0;
-}
-
-stopa()
-{
- lock;
- checkpid;
- for i in ${DAEMONS}; do
- pstatus ${i};
- if [ $? = 1 ]; then
- echo "Killing ${i} .. ";
-
- kill `cat ${DIR}/var/run/${i}*.pid`;
- else
- echo "${i} not running ..";
- fi
- rm -f ${DIR}/var/run/${i}*.pid
- done
-
- unlock;
- echo "$NAME $VERSION Stopped"
-}
-
-### MAIN HERE ###
-
-case "$1" in
-start)
- testconfig
- start
- ;;
-stop)
- stopa
- ;;
-restart)
- testconfig
- stopa
- sleep 1;
- start
- ;;
-reload)
- DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
- stopa
- start
- ;;
-status)
- status
- ;;
-help)
- help
- ;;
-enable)
- enable $1 $2;
- ;;
-disable)
- disable $1 $2;
- ;;
-*)
- help
-esac
-
+++ /dev/null
-<!-- @(#) $Id: decoder.xml,v 1.166 2010/06/15 12:52:01 dcid Exp $
- - OSSEC log decoder.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!--
- - Allowed fields:
- - location - where the log came from (only on FTS)
- - srcuser - extracts the source username
- - dstuser - extracts the destination (target) username
- - user - an alias to dstuser (only one of the two can be used)
- - srcip - source ip
- - dstip - dst ip
- - srcport - source port
- - dstport - destination port
- - protocol - protocol
- - id - event id
- - url - url of the event
- - action - event action (deny, drop, accept, etc)
- - status - event status (success, failure, etc)
- - extra_data - Any extra data
- -->
-
-
-<!-- Pam decoder.
- - Will extract username and srcip whenever is possible.
- - Examples:
- - su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
- - su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
- - vsftpd(pam_unix)[25073]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.100.27.101
- - vsftpd(pam_unix)[25073]: check pass; user unknown
- - sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.110.184.100 user=root
- - su(pam_unix)[14592]: session opened for user news by (uid=0)
- - su(pam_unix)[14592]: session closed for user news
- - sshd(pam_unix)[13025]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.70.129.207 user=nobody
- - sshd(pam_unix)[18987]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=languedoc-2-81-56-82-49.fbx.proxad.net user=root
- - sshd(pam_unix)[17365]: session opened for user test by (uid=508)
- - sshd(pam_unix)[1345]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=222.237.79.237 user=root
- - sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0
- euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root
- - Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)
- - Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
- - Sep 28 15:28:58 server login: pam_unix(login:session): session opened for user carl by LOGIN(uid=0)
- - Sep 28 15:35:18 server sshd[123]: pam_unix(sshd:session): session opened for user carl by (uid=0)
- - Mar 29 00:42:09 server saslauthd[1230]: pam_succeed_if(smtp:auth): error retrieving information about user demo
- -->
-<decoder name="pam">
- <program_name>(pam_unix)$</program_name>
-</decoder>
-
-<decoder name="pam">
- <program_name></program_name>
- <prematch>^pam_unix|^\(pam_unix\)|^pam_succeed_if</prematch>
-</decoder>
-
-<decoder name="pam-user">
- <parent>pam</parent>
- <prematch>^session \w+ </prematch>
- <regex offset="after_prematch">^for user (\S+)</regex>
- <order>user</order>
-</decoder>
-
-<!--XXXX<decoder name="pam-user2">
- <parent>pam</parent>
- <prematch>^session \S+ </prematch>
- <regex>for user (\S+)</regex>
- <order>user</order>
-</decoder>
--->
-
-<decoder name="pam-host-user">
- <parent>pam</parent>
- <prematch>rhost=\S+\s+user=\S+</prematch>
- <regex>rhost=(\S+)\s+user=(\S+)</regex>
- <order>srcip, user</order>
-</decoder>
-
-<decoder name="pam-ruser">
- <parent>pam</parent>
- <prematch> ruser</prematch>
- <regex offset="after_prematch">^=(\S+) </regex>
- <order>user</order>
-</decoder>
-
-<decoder name="pam-ruser">
- <parent>pam</parent>
- <regex> rhost=(\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="pam-host">
- <parent>pam</parent>
- <prematch> rhost</prematch>
- <regex offset="after_prematch">^=(\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-
-<!-- SSH decoder.
- - Will extract username and srcip from the logs.
- - Only add to the FTS if the login was successful
- - If the login failed, just extract the username/srcip for correlation
- - Examples:
- - sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2
- - sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2
- - sshd[21405]: Accepted password for root from 192.1.1.1 port 6023 ssh2
- - sshd[21487]: Failed password for root from 192.168.1.1 port 1045 ssh2
- - sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
- - sshd[12675]: Failed password for invalid user lala11 from x.x.x.x ..
- - sshd[12914]: Failed password for invalid user lala6 from ...
- - sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
- - sshd[11259]: Invalid user abc from 127.0.0.1
- - "" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2
- - sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,
- - authenticated.
- - sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
- - sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch
- - failed - POSSIBLE BREAKIN ATTEMPT!
- - sshd[3251]: User root not allowed because listed in DenyUsers
- - [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
- - [Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 51.124.44.34] [Level 4] [UID -2] [GID -2] [Host test2-emac]
- - Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
- not allowed because not listed in AllowUsers
- - sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
- - Sep 4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
- - Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
- - Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
- - Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
- - Jun 9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
- - Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
- - Oct 8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
- - Oct 8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
- - Oct 8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
- - Oct 8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
- - Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
- - Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
- - Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
- - Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
- - Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
- - Nov 9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
- - Nov 2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
- - Nov 2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
- - Nov 6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
- - Nov 9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
- -->
-
-<decoder name="sshd">
- <program_name>^sshd</program_name>
-</decoder>
-
-<decoder name="sshd-success">
- <parent>sshd</parent>
- <prematch>^Accepted</prematch>
- <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
- <order>user, srcip</order>
- <fts>name, user, location</fts>
-</decoder>
-
-<decoder name="ssh-denied">
- <parent>sshd</parent>
- <prematch>^User \S+ from </prematch>
- <regex offset="after_parent">^User (\S+) from (\S+) </regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="sshd-success-solaris">
- <parent>sshd</parent>
- <prematch>^User </prematch>
- <regex offset="after_prematch">^(\S+), coming from (\S+), </regex>
- <order>user, srcip</order>
- <fts>name, user, location</fts>
-</decoder>
-
-<decoder name="ssh-kbd">
- <parent>sshd</parent>
- <prematch offset="after_parent">^Postponed keyboard-interactive|^Failed keyboard-interactive</prematch>
- <regex offset="after_prematch"> user (\S+) from (\S+) port (\d+) </regex>
- <order>user, srcip, srcport</order>
-</decoder>
-
-<decoder name="ssh-invfailed">
- <parent>sshd</parent>
- <prematch>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch>
- <regex offset="after_prematch">from (\S+) port \d+ \w+$</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-failed">
- <parent>sshd</parent>
- <prematch>^Failed \S+ </prematch>
- <regex offset="after_prematch">^for (\S+) from (\S+) port \d+</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="ssh-error">
- <parent>sshd</parent>
- <prematch>^error: PAM: Authentication \w+ </prematch>
- <regex offset="after_prematch">^for (\S+) from (\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="ssh-pam-error">
- <parent>sshd</parent>
- <prematch>^error: PAM: </prematch>
- <regex offset="after_prematch">user (\S+) from (\S+)</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="ssh-reverse-mapping">
- <parent>sshd</parent>
- <prematch>^reverse mapping checking </prematch>
- <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-invalid-user">
- <parent>sshd</parent>
- <prematch>^Invalid user|^Illegal user</prematch>
- <regex offset="after_prematch"> from (\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-scan">
- <parent>sshd</parent>
- <prematch>^scanned from</prematch>
- <regex offset="after_prematch"> (\S+) </regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-received">
- <parent>sshd</parent>
- <prematch>^Received disconnect </prematch>
- <regex offset="after_prematch">^from (\S+): |^from (\S+) </regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-disconnected">
- <parent>sshd</parent>
- <prematch>^Disconnected from invalid user</prematch>
- <regex offset="after_prematch">\S+ (\S+) </regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-connection">
- <parent>sshd</parent>
- <prematch>^Connection closed by </prematch>
- <regex offset="after_prematch">user (\S+) (\S+) </regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="ssh-negotiate">
- <parent>sshd</parent>
- <prematch>^Unable to negotiate with </prematch>
- <regex offset="after_prematch">^(\S+) port (\d+)</regex>
- <order>srcip, srcport</order>
-</decoder>
-
-<decoder name="ssh-protocol">
- <parent>sshd</parent>
- <prematch>^Protocol major versions differ for </prematch>
- <regex offset="after_prematch">^(\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<!--
-Jul 12 16:10:26 cloud sshd[14486]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 112.98.69.104 port 3533
-Jul 12 16:10:41 cloud sshd[14530]: Bad protocol version identification 'GET http://check2.zennolab.com/proxy.php HTTP/1.1' from 46.182.129.46 port 60866
-Jul 12 16:11:31 cloud sshd[14582]: Bad protocol version identification 'GET http://www.msftncsi.com/ncsi.txt HTTP/1.1' from 88.244.115.169 port 62240
-Jul 12 16:12:15 cloud sshd[14662]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 118.76.116.187 port 54513
-e.g. OpenSSH > 7.2:
-Sep 4 21:13:05 example sshd[12853]: Did not receive identification string from 192.168.0.1 port 33021
-e.g. OpenSSH <= 7.2:
-Sep 4 21:14:25 example sshd[18368]: Did not receive identification string from 192.168.0.1
--->
-
-<decoder name="ssh-scan2">
- <parent>sshd</parent>
- <prematch>^Did not receive identification |^Bad protocol version </prematch>
- <regex offset="after_prematch"> from (\S+)$| from (\S+) port (\d+)$</regex>
- <order>srcip,srcport</order>
-</decoder>
-
-<decoder name="ssh-osx-refuse">
- <parent>sshd</parent>
- <prematch>^refused connect </prematch>
- <regex offset="after_prematch">^from (\S+)$|^from \S+ \((\S+\w+)\)$|^from \S+ \((\S+::)\)$</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-closed">
- <parent>sshd</parent>
- <prematch>^Connection closed </prematch>
- <regex offset="after_prematch">^by (\S+)$</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ssh-disconnect">
- <parent>sshd</parent>
- <prematch>^Received disconnect </prematch>
- <regex offset="after_prematch">^from (\S+):</regex>
- <order>srcip</order>
-</decoder>
-
-<!--XXX
-<decoder name="ssh-pam">
- <parent>sshd</parent>
- <prematch>PAM: Module</prematch>
- <regex>for (\S+) from (\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="ssh-connect-to">
- <parent>sshd</parent>
- <prematch>connect_to</prematch>
- <regex>connect_to: (\S+) port (\d+):</regex>
- <order>dstip,dstport</order>
-</decoder>
--->
-
-<decoder name="sshd-ldap">
- <parent>sshd</parent>
- <prematch>^pam_ldap: </prematch>
- <regex>user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+"</regex>
- <order>user</order>
-</decoder>
-
-<decoder name="sshd-negotiate">
- <parent>sshd</parent>
- <prematch offset="after_parent">fatal: Unable to negotiate with </prematch>
- <regex offset="after_prematch">^(\S+) port (\d+): |^(\S+): </regex>
- <order>srcip, srcport</order>
-</decoder>
-
-<decoder name="sshd-pam-host-user">
- <parent>sshd</parent>
- <prematch>rhost=\S+\s+user=\S+</prematch>
- <regex>rhost=(\S+)\s+user=(\S+)</regex>
- <order>srcip, user</order>
-</decoder>
-
-<!--
-<decoder name="sshd-invalid">
- <parent>sshd</parent>
- <prematch>^input_user_auth_request: </prematch>
- <regex offset="after_prematch"> user (\S+)</regex>
- <order>user</order>
-</decoder>
--->
-
-<decoder name="sshd-exceed">
- <parent>sshd</parent>
- <prematch> exceeded for </prematch>
- <regex offset="after_prematch">(\S+) from (\S+) port (\d+) </regex>
- <order>user, srcip, srcport</order>
-</decoder>
-
-
-<!-- Dropbear rules -->
-<decoder name="dropbear">
- <program_name>^dropbear</program_name>
-</decoder>
-
-<!--
-Jan 8 16:39:33 tp.lan dropbear[14824]: Bad password attempt for 'root' from 193.219.28.149:48629
--->
-
-<decoder name="dropbear-bad-password">
- <parent>dropbear</parent>
- <prematch>password</prematch>
- <regex offset="after_prematch">for '(\S+)' from (\S+):\d+$</regex>
- <order>dstuser, srcip</order>
-</decoder>
-
-<!--
-Jan 8 19:54:12 tp.lan dropbear[15197]: Login attempt for nonexistent user from 182.72.89.122:4328
--->
-
-<decoder name="dropbear-nonexist">
- <parent>dropbear</parent>
- <prematch>nonexistent</prematch>
- <regex offset="after_prematch">from (\S+):\d+$</regex>
- <order>srcip</order>
-</decoder>
-
-<!--
-Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with key md5 78:d6:41:ca:78:37:80:88:1d:15:0a:68:91:d1:4e:ad from 10.10.10.241:51737
--->
-
-<decoder name="dropbear-from">
- <parent>dropbear</parent>
- <regex>(\S+) for '(\S+)' with key \S+ (\S+) from (\S+):\d+$</regex>
- <order>status,dstuser,extra_data,srcip</order>
-</decoder>
-
-<!--
- - Telnet decoder
- - Will extract the srcip
- - Examples:
- - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname:
- gethostbyname(131.1.satis-tl.ru) failed
- - May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27
- - Jun 1 23:02:07 queen telnetd[62948]: connect from external.example.net
- - Jun 1 23:02:07 queen telnetd[62948]: ttloop: read: A connection with a remote socket was reset by that socket.
- - Jun 2 09:54:28 valhalla in.telnetd[19723]: [ID 927837 local2.info] connect from external.example.net
- - Jun 2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop: peer died: Error 0
- -->
-<decoder name="telnetd">
- <program_name>^telnetd|^in.telnetd</program_name>
-</decoder>
-
-<decoder name="telnetd-ip">
- <parent>telnetd</parent>
- <regex>from (\S+)$</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!--
- - rshd decoder
- - Example message:
- - Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
- -->
-<decoder name="rshd">
- <program_name>^rshd$</program_name>
-</decoder>
-
-<decoder name="rshd-illegal-connection">
- <parent>rshd</parent>
- <regex>^Connection from (\S+) on illegal port$</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!--
- - cimserver decoder
- - Example messages:
- - Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
- - Dec 18 18:06:29 hostname cimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
- -->
-<decoder name="cimserver">
- <program_name>^cimserver$</program_name>
-</decoder>
-
-<decoder name="cimserver-failed-authentication">
- <parent>cimserver</parent>
- <prematch>^\w+: Authentication failed for user </prematch>
- <regex offset="after_prematch">^(\S+).$</regex>
- <order>user</order>
-</decoder>
-
-
-
-<!--
- - Samba decoder.
- - Will extract the username/srcip
- - Examples:
- - smbd[832]: Denied connection from (192.168.3.23)
- - smbd[832]: Connection denied from 0.0.0.0
- - smbd[17535]: Permission denied\-\- user not allowed to delete,
- pause, or resume print job. User name: ahmet. Printer name: prnq1.
- -->
-
-<decoder name="smbd">
- <program_name>^smbd</program_name>
-</decoder>
-
-<decoder name="smbd-user">
- <parent>smbd</parent>
- <prematch>User name:</prematch>
- <regex offset="after_prematch">^ (\S+).</regex>
- <order>user</order>
-</decoder>
-
-<decoder name="smbd-ip">
- <parent>smbd</parent>
- <regex> from \((\S+)\)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="smbd-from">
- <parent>smbd</parent>
- <prematch> from (\S+)$</prematch>
- <regex> from (\S+)$</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="smbd-client">
- <parent>smbd</parent>
- <prematch>to client \S+.</prematch>
- <regex>to client (\S+). </regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="nmbd">
- <program_name>^nmbd</program_name>
-</decoder>
-
-
-<!-- Sudo decoder.
- - Will extract the username
- - Examples:
- - Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
- - Apr 27 15:25:08 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
- - Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
- - Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
- - Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
- -->
-<decoder name="sudo">
- <program_name>^sudo</program_name>
- <regex>^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sCOMMAND=(\.+)$|</regex>
- <regex>^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sTSID=\S+\s;\sCOMMAND=(\.+)$</regex>
- <order>dstuser,url,srcuser,status</order>
- <fts>name,dstuser,location</fts>
- <ftscomment>First time user executed the sudo command</ftscomment>
-</decoder>
-
-<!-- Su decoder.
- - Will extract the username.
- - Examples:
- - su[2921936]: failed: ttyq4 changing from ldap to root
- - su[234]: BAD SU ger to fwmaster on /dev/ttyp0
- - su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
- - su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
- - Jul 5 12:17:38 lili su[2702]: - pts/5 ab-dc-root
- - Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root
- - su[29149]: + pts/5 dcid:root
- - SU 07/23 01:24 + pts/4 lcid-root
- - Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
- - 'su root' failed for chapman on /dev/pts/1
- -->
-<decoder name="su">
- <program_name>^su$</program_name>
-</decoder>
-
-<decoder name="su-detail">
- <parent>su</parent>
- <prematch>^'su </prematch>
- <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
- <order>dstuser, srcuser</order>
- <fts>name, srcuser, location</fts>
-</decoder>
-
-<decoder name="su-ldap">
- <parent>su</parent>
- <prematch>pam_ldap</prematch>
- <regex>user "uid=(\S+),</regex>
- <order>user</order>
-</decoder>
-
-<decoder name="su">
- <prematch>^SU \S+ \S+ </prematch>
- <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
- <order>srcuser, dstuser</order>
- <fts>name, srcuser, location</fts>
-</decoder>
-
-<decoder name="su-failed">
- <parent>su</parent>
- <prematch>^FAILED SU </prematch>
- <regex offset="after_prematch">^\(to (\S+) (\S+) on</regex>
- <order>dstuser, srcuser</order>
-</decoder>
-
-<decoder name="su-detail2">
- <parent>su</parent>
- <prematch> </prematch>
- <regex>^BAD SU (\S+) to (\S+) on|</regex>
- <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
- <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
- <order>srcuser, dstuser</order>
- <fts>name, srcuser, location</fts>
-</decoder>
-
-
-
-<!-- ProFTPD decoder.
- - Will extract the username/srcip
- - Examples:
- - proftpd[26916]: hayaletgemi (85.101.218.135[85.101.218.135]) - ANON anonymous: Login successful.
- - proftpd[12564]: juf01 (pD9EE35B1.dip.t-dialin.net[217.238.53.177]) - USER jufu: Login successful
- - proftpd[30362] xx.yy.zz (aa.bb.cc[aa.bb.vv.dd]): USER backup: Login successful.
- - proftpd[2344]: refused connect from 192.168.1.2 (192.168.1.2)
- - proftpd[15181]: valhalla (crawl-66-249-66-80.googlebot.com[66.249.66.80]) - Connection from crawl-66-249-66-80.googlebot.com [66.249.66.80] denied.
- - proftpd[26169] server.example.net: Fatal: unable to open incoming connection: Der Socket ist nicht verbunden
- -->
-<decoder name="proftpd">
- <program_name>^proftpd</program_name>
-</decoder>
-
-<decoder name="proftpd-success">
- <parent>proftpd</parent>
- <prematch>: Login successful</prematch>
- <regex>^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+): </regex>
- <regex>Login successful</regex>
- <order>srcip, user</order>
- <fts>name, user, srcip, location</fts>
-</decoder>
-
-<decoder name="proftpd-ip">
- <parent>proftpd</parent>
- <regex>^\S+ \(\S+[(\S+)]\)</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!-- Pure-FTPd decoder.
- - Will extract the username/srcip whenever possible.
- - Samples by Peter Ahlert <peter@ifup.de> (thanks!)
- - Examples:
- - pure-ftpd-wrapper[926]: connect from 1.1.0.1 (1.1.0.1)
- - pure-ftpd: (?@1.1.0.1) [INFO] New connection from 1.1.0.1
- - pure-ftpd: (abcde@1.1.0.1) [INFO] Can't change directory to /.test: Permission denied
- - pure-ftpd: (abcde@1.1.0.1) [INFO] Logout.
- - pure-ftpd: (?@59.150.14.54) [WARNING] Authentication failed for user [newuser]
- -->
-<decoder name="pure-ftpd">
- <program_name>^pure-ftpd</program_name>
-</decoder>
-
-<decoder name="pure-ftpd-login">
- <parent>pure-ftpd</parent>
- <prematch>^\S+ [INFO] \S+ is now logged in</prematch>
- <regex>^\(?@(\S+)\) [INFO] (\S+) is now logged in</regex>
- <order>srcip, user</order>
- <fts>name, user, srcip, location</fts>
-</decoder>
-
-<decoder name="pure-ftpd-generic">
- <parent>pure-ftpd</parent>
- <regex>^\((\S+)@(\S+)\) [</regex>
- <order>user,srcip</order>
-</decoder>
-
-<!-- Pure-FTPd transfer log decoder
- - Examples from ossec-list:
- - example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
- - example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
- -->
-
-<decoder name="pure-transfer">
- <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d \S\d\d\d\d] "\w+ \S+" </prematch>
- <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
- <order>extra_data,dstuser,action,url,status</order>
-</decoder>
-
-
-
-
-<!-- vsftpd decoder.
- - Will extract the srcip.
- - Examples:
- - Sun Jun 4 22:08:04 2006 [pid 21612] CONNECT: Client "192.168.2.10"
- - Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
- - Sun Jun 4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10"
- - Sun Jun 4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10"
- - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101"
- - Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
- - Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76"
- - Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
- - Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
- - Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"
-
-<decoder name="vsftpd">
- <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
- <regex offset="after_prematch">Client "(\S+)"$</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="vsftpd">
- <program_name>^vsftpd</program_name>
- <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
- <regex offset="after_prematch">Client "(\S+)"$</regex>
- <order>srcip</order>
-</decoder>
--->
-
-<!-- #####################################################
- Add by Omar MEZRAG - 0xFFFFFF
- ##################################################### -->
-
-<decoder name="vsftpd">
- <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
-</decoder>
-
-<decoder name="vsftpd">
- <program_name>^vsftpd</program_name>
- <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
-</decoder>
-
-<decoder name="vsftpd_login">
- <parent>vsftpd</parent>
- <prematch offset="after_parent"> LOGIN:</prematch>
- <regex offset="after_parent">[(\S+)] (\S+ LOGIN): Client "(\S+\w)"$</regex>
- <order>user,status,srcip</order>
-</decoder>
-
-<decoder name="vsftpd_connect">
- <parent>vsftpd</parent>
- <prematch offset="after_parent">^CONNECT:</prematch>
- <regex offset="after_parent">(CONNECT): Client "(\S+\w+)"$</regex>
- <order>action,srcip</order>
-</decoder>
-
-<decoder name="vsftpd_cmd">
- <parent>vsftpd</parent>
- <regex offset="after_parent">[(\S+)] (OK \S+): Client "(\S+)", "(\.+)"\.*</regex>
- <order>user,status,srcip,url</order>
-</decoder>
-
-<decoder name="vsftpd_default">
- <parent>vsftpd</parent>
- <regex offset="after_parent">Client "(\S+\w)"$</regex>
- <order>srcip</order>
-</decoder>
-
-
-<!-- FTPD decoder - Solaris, MacOS and Wu-ftpd).
- - Examples:
- - ftpd[811166]: refused connect from 88.225.42.182
- - in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
- - ftpd[31918]: FTPD: EXPORT file local , remote
- - Dec 21 12:21:20 hostname ftpd[323115]: login jones_b from client.example.org failed.
- -->
-<decoder name="ftpd">
- <program_name>^ftpd|^in.ftpd</program_name>
-</decoder>
-
-<decoder name="ftpd-mac-failure">
- <parent>ftpd</parent>
- <prematch>^Failed authentication from: \S+ |</prematch>
- <prematch>^repeated login failures from </prematch>
- <!--<regex offset="after_prematch">(\S+)</regex>-->
- <regex offset="after_prematch">^\S+ [(\S+)]$|^(\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ftpd-refused">
- <parent>ftpd</parent>
- <prematch>^FTP LOGIN REFUSED </prematch>
- <regex offset="after_prematch">[(\S+)]$</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ftpd-ip">
- <parent>ftpd</parent>
- <regex>from (\S+)$</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="ftpd-tru64">
- <parent>ftpd</parent>
- <prematch>^login \S+ from \S+ failed.</prematch>
- <regex>^login (\S+) from (\S+) failed.$</regex>
- <order>user, srcip</order>
-</decoder>
-
-
-
-<!-- Arpwatch decoder.
- - Will extract srcip/mac for "new station" messages.
- - Examples:
- - arpwatch: new station 192.168.1.103 0:11:43:5e:5d:80 eth0
- - arpwatch: bogon 172.16.150.149 0:2:b3:d6:e5:68 eth0
- - arpwatch: new station 192.168.2.10 0:c0:4f:78:32:be
- - arpwatch: pcap open re0: /dev/bpf0: Permission denied
- - arpwatch: reused old ethernet address 192.168.17.248 0:e:3b:a:cb:67 (0:1e:8c:72:b0:d0)
- -->
-<decoder name="arpwatch">
- <program_name>^arpwatch</program_name>
-</decoder>
-
-<decoder name="arpwatch-new">
- <parent>arpwatch</parent>
- <prematch>^new station |^bogon </prematch>
- <regex offset="after_prematch">^(\S+) (\S+)</regex>
- <order>srcip, extra_data</order>
- <fts>name, srcip, extra_data</fts>
-</decoder>
-
-
-
-<!-- MySQL decoder.
- - Examples:
- - MySQL log: 060516 22:38:46 mysqld started
- - MySQL log: 060516 22:38:46 mysqld ended
- - MySQL log: 070823 21:23:08 2 Query INSERT INTO signature(id, rule_id, level, description) VALUES (NULL, '18103','5','Windows error event.') ON DUPLICATE KEY UPDATE level='5'
- - 070824 11:33:51 6 Connect Access denied for user 'roota'@'localhost' (using password: YES)
- -->
-<decoder name="mysql_log">
- <prematch>^MySQL log:</prematch>
-</decoder>
-
-
-
-<!-- PostgreSQL decoder.
- - Examples:
- - [2007-08-31 18:37:09.454 ADT] 192.168.2.99: LOG: connection authorized: user=ossec_user database=ossecdb
- - [2007-08-31 18:37:15.525 ADT] 192.168.2.99: ERROR: relation "alert2" does not exist
- -->
-<decoder name="postgresql_log">
- <prematch>^[\d\d\d\d-\d\d-\d\d \S+ \w+] </prematch>
- <regex offset="after_prematch">^\S+ (\w+): </regex>
- <order>status</order>
-</decoder>
-
-
-
-<!-- Imapd decoder.
- - Will extract the username/srcip
- - Examples:
- - imapd[26888]: Login failed user=babadosfashion auth=babadosfashion host=bahiana.resenet.com.br [200.255.5.8]
- - imapd[21040]: Login failed user=root domain=(null) auth=root host=host29-141.poo
- l8249.interbusiness.it [82.49.141.29]
- - imapd[27113]: Authenticated user=badyy host=a.resenet.com.br [1.2.3.4]
- - imapd[27113]: Logout user=badyy host=a.resenet.com.br [1.2.3.4]
- -->
-<decoder name="imapd">
- <program_name>^imapd</program_name>
- <regex offset="after_prematch">user=(\S+) \.+ [(\S+)]$</regex>
- <order>user,srcip</order>
-</decoder>
-
-
-
-<!-- Vpopmail decoder. (by Ceg Ryan <cegryan ( at ) gmail.com>)
- - Examples:
- - vpopmail[32485]: vchkpw-pop3: password fail abc@example.com:x.x.x.x
- - vpopmail[32485]: vchkpw-2110 password fail abc@example.com:x.x.x.x
- - vchkpw-pop3: password fail (pass: 'test') user@my_domain:1.2.3.4
- - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@example.com:x.x.x.x
- - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
- -->
-<decoder name="vpopmail">
- <program_name>^vpopmail</program_name>
-</decoder>
-
-<decoder name="vpopmail-fail">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: password fail</prematch>
- <regex offset="after_prematch"> (\S+)@\S+:(\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="vpopmail-notfound">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: vpopmail user not </prematch>
- <regex offset="after_prematch">^found (\S+):(\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="vpopmail-empty">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: null password </prematch>
- <regex offset="after_prematch">^given (\S+):(\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="vpopmail-success">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: \(\S+\) login </prematch>
- <regex offset="after_prematch">^success (\S+):(\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-
-
-<!-- VM-POP3 - Virtual Mail Pop3
- - Examples:
- -->
-<decoder name="vm-pop3d">
- <program_name>^vm-pop3d</program_name>
-</decoder>
-
-<decoder name="vm-pop3d-fail">
- <parent>vm-pop3d</parent>
- <prematch>^User '</prematch>
- <regex offset="after_prematch">^(\S+)' - \w+ auth, </regex>
- <regex>from=(\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-
-
-<!-- Courier decoder
- - Examples:
- - pop3d-ssl: LOGIN FAILED, ip=[::ffff:192.168.0.200]
- - courierpop3login: LOGIN, user=web10_mauricio, ip=[::ffff:192.168.0.100]
- - courierpop3login: LOGIN FAILED, ip=[::ffff:192.168.0.188]
- - imaplogin: DISCONNECTED, ip=[::ffff:127.0.0.1], time=0
- - Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
- -->
-<decoder name="courier">
- <program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap</program_name>
-</decoder>
-
-<decoder name="courier-login">
- <parent>courier</parent>
- <prematch>^LOGIN, </prematch>
- <regex offset="after_prematch">^user=(\S+), ip=[(\S+)]$</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="courier-generic">
- <parent>courier</parent>
- <regex>, ip=[(\S+)]$</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!-- Dovecot Decoder
- - Will extract username, srcip and dstip when available.
- - Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled)
- - Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap'
- - Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down
- - dovecot: Jun 23 15:04:05 Info: imap-login: Login: user=<username>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5 Authentication Failure:
- - Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql(user@example.com,1.2.3.4): Password mismatch
- - dovecot: Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
- - dovecot: Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
- - dovecot: Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user
- - Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
- - Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
- - Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
- - dovecot: Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
- - dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
- - Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
- - Dec 19 17:40:57 ny dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 51 secs): user=<thousands>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<tlMSaQZE/JttycjJ>
- - Dec 19 17:30:39 ny dovecot: imap-login: Disconnected: Inactivity (auth failed, 7 attempts in 176 secs): user=<32>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203,session=<7QTLPAZEXrhtycjJ>
- - Dec 19 17:38:54 ny dovecot: pop3-login: Disconnected: Inactivity during authentication (auth failed, 13 attempts in 179 secs): user=<thousands>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<feETWgZEzJltycjJ>
- - Dec 19 17:20:08 ny dovecot: imap-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<i8uMIAZEDrdtycjJ>
--->
-
-<decoder name="dovecot">
- <program_name>^dovecot</program_name>
-</decoder>
-
-<decoder name="dovecot-success">
- <parent>dovecot</parent>
- <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
- <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$</regex>
- <order>user, srcip, dstip, protocol</order>
-</decoder>
-
-<decoder name="dovecot-aborted">
- <parent>dovecot</parent>
- <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
- <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), (\S*)$</regex>
- <order>user, srcip, dstip, protocol</order>
-</decoder>
-
-<decoder name="dovecot-fail">
- <parent>dovecot</parent>
- <prematch offset="after_parent">^auth\(default\)|auth-worker\(default\)</prematch>
- <regex offset="after_prematch">^: \S+\((\S+),(\S+)\)</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="dovecot-authfailed">
- <parent>dovecot</parent>
- <prematch offset="after_parent">^\w\w\w\w-login:</prematch>
- <regex offset="after_prematch">\(auth failed, \d+ attempts in \d+ secs\): user=\p(\S+)\p, method=\w+, rip=(\S+), lip=(\S+)</regex>
- <order>user,srcip,dstip</order>
-</decoder>
-
-<decoder name="dovecot-disconnect">
- <parent>dovecot</parent>
- <prematch offset="after_parent">^\w\w\w\w-login: Disconnected: </prematch>
- <regex offset="after_prematch">^rip=(\S+), lip=(\S+)</regex>
- <order>srcip, dstip</order>
-</decoder>
-
-<decoder name="dovecot-info">
- <program_name>^Info$|^Warn$</program_name>
-</decoder>
-
-<decoder name="imap-login-login">
- <parent>dovecot-info</parent>
- <prematch>imap-login</prematch>
- <regex offset="after_parent">Login: user=(\S+), method=\.+, rip=(\S+), lip=(\S+) </regex>
- <order>user, srcip, dstip</order>
-</decoder>
-
-<decoder name="dovecot-info-auth">
- <parent>dovecot-info</parent>
- <regex offset="after_parent">auth\(\.+\): \S+\((\S+),(\S+)\):</regex>
- <order>user, srcip</order>
-</decoder>
-
-
-<!-- Named decoder.
- - Will extract the srcip
- - Examples:
- - valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
- - named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
- - Oct 22 10:12:33 junction named[31687]: /etc/blocked.slave:9892: syntax error near ';'
- - Oct 22 10:12:33 junction named[31687]: reloading configuration failed: unexpected token
- -->
-<decoder name="named">
- <program_name>^named</program_name>
-</decoder>
-
-<decoder name="named-query">
- <parent>named</parent>
- <prematch>: query </prematch>
- <regex>client (\S+)#\d+\s*\S*: </regex>
- <order>srcip,url</order>
-</decoder>
-
-<decoder name="named-query">
- <parent>named</parent>
- <regex>query: (\S+) IN|query \S+ '(\S+)/</regex>
- <order>url</order>
-</decoder>
-
-<decoder name="named_client">
- <parent>named</parent>
- <prematch>^client </prematch>
- <regex offset="after_prematch">^(\S+)#</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="named_from">
- <parent>named</parent>
- <regex offset="after_parent"> from [(\S+)]</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="named-master">
- <parent>named</parent>
- <prematch> for master</prematch>
- <regex>for master (\S+):(\d+) \S+ \(source (\S+)#d+\)$</regex>
- <order>dstip,dstport,srcip</order>
-</decoder>
-
-
-<!-- Postfix decoder.
- - Will extract the srcip
- - Examples:
- - postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554
- <ce101@ce.metu.edu.tr>: Relay access denied; from=<kryonomm@yahoo.com>
- to=<e10445@jubiipost.dk> proto=SMTP helo=<SM01.net>
- - postfix/smtpd[27712]: NOQUEUE: reject: MAIL from localhost[127.0.0.1]: 452 Insufficient system storage
- -->
-
-<decoder name="postfix">
- <program_name>^postfix</program_name>
-</decoder>
-
-<decoder name="postfix-reject">
- <use_own_name>true</use_own_name>
- <parent>postfix</parent>
- <prematch>^NOQUEUE: reject: \w\w\w\w from </prematch>
- <regex offset="after_prematch">[(\S+)]:\d+: (\d+) |[(\S+)]:(\d+): |[(\S+)]: (\d+) |[(\S+)]:(\d+): </regex>
- <order>srcip,id</order>
-</decoder>
-
-<decoder name="postfix-sasl">
- <parent>postfix</parent>
- <prematch>^warning: \S+: SASL </prematch>
- <regex>^warning: \S+[(\S+)]:</regex>
- <order>srcip</order>
-</decoder>
-
-
-<!-- Sendmail decoder.
- - Will extract the srcip
- - Examples:
- - sendmail[15806618]: k1SN9pkK15806618: ruleset=check_mail, arg1=<rtreter@qffff.com>,
- - relay=dsl.static81215198185.ttnet.net.tr [81.215.198.185] (may be forged), reject=553 5.1.8
- - <rtreter@qffff.com>... Domain of sender address rtreter@qffff.com does not exist
- - sm-msp-queue[13484]: k5TKj6L5012934: to=root, ctladdr=root (0/0), delay=00:04:00, xdelay=00:00:00, mailer=relay, pri=120112, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
- - sendmail[7735]: [ID 801593 mail.notice] k856Hah0007735: ruleset=check_rcpt, arg1=<sc@sd.com>, relay=[216.22.33.7], reject=553 5.3.0 <sc@sd.com>... Spammer 216.22.33.7 usergl@displaytoward.net rejected by RBL:http://www.spamhaus.org/
- - sm-mta[23868]: k9BEQK0c023868: rejecting commands
- from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic
- - sendmail[7818]: j6KKHo2d007818: rejecting commands from sv.e103gng.com [66.62.19.10] due to pre-greeting traffic
- -->
-<decoder name="sendmail-reject">
- <program_name>^sendmail|^sm-mta|^sm-msp-queue</program_name>
-</decoder>
-
-<decoder name="sendmail-pre-greeting">
- <parent>sendmail-reject</parent>
- <prematch>^\S+: rejecting commands from</prematch>
- <regex offset="after_prematch">^ \S+ [(\S+)]</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="sendmail-reject-nodns">
- <parent>sendmail-reject</parent>
- <prematch>relay=[</prematch>
- <regex offset="after_prematch">^(\S+)]</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="sendmail-reject-dns">
- <parent>sendmail-reject</parent>
- <prematch>relay=\S+ [</prematch>
- <regex offset="after_prematch">^(\S+)]</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-
-<!-- SMF-SAV Sendmail Milter decoder.
- - Will extract the srcip
- - Examples:
- - smf-sav[513]: [ID 987462 mail.notice] sender check failed: <xkyjywqvophshu@mypersonalemail.com>, 125.133.22.112, [125.133.22.112], [00:00:01]
- - smf-sav[513]: [ID 407019 mail.info] sender check succeeded (cached): <asterisk-users-bounces@lists.digium.com>, 216.207.245.17, lists.digium.com
- - smf-sav[513]: [ID 987894 mail.notice] sender check tempfailed: <31363****-org@targetedpages.com>, 69.8.190.101, smtp101.tramailer.info, [00:00:05]
- - smf-sav[1883]: sender check tempfailed (cached): <k@vooC7b>, 87.103.236.97, [87.103.236.97]
- - smf-sav[1883]: sender check failed (cached): <clahaiclahai@email.iis.com.br
- >, 91.146.176.140, pool176-140.cable.tolna.net
- -->
-<decoder name="smf-sav-reject">
- <program_name>^smf-sav</program_name>
- <prematch>^sender check failed|</prematch>
- <prematch>^sender check tempfailed</prematch>
- <regex offset="after_prematch">^ \(cached\): \S+, (\S+),|</regex>
- <regex>^: \S+, (\S+),</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!-- Mail scanner
- - Will extract the srcip/action
- - Examples:
- - MailScanner[24112]: Message k7B9Mc6b015925 from
- 68.171.145.34 (nilsenator@hotmail.com) to yyyyy.no is spam, SpamAssassin
- - May 3 16:28:40 jarjar MailScanner[4732]: Message k436SX2M005191 from
- 111.222.111.222 (david@our.domain.org) to our.domain.org is spam
- , SpamAssassin
- - MailScanner[5317]: Message k436dCIW005370 from
- 111.222.111.222 (david@our.domain.org) to another.domain.org is not s
- pam, SpamAssassin
- - MailScanner[29107]: Message j0EMandY027564 from xxx.xxx.xxx.xxx(xxxxx@xxxxx.ie) to xxxxx.ie is not spam
- -->
-<decoder name="mailscanner">
- <program_name>^MailScanner</program_name>
-</decoder>
-
-<decoder name="mailscanner-ip">
- <parent>mailscanner</parent>
- <prematch>^Message \S+ from </prematch>
- <regex offset="after_prematch">^(\S+) \S+ to \S+ is (\w+)</regex>
- <order>srcip, action</order>
-</decoder>
-
-
-<!-- OpenBSD smtpd decoders -->
-
-<decoder name="smtpd">
- <program_name>^smtpd</program_name>
-</decoder>
-
-<decoder name="smtpd-client">
- <parent>smtpd</parent>
- <prematch offset="after_parent">^client</prematch>
- <regex>^client (\S+) </regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="smtpd-relay">
- <parent>smtpd</parent>
- <prematch>relay=</prematch>
- <regex>relay=\S+ [(\S+)], </regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="smtpd-in">
- <parent>smtpd</parent>
- <prematch offset="after_parent">^smtp-in: </prematch>
- <regex offset="after_prematch">^(\S+) </regex>
- <order>status</order>
-</decoder>
-
-<decoder name="smtpd-in">
- <parent>smtpd</parent>
- <regex> => (\d+) </regex>
- <order>action</order>
-</decoder>
-
-
-<!-- Iptables decoder.
- - Will extract the srcip, dstip, srcport, dstport, protocol
- - Examples:
- - kernel: FIREWALL_OUT IN= OUT=eth0
- SRC=192.168.6.57 DST=216.161.248.225 LEN=40 TOS=0x00 PREC=0x00 TTL=64
- ID=18547 DF PROTO=TCP SPT=46388 DPT=37628 WINDOW=6930 RES=0x00 ACK RST
- URGn=0
- - kernel: IPTABLE IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:93:db:2e:b4:08:00
- SRC=10.4.11.40 DST=255.255.255.255 LEN=180 TOS=0x00 PREC=0x00 TTL=64
- ID=4753 PROTO=UDP SPT=49320 DPT=2222 LEN=160
- - kernel: [4475569.016000] IN= OUT=lo SRC=192.168.2.11 DST=192.168.2.11
- LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=49546 DF PROTO=TCP SPT=43068
- DPT=22 WINDOW=8192 RES=0x00 ACK URGP=0
- - Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229
- -->
-<decoder name="iptables">
- <program_name>^kernel</program_name>
-</decoder>
-
-<decoder name="iptables-1">
- <parent>iptables</parent>
- <type>firewall</type>
- <prematch>^[\d+.\d+] \S+ IN=</prematch>
-
- <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
- <regex> \.+ PROTO=(\w+) </regex>
- <order>action,srcip,dstip,protocol</order>
-</decoder>
-
-<decoder name="iptables-1">
- <parent>iptables</parent>
- <type>firewall</type>
- <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
- <order>srcport,dstport</order>
-</decoder>
-
-<decoder name="iptables-2">
- <parent>iptables</parent>
- <type>firewall</type>
- <prematch>^\S+ IN=</prematch>
-
- <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
- <regex>PROTO=(\w+) </regex>
- <order>action,srcip,dstip,protocol</order>
-</decoder>
-
-<decoder name="iptables-2">
- <parent>iptables</parent>
- <type>firewall</type>
- <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
- <order>srcport,dstport</order>
-</decoder>
-
-<decoder name="iptables-shorewall">
- <parent>iptables</parent>
- <type>firewall</type>
- <prematch>^Shorewall:\S+:</prematch>
-
- <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
- <regex>PROTO=(\w+) </regex>
- <order>action,srcip,dstip,protocol</order>
-</decoder>
-
-<decoder name="iptables-shorewall">
- <parent>iptables</parent>
- <type>firewall</type>
- <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
- <order>srcport,dstport</order>
-</decoder>
-
-<decoder name="iptables-shorewall2">
- <parent>iptables</parent>
- <type>firewall</type>
- <prematch>^\p\S+\p Shorewall:\S+:</prematch>
- <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
- <regex>PROTO=(\w+) </regex>
- <order>action,srcip,dstip,protocol</order>
-</decoder>
-
-
-<!-- Solaris IPFilter decoder.
- - Will extract the action, srcip, srcport, dstip, dstport
- - Examples:
- - ipmon[11523]: [ID 702911 local0.warning] 09:30:39.300795 3x ce0 @0:1
- b 10.4.0.25,43873 -> 10.4.122.243,22 PR tcp len 20 100 -AP IN
- - ipmon[11523]: [ID 702911 local0.warning] 09:31:53.285032 hme0 @0:1
- b 10.4.122.243,138 -> 255.255.255.255,138 PR udp len 20 229 IN mbcast
- - ipmon[11523]: [ID 702911 local0.notice] 09:30:40.398290 ce0 @0:14
- p 10.4.122.243,123 -> 10.4.122.16,123 PR udp len 20 76 K-S OUT
- -->
-<decoder name="ipfilter">
- <type>firewall</type>
- <program_name>^ipmon</program_name>
- <regex> (\w) (\S+),(\d+) -> </regex>
- <regex>(\S+),(\d+) PR (\w+) </regex>
- <order>action,srcip,srcport,dstip,dstport,protocol</order>
-</decoder>
-
-
-<!-- AIX IPSec decoder.
- - Will extract the action,srcip,dstip,protocol,srcport,dstport
- - Examples:
- - ipsec_logd: #:3 R:p I:10.0.0.99 S:10.0.0.82 D:10.0.0.99
- P:tcp/ack SP:50349 DP:22 R:l I:en0 F:n T:0 L:88
- - ipsec_logd: #:1 R:p O:10.0.0.99. S:10.0.0.99 D:10.0.0.25
- P:udp SP:2063 DP:53 R:l I:en0 F:n T:0 L:81
- -->
-<decoder name="aix-ipsec">
- <type>firewall</type>
- <program_name>^ipsec_logd</program_name>
- <regex> R:(\w) \w:\S+ S:(\S+) </regex>
- <regex>D:(\S+) P:(\S+) SP:(\d+) DP:(\d+) </regex>
- <order>action,srcip,dstip,protocol,srcport,dstport</order>
-</decoder>
-
-
-
-<!-- OpenBSD pf decoder (as a plugin - compiled).
- - Will extract the action,srcip,dstip,protocol,srcport,dstport
- - Examples:
- - Mar 30 15:33:26 enigma pf: Mar 30 15:32:33.483712 rule 2/(match) pass in on xl0: 140.211.166.3.6667 > 192.168.2.10.16290: P 7408:7677(269) ack 1773 win 2520 <nop,nop,timestamp 3960674784 2860123562> (DF)
- - Mar 30 15:47:05.522341 rule 4/(match) block in on lo0: 127.0.0.1.48784 > 127.0.0.1.23: S 1381529123:1381529123(0) win 16384 <mss 33184,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF) [tos 0x10]
- - Mar 30 15:54:22.171929 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 73
- - Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 89
-
- -->
-<decoder name="pf">
- <type>firewall</type>
- <program_name>^pf$</program_name>
- <plugin_decoder>PF_Decoder</plugin_decoder>
-</decoder>
-
-
-
-<!-- SonicWall decoder.
- - Will extract action, srcip, dstip, protocol, srcport and dstport
- - Examples:
- - Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
- - Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
- - id=firewall sn=00301E0526B1 time="2004-04-01 10:39:35"
- fw=67.32.44.2 pri=5 c=64 m=36 msg="TCP connection dropped" n=2686 src=67.101.200.27:4507:WAN dst=67.32.44.2:445:LAN rule=0
- -->
-<decoder name="sonicwall">
- <type>firewall</type>
- <prematch>^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d </prematch>
- <plugin_decoder>SonicWall_Decoder</plugin_decoder>
-</decoder>
-
-
-
-<!-- Netscreen Firewall decoder.
- - Will extract the action,srcip,dstip,protocol,srcport,dstport
- - Examples:
- - Jan 1 10:02:11 xx ns5gt: NetScreen device_id=ns5gt [No Name]system-notification-00257(traffic): start_time="2006-01-01 10:09:38" duration=0 policy_id=310101 service=tcp/port:1526 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=38 src=10.1.2.3 dst=10.1.1.1 src_port=51350 dst_port=1426
- - <13>Mar 16 15:27:56 192.168.2.1 ns5gt: NetScreen device_id=ns5gt [No Name]system-notification-00257(traffic): start_time=\"2004-03-16 16:31:22\" duration=0 policy_id=310001 service=tcp/port:120 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=60 src=10.1.1.1 dst=10.1.2.1 src_port=32047 dst_port=22
- - Jun 2 11:24:16 fire00 sav00: NetScreen device_id=sav00 [Root]system-critical-00436: Large ICMP packet! From 210.232.20.7 to 148.100.114.126, proto 1 (zone Untrust, int ethernet1/2). Occurred 1 times. (2006-06-02 11:24:16)
- - NetScreen device_id=ns5gt [Root]system-critical-00027: Multiple login failures occurred for user netscreen from IP address 1.2.3.4:1567 (2004-10-07)
- -
- - ** Program name for netscreen is empty, since it is the hostname.
- -->
-<decoder name="netscreenfw">
- <program_name />
- <prematch>^NetScreen device_id</prematch>
-</decoder>
-
-<decoder name="netscreenfw-traffic">
- <parent>netscreenfw</parent>
- <type>firewall</type>
-
- <prematch offset="after_parent">system-notification-00257</prematch>
- <prematch>\(traffic\): </prematch>
-
- <regex offset="after_prematch"> proto=(\w+) \.+action=(\w+) </regex>
- <regex>\.+src=(\S+) dst=(\S+) src_port=(\d+) dst_port=(\d+)</regex>
- <order>protocol, action, srcip, dstip, srcport, dstport</order>
-</decoder>
-
-<decoder name="netscreenfw-critical">
- <parent>netscreenfw</parent>
- <prematch offset="after_parent">system-critical-\.+ from |</prematch>
- <prematch>system-alert-\.+ from |</prematch>
- <prematch>system-emergency-\.+ From </prematch>
-
- <regex offset="after_parent">system-(\w+)-(\d+): \.+ </regex>
- <regex>from\.+(\S+)</regex>
- <order>action, id, srcip</order>
-</decoder>
-
-<decoder name="netscreenfw-admin">
- <parent>netscreenfw</parent>
- <regex offset="after_parent">system-(\w+)-(\d+):</regex>
- <order>action, id</order>
-</decoder>
-
-
-<!-- Pix decoder.
- - Will extract the srcip, srcport, dstip and dstport whenever possible.
- - Examples:
- - %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK
- - %PIX-2-106001: Inbound TCP connection denied from 165.139.46.7/3854 to 165.189.27.70/139 flags
- - %PIX-3-106010: Deny inbound tcp src outside:213.98.79.233/2620 dst dmz:213.98.254.145/135
- - %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.2.1/137
- dst outside:192.168.2.14/137
- - %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.100.7.43/80 dst
- inside:10.100.4.71/2285
- - %PIX-3-710003: TCP access denied by ACL from 216.39.220.130/54065 to outside:62.192.113.98/ssh
- - %PIX-7-710001: TCP access requested from X.X.X.X/1292 to outside:Y.Y.Y.Y/ssh
- - %PIX-7-710002: UDP access permitted from 33.33.33.4/943 to inside:33.33.33.15/snmp
- - %PIX-7-710005: UDP request discarded from <public IP of 525>/4500 to outside:192.168.69.137/4500
- - %PIX-2-106002 protocol Connection denied by outbound list acl_ID src inside_address dest outside_address
- - %PIX-2-106002: udp connection denied by outbound list 30 src 216.53.120.62 138 dest 169.132.10.82 138
- - %PIX-4-106023: Deny tcp src inside:111.11.11.1/2143 dst YYY:172.11.1.11/139 by access-group "inside_inbound"
- - %PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
- - %PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on
- interface vpn
- - %PIX-7-710002: TCP access permitted from 10.0.0.1/60749 to db:10.0.0.2/ssh
- - %PIX-6-305012: Teardown dynamic UDP translation from inside:1.1.1.1/12 to outside:1.2.1.2/11 duration 0:00:11.
- - %PIX-3-305005: No translation group found for icmp src outside:x.x.x.x dst inside:x.x.x.x (type 3, code 0)
- - %ASA-2-106001: Inbound TCP connection denied from 1.2.3.4/1234 to 213.207.99.248/445 flags SYN on interface outside (Message repeated 2 times)
- - %PIX-6-605005: Login permitted from 192.168.1.2/2953 to inside:192.168.1.1/telnet for user ""
- - %PIX-6-605004: Login denied from 192.168.2.10/32597 to outside:192.168.2.14/ssh for user "root"
- - %PIX-6-305011: Built dynamic UDP translation from inside:192.168.1.2/1026 to outside:192.168.2.14/1163
- - %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.3/54946 to outside:192.168.2.14/1033
- - %PIX-6-302015: Built outbound UDP connection 156 for outside:192.168.2.10/1514 (192.168.2.10/1514) to inside:192.168.1.2/1026 (192.168.2.14/1163)
- -->
-<decoder name="pix">
- <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
- <prematch>^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-|</prematch>
- <prematch>^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-</prematch>
-</decoder>
-
-<decoder name="pix-fw1">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^2-106001</prematch>
- <regex offset="after_parent">^(\S+): \w+ (\w+) \S+ (\S+) from </regex>
- <regex>(\S+)/(\S+) to (\S+)/(\S+)</regex>
- <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-<decoder name="pix-fw2">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^3-710003|^7-710002|^7-710005</prematch>
- <regex offset="after_parent">^(\S+): (\S+) \w+ (\w+) \.+from </regex>
- <regex>(\S+)/(\S+) to \w+:(\S+)/(\S+)</regex>
- <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-<decoder name="pix-fw3">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^4-106023</prematch>
- <regex offset="after_parent">^(\S+): (\w+) (\w+) src \w+:</regex>
- <regex>(\S+)/(\S+) dst \w+:(\S+)/(\S+)</regex>
- <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-<decoder name="pix-fw4">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^4-106019</prematch>
- <regex offset="after_parent">^(\S+): IP packet from (\S+) to </regex>
- <regex>(\S+), protocol (\w+) (\w+) </regex>
- <order>id, srcip, dstip, protocol, action</order>
-</decoder>
-
-<decoder name="pix-fw5">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^2-106006|^2-106007</prematch>
- <regex offset="after_parent">^(\S+): (\w+) \S+ (\w+) from </regex>
- <regex>(\S+)/(\d+) to (\S+)/(\d+) </regex>
- <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-<decoder name="pix-fw6">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^6-106015</prematch>
- <regex offset="after_parent">^(\S+): (\w+) (\w+) \S+ \S+ (\S+) from </regex>
- <regex>(\S+)/(\S+) to (\S+)/(\S+)</regex>
- <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-<decoder name="pix-fw7">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^6-305012</prematch>
- <regex offset="after_parent">^(\S+): (\w+) \w+ (\w+) translation </regex>
- <regex>from \w+:(\S+)/(\d+) to \w+:(\S+)/(\d+) </regex>
- <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-<decoder name="pix-fw8">
- <parent>pix</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^3-106011|^3-106010</prematch>
- <regex offset="after_parent">^(\S+): (\w+) \.+ (\w+) src </regex>
- <regex>\w+:(\S+)/(\d+) dst \w+:(\S+)/(\d+)</regex>
- <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-<decoder name="pix-url-success">
- <parent>pix</parent>
- <prematch offset="after_parent">^5-304001: </prematch>
- <regex offset="after_parent">^(\S+): (\S+) Accessed URL </regex>
- <regex>(\S+):(http\w*://\.+)|</regex>
- <regex>^(\S+): (\S+) Accessed URL (\S+):</regex>
- <order>id, srcip, dstip, url</order>
-</decoder>
-
-<decoder name="pix-url-deny">
- <parent>pix</parent>
- <prematch offset="after_parent">^5-304002: </prematch>
- <regex offset="after_parent">^(\S+): Access (denied) URL (http\w*://\.+) </regex>
- <regex>SRC (\S+) DEST (\S+) on interface</regex>
- <order>id, action, url, srcip, dstip</order>
-</decoder>
-
-<decoder name="pix-attacks">
- <parent>pix</parent>
- <prematch offset="after_parent">^2-106012: |^2-106017: |</prematch>
- <prematch>^2-106020|^1-106021|^1-106022|</prematch>
- <prematch>^4-4000</prematch>
- <regex offset="after_parent">^(\S+): \.+ from (\S+) </regex>
- <order>id, srcip</order>
-</decoder>
-
-<decoder name="pix-srcip">
- <parent>pix</parent>
- <prematch offset="after_parent">^6-308001</prematch>
- <regex offset="after_parent">^(\S+): \.+ (\S+)</regex>
- <order>id, srcip</order>
-</decoder>
-
-<decoder name="pix-srcip-port">
- <parent>pix</parent>
- <prematch offset="after_parent">^6-605004|^6-605005</prematch>
- <regex offset="after_parent">^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\w+)"</regex>
- <order>id, action, srcip, srcport, user</order>
-</decoder>
-
-<decoder name="pix-generic">
- <parent>pix</parent>
- <regex offset="after_parent">^(\S+): </regex>
- <order>id</order>
-</decoder>
-
-
-
-<!-- Cisco VPN Concentrator
- - Will extract srcip and username.
- - Examples:
- -
- - Jan 8 09:10:37 vpn.example.com 11504 01/08/2007 09:10:37.780 SEV=3 AUTH/5 RPT=124 192.168.0.1 Authentication rejected: Reason = Unspecified handle = 805, server = auth.example.com, user = testuser, domain = <not specified>
- 11504 01/08/2007 09:10:37.780 SEV=3
- -->
-<decoder name="cisco-vpn-concentrator">
- <prematch>^\d+ \d\d/\d\d/\d\d\d\d \S+ SEV=\d </prematch>
- <regex offset="after_prematch">^(\S+) RPT=\d+ (\S+) </regex>
- <order>id, srcip</order>
-</decoder>
-
-
-
-<!-- Snort decoder.
- - Will extract the id, srcip and dstip
- - Examples:
- - snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information
- Leak] [Priority: 2]: {ICMP} 10.4.12.26 -> 10.4.10.231
- - snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information
- Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162
- - [**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
- [Classification: Web Application Attack]
- [Priority: 1] 10.4.12.26:34041 -> 66.179.53.37:80
- - [**] [1:1421:11] SNMP AgentX/tcp request [**]
- [Classification: Attempted Information Leak] [Priority: 2]
- 10.4.3.20:626 -> 10.4.10.161:705
- - [**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
- [Classification: Potentially Bad Traffic] [Priority: 2]
- {UDP} 192.168.20.32 -> 192.168.20.2
- -->
-
-<decoder name="snort">
- <program_name>^snort</program_name>
-</decoder>
-
-<decoder name="snort">
- <type>ids</type>
- <prematch>^[**] [\d+:\d+:\d+] </prematch>
-</decoder>
-
-<decoder name="snort2">
- <parent>snort</parent>
- <type>ids</type>
- <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
- <regex>^[**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> </regex>
- <regex>(\S+)|^[(\d+:\d+:\d+)] \.+ </regex>
- <regex>(\S+)\p*\d* -> (\S+)</regex>
- <order>id,srcip,dstip</order>
- <fts>name,id,srcip,dstip</fts>
-</decoder>
-
-<decoder name="snort3">
- <parent>snort</parent>
- <type>ids</type>
- <prematch>^[Drop] [**] |^[\d+:\d+:\d+] </prematch>
- <regex>^[Drop] [**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> </regex>
- <regex>(\S+)|^[(\d+:\d+:\d+)] \.+ </regex>
- <regex>(\S+)\p*\d* -> (\S+)</regex>
- <order>id,srcip,dstip</order>
- <fts>name,id,srcip,dstip</fts>
-</decoder>
-
-
-<!-- OpenBSD isakmpd decoders -->
-
-<decoder name="isakmpd">
- <program_name>^isakmpd</program_name>
-</decoder>
-
-<decoder name="isakmpd-from">
- <parent>isakmpd</parent>
- <prematch>message from </prematch>
- <regex>from (\S+) port (\d+)</regex>
- <order>srcip,srcport</order>
-</decoder>
-
-<decoder name="isakmpd-peer">
- <parent>isakmpd</parent>
- <prematch>from peer</prematch>
- <regex>from peer (\S+):(\d+)$</regex>
- <order>srcip,srcport</order>
-</decoder>
-
-
-
-<!-- Suhosin decoder.
- - Will extract the attack name and srcip.
- - Examples:
- - suhosin[76366]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '200.139.164.149', file 'xyz')
- - suhosin[24239]: ALERT - configured request variable value length limit exceeded - dropped variable 'introtext' (attacker '192.168.1.2', file '/var/www/site/administrator/index2.php')
- - suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php')
- -->
-<decoder name="suhosin">
- <program_name>^suhosin</program_name>
- <type>ids</type>
- <regex>^ALERT - (\.+) \(attacker '(\S+)', </regex>
- <order>id, srcip</order>
- <fts>name, location, id</fts>
-</decoder>
-
-
-
-<!-- Dragon Decoder
- - Will extract srcip, dstip and id
- - Examples:
- - 2007-02-24 00:07:30|xx-ids|MS:MDTC-DOS|1.2.3.4|5.6.7.8|123|456|I||6|tcp,xx
- -
- -->
-<decoder name="dragon-nids">
- <type>ids</type>
- <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\|</prematch>
- <regex offset="after_prematch">^\S+\|(\S+)\|</regex>
- <regex>(\S+)\|(\S+)\|</regex>
- <order>id, srcip, dstip</order>
- <fts>name, id, srcip, dstip</fts>
-</decoder>
-
-
-
-<!-- Horde decoder
- - Will extract: username and srcip.
- - Examples:
- - [notice] [imp] Login success for raphaelv@xx [100.121.170.41] to {a.b.c:143} [on line 92 of "/home/webmail/horde/imp/redirect.php"]
- - [error] [imp] FAILED LOGIN 210.179.154.213 to xxx:143[imap] as mala1
- -->
-<decoder name="horde_imp">
- <prematch>^[\w+] [imp] |^[\w+] [horde] </prematch>
-</decoder>
-
-<decoder name="horde_imp_success">
- <parent>horde_imp</parent>
- <prematch offset="after_parent">^Login success </prematch>
- <regex offset="after_prematch">^for (\S+) [(\S+)] </regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="horde_imp_failed">
- <parent>horde_imp</parent>
- <prematch offset="after_parent">^FAILED LOGIN</prematch>
- <regex offset="after_prematch">^ (\S+) to \S+ as (\S+) </regex>
- <order>srcip, user</order>
-</decoder>
-
-
-
-<!-- Wordpress decoder.
- - It needs the WPsyslog2 plugin.
- - Examples:
- - WPsyslog[14382]: [127.0.0.1 na] Info: User authentication failed. User name: lala
- - WPsyslog[14382]: [127.0.0.1 na] Info: User logged in. User name: admin (admin).
- - wpcore[14554]: [127.0.0.1 na] http://megasite.com/wordpress Info: User authentication failed. User name: qwe.
- -->
-<decoder name="wordpress">
- <program_name>^WPsyslog|^wpcore</program_name>
- <prematch>^[</prematch>
- <regex offset="after_prematch">^(\S+) </regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!-- Roundcube decoder
- - Will extract username and src IP from the logs, when available.
-
- Examples syslog: (older and newer versions of roundcube)
- - Apr 10 22:45:20 hostname roundcube: [10-Apr-2009 22:45:20 -0500] IMAP Error: Authentication for username failed (LOGIN): "a001 NO Authentication failed." (POST /roundcube/?_task=&_action=login)
- - Apr 10 23:01:23 hostname roundcube: [10-Apr-2009 23:01:23 -0500]: Successful login for username (id 1) from 127.0.0.1
- - Oct 28 19:31:08 hostname roundcube: <isj89gtf> IMAP Error: Login failed for username from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
-
- Example from roundcube internal logfile (/path/to/roundcube/logs/errors):
- - [04-Oct-2017 17:03:30 +0200]: <jkgnfe79> IMAP Error: Login failed for username from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
-
- Examples if log_logins is enabled (/path/to/roundcube/logs/userlogins):
- - [04-Oct-2017 16:08:01 +0200]: <lrpo6s0r> Failed login for test from 127.0.0.1 in session abcdefg (error: 0)
- - [04-Oct-2017 16:09:17 +0200]: <4bd4jqqc> Successful login for test (ID: 6) from 127.0.0.1 in session abcdefg
--->
-
-<decoder name="roundcube">
- <program_name>^roundcube</program_name>
-</decoder>
-
-<decoder name="roundcube">
- <prematch>^[\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d \S+]</prematch>
-</decoder>
-
-<decoder name="roundcube-success">
- <parent>roundcube</parent>
- <prematch> Successful login for </prematch>
- <regex offset="after_prematch">^(\S+) \(id \d+\) from (\S+)$|^(\S+) \(ID: \d+\) from (\S+)</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="roundcube-denied-old">
- <parent>roundcube</parent>
- <prematch>] \w+ Error: Authentication </prematch>
- <regex offset="after_prematch">^for (\S+) failed</regex>
- <order>user</order>
-</decoder>
-
-<decoder name="roundcube-denied-new">
- <parent>roundcube</parent>
- <prematch>> \w+ Error: Login failed |> Failed login </prematch>
- <regex offset="after_prematch">^for (\S+) from (\S+)\. |^for (\S+) from (\S+) in session </regex>
- <order>user, srcip</order>
-</decoder>
-
-
-
-<!-- Apache decoder.
- - Updated by jesus@wazuh.com. 2016/02/17
- - Will extract the srcip
- - Examples:
- - Without ID: Will extract the srcip and srcport (when it is available)
- - [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
- - [error] [client 64.94.163.159] Client sent malformed Host header
- - [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
- - [Sun Nov 23 18:49:01.713508 2014] [:error] [pid 15816] [client 141.8.147.9:51507] PHP Notice: A non well formed numeric value encountered in /path/to/file.php on line 123
- - Feb 17 18:00:00 myhost httpd[18660]: [error] [client 12.34.56.78] File does not exist: /usr/local/htdocs/cache
- - Feb 17 18:00:00 myhost httpd[23745]: [error] [client 12.34.56.78] PHP Notice:
- - With IP + ID: Will extract the srcip, id, and srcport (when it is available)
- - [Tue Sep 30 11:30:13.262255 2014] [core:error] [pid 20101] [client 99.47.227.95:34567] AH00037: Symbolic link not allowed or link target not accessible: /usr/share/awstats/icon/mime/document.png
- - [Tue Sep 30 12:24:22.891366 2014] [proxy:warn] [pid 2331] [client 77.127.180.111:54082] AH01136: Unescaped URL path matched ProxyPass; ignoring unsafe nocanon, referer: http://www.easylinker.co.il/he/links.aspx?user=bguyb
- - [Tue Sep 30 14:25:44.895897 2014] [authz_core:error] [pid 31858] [client 99.47.227.95:38870] AH01630: client denied by server configuration: /var/www/example.com/docroot/
- - [Thu Oct 23 15:17:55.926067 2014] [ssl:info] [pid 18838] [client 36.226.119.49:2359] AH02008: SSL library error 1 in handshake (server www.example.com:443)
- - ModSecurity
- - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10] ModSecurity: Access denied with code 403 (phase 2). Text...
- - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10:5555] ModSecurity: Access denied with code 403 (phase 2). Text...
- - Others
- - [notice] Apache configured
- - [Thu Oct 23 15:17:55.926123 2014] [ssl:info] [pid 18838] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!?
- - [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different
--->
-
-<decoder name="apache-errorlog">
- <program_name>^httpd</program_name>
-</decoder>
-
-<decoder name="apache-errorlog">
- <prematch>^[warn] |^[notice] |^[error] </prematch>
-</decoder>
-
-<decoder name="apache-errorlog">
- <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
-</decoder>
-
-
-<decoder name="apache24-errorlog-ip-port">
- <parent>apache-errorlog</parent>
- <prematch offset="after_parent">[client \S+:\d+] \S+:</prematch>
- <regex offset="after_parent">[client (\S+):(\d+)] (\S+): </regex>
- <order>srcip,srcport,id</order>
-</decoder>
-
-<decoder name="apache24-errorlog-ip">
- <parent>apache-errorlog</parent>
- <prematch offset="after_parent">[client \S+] \S+:</prematch>
- <regex offset="after_parent">[client (\S+)] (\S+): </regex>
- <order>srcip,id</order>
-</decoder>
-
-
-<decoder name="apache-errorlog-ip">
- <parent>apache-errorlog</parent>
- <prematch offset="after_parent">[client</prematch>
- <regex offset="after_prematch">^ (\S+):(\d+)] |^ (\S+)] </regex>
- <order>srcip,srcport</order>
-</decoder>
-
-
-
-<!-- Nginx error log decoder.
- - Will extract the srcip.
- - Examples:
- - 2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"
- - 2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)
- -->
-<decoder name="nginx-errorlog">
- <prematch>^20\d\d/\d\d/\d\d \d\d:\d\d:\d\d [</prematch>
-</decoder>
-
-<decoder name="nginx-errorlog-ip">
- <parent>nginx-errorlog</parent>
- <prematch offset="after_parent">, client: \S+, server: \S+, request: "\S+ </prematch>
- <regex offset="after_parent">, client: (\S+), </regex>
- <order>srcip</order>
-</decoder>
-
-
-
-
-<!-- NCSA common log decoder (used by apache, Lotus Domino and IIS NCSA).
- - Will extract the srcip, url and id.
- - Every web access log must use "web-log" as their
- - type if they want to be matched against the web rules.
- - Examples:
- - 63.91.167.39 - - [03/Aug/2001:21:56:18 -0700] "GET /default.ida?NNNN
- - 206.78.62.16 - - [06/Aug/2001:08:57:08 -0700] "GET /default.ida?XX
- - 5.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:
- - 192.168.2.190 - - [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
- 200 1732
- - 1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
- - 123.4.5.6 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
- - ::ffff:202.194.15.192 190.7.138.180 - [18/Oct/2010:10:48:55 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- -->
-<decoder name="web-accesslog">
- <type>web-log</type>
- <prematch>^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \S+ HTTP\S+" </prematch>
- <regex>^(\S+) \S+ (\S+) [\S+ \S\d+] </regex>
- <regex>"(\w+) (\S+) HTTP\S+" (\d+) </regex>
- <order>srcip, srcuser, action, url, id</order>
-</decoder>
-
-
-<!-- Windows date format.
- - Pre match for windows date format. Used on Windows firewall,
- - IIS, etc.
- - Examples:
- - 2006-07-23 04:40:02 xxx
- -->
-<decoder name="windows-date-format">
- <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
-</decoder>
-
-
-
-<!-- Windows firewall decoder.
- - Will extract action, protocol, srcip, dstip, srcport and dstport.
- - Examples:
- - 2006-09-18 22:25:30 OPEN TCP 11.12.72.10 12.252.71.6 3311 445 - - - - - - - - -
- - 2006-09-18 22:26:23 DROP UDP 11.152.183.14 239.255.255.250 65299 1900 310 - - - - - - - RECEIVE
- - 2006-09-18 22:26:23 DROP UDP 11.152.183.14 239.255.255.250 65299 1900 310 - - - - - - - RECEIVE
- - 2006-09-18 22:26:23 DROP UDP 11.152.183.14 239.255.255.250 65298 1900 319 - - - - - - - RECEIVE
- -->
-<decoder name="windows-firewall">
- <parent>windows-date-format</parent>
- <type>firewall</type>
- <use_own_name>true</use_own_name>
- <prematch offset="after_parent">^OPEN|^CLOSE|^DROP</prematch>
- <regex offset="after_parent">^(\w+) (\w+) </regex>
- <regex>(\S+) (\S+) (\d+) (\d+) </regex>
- <order>action, protocol, srcip, dstip, srcport, dstport</order>
-</decoder>
-
-
-<!-- IIS 5 WWW W3C log format.
- - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
- - Examples:
- - 2006-07-23 04:40:02 1.2.3.4 - W3SVC3 CIN1WEB03 1.2.3.4 443 GET /Default.asp - 200 hiden.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Avant+Browser;+Avant+Browser;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) -
- -->
-<decoder name="web-accesslog-iis5">
- <parent>windows-date-format</parent>
- <type>web-log</type>
- <use_own_name>true</use_own_name>
- <prematch offset="after_parent">^\S+ \S+ W3SVC</prematch>
- <regex offset="after_parent">^(\S+) \S+ \S+ \S+ \S+ </regex>
- <regex>\d+ \S+ (\S+ \S+) (\d+) </regex>
- <order>srcip,url,id</order>
-</decoder>
-
-
-<!-- IIS6 WWW W3C log format.
- - #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
- cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
- cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
- sc-bytes cs-bytes time-taken
- - Examples:
- - 2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31
- -->
-<decoder name="web-accesslog-iis6">
- <parent>windows-date-format</parent>
- <type>web-log</type>
- <use_own_name>true</use_own_name>
- <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
- <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\S+) </regex>
- <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
- <order>url, srcip, id</order>
-</decoder>
-
-<!-- Windows IIS decoder for default settings
- - Tested with IIS 7.5 and IIS 8.5 (Windows 2008R2 and Windows 2012R2)
- - Will extract URL, Source IP, and HTTP response code
- - Examples:
- - IIS 7.5
- - 2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624
- - IIS 8.5
- - 2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0
- - 2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0
- - 2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0
--->
-
-<decoder name="web-accesslog-iis-default">
- <parent>windows-date-format</parent>
- <type>web-log</type>
- <use_own_name>true</use_own_name>
- <prematch offset="after_parent">^\S+ GET |^\S+ POST </prematch>
- <regex offset="after_prematch">(\S+ \S*) \.* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
- <order>url,srcip,id</order>
-</decoder>
-
-
-<!-- IIS 5 W3C FTP log format.
- - Examples:
- - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
- - 2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]USER Administrator - 331 0 0 0 0 FTP - - - -
- - 2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]PASS - - 230 0 0 0 16 FTP - - - -
- -->
-<decoder name="msftp">
- <parent>windows-date-format</parent>
- <use_own_name>true</use_own_name>
- <prematch offset="after_parent">^\S+ \S+ MSFTPSVC</prematch>
- <regex offset="after_parent">^(\S+) (\S+) \S+ \S+ \S+ </regex>
- <regex>\d+ [\d+](\S+) \S+ \S+ (\d+) </regex>
- <order>srcip,user,action,id</order>
-</decoder>
-
-
-
-<!-- IIS 5 W3C SMTP log format (Exchange).
- - Examples:
- - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
- - 2006-10-09 14:04:46 69.217.186.117 - SMTPSVC1 MEE-PDC 192.168.X.X 0 xxxx -
- > +hupylaw.hupy.local 500 0 32 23 0 SMTP - - - -
- -->
-<decoder name="msexchange">
- <parent>windows-date-format</parent>
- <use_own_name>true</use_own_name>
- <prematch offset="after_parent">^\S+ \S+ SMTPSVC</prematch>
- <regex offset="after_parent">^(\S+) \S+ \S+ \S+ \S+ </regex>
- <regex>\d+ (\S+) \S+ \S+ (\d+) </regex>
- <order>srcip, action, id</order>
-</decoder>
-
-
-
-<!-- Racoon VPN.
- - Extract id (error or info) and ip address whenever possible.
- - 2006-08-08 01:42:09: ERROR: couldn't find the pskey for 222.155.15.88.
- -
- -->
-<decoder name="racoon">
- <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d: </prematch>
-</decoder>
-
-<decoder name="racoon-failed">
- <parent>racoon</parent>
- <use_own_name>true</use_own_name>
-
- <prematch offset="after_parent">^ERROR: couldn't find the pskey </prematch>
- <regex offset="after_prematch">^for (\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="racoon-action">
- <parent>racoon</parent>
- <regex offset="after_parent">^(\w+): </regex>
- <order>action</order>
-</decoder>
-
-
-
-<!-- Windows decoder
- - Will extract extra_data (as win source),action (as win category), id,
- - username and computer name (as system_name).
- - Examples:
- - WinEvtLog: Application: INFORMATION(0x00000064): ESENT:
- (no user)(no domain):
- - WinEvtLog: Security: AUDIT_FAILURE(0x000002A9): Security:
- SYSTEM: NT AUTHORITY: The logon to account: xyz by:
- MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: la failed.
- The error code was: 3221225572
- - WinEvtLog: Security: AUDIT_FAILURE(0x00000211): Security:
- SYSTEM: NT AUTHORITY: Logon Failure: Reason: Unknown user
- name or bad password User Name: ab Domain: cd
- Logon Type: 2 Logon Process: User32 Authentication
- Package: Negotiate Workstation Name: ad
- - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0x7C966E) Logon Type: 2
- - 2013 Oct 09 17:09:04 WinEvtLog: Application: INFORMATION(1): My Script: (no user): no domain: demo1.foo.example.com: test
- -->
-<decoder name="windows">
- <type>windows</type>
- <program_name>^WinEvtLog</program_name>
-</decoder>
-
-<decoder name="windows1">
- <type>windows</type>
- <parent>windows</parent>
- <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
- <regex>(\.+): \.+: (\S+): </regex>
- <order>status, id, extra_data, user, system_name</order>
- <fts>name, location, system_name</fts>
-</decoder>
-
-<decoder name="windows1">
- <type>windows</type>
- <parent>windows</parent>
- <regex> Source Network Address: (\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="windows1">
- <type>windows</type>
- <parent>windows</parent>
- <regex> Account Name:\s+(\w+\.+)\s+Account</regex>
- <order>user</order>
-</decoder>
-
-<decoder name="windows1">
- <type>windows</type>
- <parent>windows</parent>
- <regex>Account Domain:\s\s+(\w\.+)\s\s+Logon ID:</regex>
- <order>extra_data</order>
-</decoder>
-
-
-<!-- Windows decoder -NTsyslog format
- - Will extract extra_data (as win source),action (as win category), id,
- - username and computer name (as url).
- - Examples:
- - security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
- - security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}
- -->
-<decoder name="windows-ntsyslog">
- <type>windows</type>
- <prematch>^security[\w+] \d+ </prematch>
- <regex>^(\w+)[(\w+)] (\d+) </regex>
- <order>extra_data, status, id</order>
-</decoder>
-
-
-<!-- Windows decoder - Snare format.
- - Will extract extra_data (as win source), action (as category), id,
- - username and computer name (as system_name).
- -
- - These logs must be tab-separated (as specified in the Snare format)
- -
- - Examples:
- - Aug 11 11:11:11 xx.org MSWinEventLog 1 System 59221 Thu Aug 11 01:11:11 2006 17 Windows Update Agent Unknown User
- - Jan 16 05:52:15 hostname.xx.org MSWinEventLog 1
- Security 13049 Tue Jan 16 05:52:15 2007 680 Security
- SYSTEM User Success Audit ACTUATE Account Logon
- Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
- Account Name: IUSR_HOSTNAME Workstation: ACTUATE
- 12653
- - Jan 16 13:02:24 hostname.yy.org MSWinEventLog 1
- Application 14539 Tue Jan 16 13:02:24 2007 1704 SceCli
- Unknown User N/A Information ACTUATE None Security
- policy in the Group policy objects are applied successfully. 67
- - Jan 16 15:41:37 hostname.zz.org MSWinEventLog 1 System
- 15059 Tue Jan 16 15:41:37 2007 10 Print username User
- Information HOSTNAME None Document 76,
- /directory/directory/directory/directory/directory/date/Afilename owned
- by username was printed on hostname_duplex via port hostname_duplex.
- Size in bytes: 19543296; pages printed: 162 361
- -->
-<decoder name="windows-snare">
- <type>windows</type>
- <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
- <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
- <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
- <order>id, extra_data, user, status, system_name</order>
- <fts>name, id, location, user, system_name</fts>
-</decoder>
-
-
-<!-- Symantec AV decoder.
- - Source: http://www.ossec.net/wiki/index.php/Symantec_Antivirus
- - Examples:
- - 24090D00000A,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-LU2K3 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
- - 24090D00000F,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-APPS-BOX4 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
- - 240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
- -->
-<decoder name="symantec-av">
- <prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>
- <regex offset="after_prematch">^(\d+),\d+,\d+,(\S+),(\.+),</regex>
- <order>id, system_name, extra_data</order>
- <fts>name, location, id, system_name, extra_data</fts>
-</decoder>
-
-
-<!-- Symantec Web Security.
- - Source: http://www.ossec.net/wiki/index.php/Symantec_Websecurity
- - Examples:
- - 20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29
- - 20070717,73556,1=5,100=Logoff due to timeout.,11=1.2.3.4,10=usera,3=1,2=2
- 20070717,73559,1=5,11=2.3.4.5,10=userb,3=2,2=1
- -->
-<decoder name="symantec-websecurity">
- <prematch>^\d\d\d\d\d\d\d\d,\d\d\d+,</prematch>
- <plugin_decoder>SymantecWS_Decoder</plugin_decoder>
-</decoder>
-
-
-
-<!-- Trend Micro OSCE (Office Scan) decoder.
- - 20090716<;>948<;>TROJ_Generic.DIT<;>25<;>3<;>0<;>C:\Documents and Settings\Administrator\Desktop\HyperSnap 6.02.01_EN\HprSnap6Man.chm<;>
- - 20090716<;>950<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\DCS_VM-ICRC-WFBS6\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
- - 20090716<;>951<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
- - Date<;>Time<;>Virus name<;>Scan result<;>Scan type<;>Seen<;>Filename<;>
- - We are only extracting the scan result right now.
- -->
-<decoder name="trend-osce">
- <prematch>^20\d\d\d\d\d\d\<;></prematch>
- <regex offset="after_prematch">^\d+\<;>\S+\<;>(\d+)\<;</regex>
- <order>id</order>
-</decoder>
-
-
-
-<!-- ossec decoder.
- - Deals with ossec internal messages.
- -->
-<decoder name="ossec">
- <prematch>^ossec: </prematch>
- <type>ossec</type>
-</decoder>
-
-<decoder name="ossec-logcollector">
- <type>ossec</type>
- <prematch>^\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d ossec-logcollector</prematch>
- <regex offset="after_prematch">^\(\d+\): (\.)</regex>
- <order>extra_data</order>
-</decoder>
-
-<decoder name="ossec-agent">
- <parent>ossec</parent>
- <type>ossec</type>
- <prematch offset="after_parent">^Agent started:</prematch>
- <regex offset="after_prematch">^ '(\S+\S)'</regex>
- <order>extra_data</order>
- <fts>name, location, extra_data</fts>
-</decoder>
-
-<decoder name="ossec-alert1">
- <parent>ossec</parent>
- <prematch>^ossec: Alert Level:</prematch>
- <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
-</decoder>
-
-<decoder name="ossec-alert">
- <program_name>^ossec$</program_name>
- <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
-</decoder>
-
-<!-- decoder for active responses as logged by an OSSEC agent or server
-
-- Examples
-Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.16.0.1 1304756247.60385 31151
-Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 172.16.0.1 1304756247.60385 31151
-Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 172.16.0.1 1304756247.60385 31151
-Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
--->
-
-<decoder name="ar_log">
- <prematch>^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response</prematch>
- <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
- <order>action, status, srcip, id, extra_data</order>
-</decoder>
-
-<!-- Zeus decoder.
- - Will extract the severity and the srcip/username when available.
- - Examples:
- - [08/Aug/2006:22:32:12 +0100] WARN:admin:Authentication failure, url=/index.cgi, host=xx.yy.com, user=admin
- - [10/Dec/2006:16:59:26 +0000] INFO:Zeus Admin Server running
- -->
-<decoder name="zeus">
- <prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
- <regex offset="after_prematch"> host=(\S+), </regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!-- Vmware ESX logs.
- - Will extract the severity and username/ip when available.
- - Examples:
- - [2008-03-09 22:43:35.924 'ha-eventmgr' 84503472 info] Event 2053 : User root@127.0.0.1 logged in
- - [2008-02-05 02:13:18.112 'ha-eventmgr' 95833272 info] Event xyz : User m@1.2.3.4 logged in
- - [2008-08-26 11:06:16.359 'ha-eventmgr' 20532144 info] Event 285 : Failed login attempt for root@127.0.0.1
- - Aug 25 06:01:10 hostname vmware-hostd[1863]: Accepted password for user root from 127.0.0.1
- - Aug 7 11:05:34 localhost vmware-authd[9709]: login from 172.16.129.78 as 523b717c-4542-f5fc-c006-1644eb8f4330
- - Aug 26 11:42:29 localhost vmware-hostd[1863]: Rejected password for user blablabla from 127.0.0.1
- -->
-<decoder name="vmware">
- <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d '\S+' \d+ </prematch>
-</decoder>
-
-<decoder name="vmware-extra">
- <parent>vmware</parent>
- <regex offset="after_parent">^(\w+)] \S+ \S+ </regex>
- <order>status</order>
-</decoder>
-
-<decoder name="vmware-extra">
- <parent>vmware</parent>
- <regex offset="after_regex">^: User (\w+)@(\S+)</regex>
- <regex> logged |^: Failed login \w+ for (\w+)@(\S+)</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="vmware-syslog">
- <program_name>vmware</program_name>
-</decoder>
-
-<decoder name="vmware-success">
- <parent>vmware-syslog</parent>
- <prematch>^Accepted|^Rejected</prematch>
- <regex offset="after_prematch">^ \S+ for user (\S+) from (\S+)$</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="vmware-login">
- <parent>vmware-syslog</parent>
- <prematch>^login from </prematch>
- <regex offset="after_prematch">^(\S+) as</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!-- Solaris BSM
- - Examples:
- - Nov 21 15:12:56 unknown audit: [ID 905220 audit.notice] system booted
- text booting kernel
- - Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet
- failed session 2740580090 by root as root:root from 1.254.168.192
- - failed session 2740580090 by root as root:root from 1.254.168.192
- - ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj
- -->
-<decoder name="solaris_bsm">
- <program_name>^audit$</program_name>
-</decoder>
-
-<decoder name="solaris_bsm_session">
- <parent>solaris_bsm</parent>
- <prematch> \w+ session \d+ by </prematch>
- <regex> (\w+) session \d+ by</regex>
- <order>status</order>
-</decoder>
-
-<decoder name="solaris_bsm_session">
- <parent>solaris_bsm</parent>
- <regex offset="after_regex">^ \S+ as \S+:\S+ from (\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-
-
-<!-- Asterisk logs
- - Examples:
- - Dec 16 18:02:04 asterisk1 asterisk[31774]: NOTICE[31787]:
- chan_sip.c:11242 in handle_request_register: Registration from
- '"503"<sip:503@192.168.1.107>' failed for '192.168.1.137' - Wrong
- password
- -->
-<decoder name="asterisk">
- <program_name>^asterisk</program_name>
-</decoder>
-
-<decoder name="asterisk-hijacking">
- <parent>asterisk</parent>
- <prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
- <regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
- <order>user</order>
-</decoder>
-
-<decoder name="asterisk-denied">
- <parent>asterisk</parent>
- <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
- <regex offset="after_prematch">^'\.+' failed for '(\S+):(\d+)'|^'\.+' failed for '(\S+)'</regex>
- <order>srcip,srcport</order>
-</decoder>
-
-<decoder name="asterisk-denied2">
- <parent>asterisk</parent>
- <prematch>Registration from </prematch>
- <regex offset="after_prematch">failed for '(\S+):(\d+)'|failed for '(\S+)'</regex>
- <order>srcip,srcport</order>
-</decoder>
-
-<decoder name="asterisk-denied3">
- <parent>asterisk</parent>
- <prematch>^NOTICE[\d+][\w+]: \S+ in \S+: Call from </prematch>
- <regex offset="after_prematch">^'\S*' \((\S+):(\d+)\) to extension '(\S+)' rejected because extension not found in context '(\S+)'.$</regex>
- <order>srcip, srcport, extra_data, extra_data</order>
-</decoder>
-
-<decoder name="asterisk-iax-authentication-denied">
- <parent>asterisk</parent>
- <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
- <regex offset="after_prematch">^(\S+) failed MD5 authentication for (\S+)</regex>
- <order>srcip, user</order>
-</decoder>
-
-<!-- Cisco IOS
- - Group for Cisco IOS messages.
- - We would need to support multiple formats, but currently we require
- - no service time stamp and no sequence-numbers.
- -
- - Aug 17 17:41:26 xyz.com 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 124.254.75.141 1 packet
- - Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from
- console by admin on vty0 (210.x.x.12)
- - 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
- - 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
- - 1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
- - 23: May 3 05:15:25.217 UTC: %SEC-6-IPACCESSLOGP:
- - Possible regex:
- "^%\w+-\d-\w+: |^\S\w\w+ \.\d \d\d:\S+ \w+: %\w+-\d-\w+:"
- -->
-<decoder name="cisco-ios">
- <prematch>^%\w+-\d-\w+: </prematch>
-</decoder>
-
-<decoder name="cisco-ios">
- <program_name />
- <prematch>^%\w+-\d-\w+: </prematch>
-</decoder>
-
-
-<!-- Cisco IOS
- - Will extract the action, srcip, srcport, dstip and dstport
- - Samples:
- -
- - %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
- - %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
- -->
-<decoder name="cisco-ios-acl">
- <parent>cisco-ios</parent>
- <type>firewall</type>
- <prematch>^%SEC-6-IPACCESSLOGP: </prematch>
- <regex offset="after_prematch">^list \S+ (\w+) (\w+) </regex>
- <regex>(\S+)\((\d+)\) -> (\S+)\((\d+)\),</regex>
- <order>action, protocol, srcip, srcport, dstip, dstport</order>
-</decoder>
-
-
-<!-- Cisco IOS IDS/IPS module
- - Will extract the id, srcip, srcport, dstip and dstport
- - Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444]
- - Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
- - Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80]
- -->
-<decoder name="cisco-ios-ids">
- <parent>cisco-ios</parent>
- <type>ids</type>
- <prematch>^%IPS-4-SIGNATURE: </prematch>
- <regex offset="after_prematch">^Sig:(\d+) \.+[(\S+):(\d+) -> </regex>
- <regex>(\S+):(\d+)]</regex>
- <order>id, srcip, srcport, dstip, dstport</order>
- <fts>name, id, srcip, dstip</fts>
- <ftscomment>First time Cisco IOS IDS/IPS module rule fired.</ftscomment>
-</decoder>
-
-
-<!-- Cisco IOS
- - Extracts the ID of cisco ios messages.
- -->
-<decoder name="cisco-ios-generic">
- <parent>cisco-ios</parent>
- <regex>^(%\w+-\d-\w+): </regex>
- <order>id</order>
-</decoder>
-
-
-
-<!-- Checkpoint via syslog decoder.
- - Does not currently handle all types of Checkpoint events.
- - Checkpoint NG(X)/FW-1 logs via (Linux) syslog
- - Ex. fw log -ftnp fw.log | logger -t Checkpoint
- -
- - fw log :
- - -f select current log file
- - -t tail file
- - -n use ip instead of name
- - -p use port number instead of name
- -
- - -l add date before timestamp
- - Use of -l changes log format slightly
- -
- - -g without : and ; delimiters
- - use of -g significantly changes log format
- - this decoder is incompatible with -g
- -
- - logger :
- - -t <tag> prepends "tag: " to log entry
- - the tag here must match "program name" in the decoder
- -
- - Examples:
- -
- - Checkpoint: 21Aug2007 12:00:00 accept 10.10.10.2 >eth0 rule: 100; rule_uid:
-{00000000-0000-0000-0000-000000000000}; service_id: nbdatagram; src:
-10.10.10.3; dst: 10.10.10.255; proto: udp; product: VPN-1 & FireWall-1;
-service: 138; s_port: 138;
- -
- - Checkpoint: 13:00:00 accept 10.10.10.2 >eth0 rule: 101; rule_uid:
-{00000000-0000-0000-0000-000000000000}; service_id: http; src: 10.10.10.3; dst:
-10.1.2.3; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 1111;
- -
- - Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 >eth4 rule: 102; rule_uid:
-{00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2;
-dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 &
-FireWall-1;
- -
- - Checkpoint: 3Apr2008 15:02:15 monitor 10.10.10.3 >eth2 Attack Info: Line
-in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
-10.10.10.5; proto: tcp; product: SmartDefense; service: 111; s_port: 222;
- -->
-
-<!-- \s+\S+ \d\d:\d\d:\d\d (\w+) \S+ \p\S+ rule: -->
-<decoder name="checkpoint-syslog">
- <program_name>^Checkpoint</program_name>
- <prematch>^\s+\S+ \d\d:\d\d:\d\d </prematch>
-</decoder>
-
-<decoder name="checkpoint-syslog-fw">
- <parent>checkpoint-syslog</parent>
- <type>firewall</type>
- <prematch offset="after_parent">^drop|^accept|^reject</prematch>
- <regex offset="after_parent">^(\w+)\s+\S+ \p\S+ rule:\.+</regex>
- <regex>src: (\S+); dst: (\S+); proto: (\S+);</regex>
- <order>action,srcip,dstip,protocol</order>
-</decoder>
-
-<decoder name="checkpoint-syslog-fw">
- <parent>checkpoint-syslog</parent>
- <type>firewall</type>
- <regex offset="after_regex">service: (\d+); s_port: (\d+);</regex>
- <order>dstport,srcport</order>
-</decoder>
-
-<decoder name="checkpoint-syslog-ids">
- <parent>checkpoint-syslog</parent>
- <type>ids</type>
- <prematch offset="after_parent">^monitor|^drop</prematch>
- <regex offset="after_prematch">attack: (\.+); </regex>
- <regex>src: (\S+); dst: (\S+); </regex>
- <regex>proto: (\S+);</regex>
- <order>extra_data, srcip, dstip, protocol</order>
- <fts>name, extra_data, srcip, dstip</fts>
- <ftscomment>First time Checkpoint rule fired.</ftscomment>
-</decoder>
-
-
-
-<!-- Microsoft Windows 2003 ipv4, 2008 ipv4/ipv6 DHCP decoder for OSSEC
- - Author: phishphreek@gmail.com
- -->
-
-<!--
- - Server 2008 DHCP IPv4 Decoder (must go first)
- - ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID.
- - 24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
- - 0,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
--->
-
-<decoder name="ms-dhcp-ipv4">
- <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|</prematch>
- <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
- <regex>^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\S+)</regex>
- <order>id,extra_data,srcip</order>
-</decoder>
-
-<!--
- - Server 2008 DHCP IPv6 Decoder (must go second)
- - ID,Date,Time,Description,IPV6 Address,Host Name,Error Code, Duid Length, Duid Bytes(Hex),User Name.
--->
-<decoder name="ms-dhcp-ipv6">
- <prematch>^\d\d\d\d\d,\d\d/\d\d/\d\d,\d\d:\d\d:\d\d,</prematch>
- <regex>^(\d\d\d\d\d),</regex>
- <order>id</order>
-</decoder>
-
-
-<!-- OpenBSD kernel messages -->
-<decoder name="bsd_kernel">
- <program_name>^/bsd</program_name>
-</decoder>
-
-<decoder name="bsd_arp">
- <parent>bsd_kernel</parent>
- <prematch offset="after_parent">^arp </prematch>
- <regex offset="after_prematch"> for (\S+) by (\S+) on \S+</regex>
- <order>dstip, extra_data</order>
-</decoder>
-
-<!-- OpenBSD deluser
- - 2014-02-21T10:22:55.134355-05:00 arrakis userdel[23023]: user removed: name=dac
--->
-
-<decoder name="open-userdel">
- <program_name>userdel</program_name>
- <regex>user removed: name=(\S+)$</regex>
- <order>srcuser</order>
-</decoder>
-
-
-
-<!-- OpenBSD mountd decoder
-- Apr 11 20:01:02 ix mountd[11618]: Refused mount RPC from host 192.168.17.10 port 45659
--->
-
-<decoder name="mountd">
- <program_name>^mountd</program_name>
-</decoder>
-
-<decoder name="mountd-host">
- <parent>mountd</parent>
- <prematch>from host </prematch>
- <regex offset="after_prematch">(\S+) port \d+$</regex>
- <order>srcip</order>
-</decoder>
-
-
-<!-- nss ldap decoders
-- Jun 26 08:19:25 servername sh: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
-- Aug 16 10:58:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server
--->
-<!--
-<decoder name="nss-ldap">
- <program_name>^sh$|^nscd$</program_name>
- <prematch>^nss_ldap</prematch>
-</decoder>
-
-<decoder name="ldap-server">
- <parent>nss-ldap</parent>
- <prematch> server </prematch>
- <regex offset="after_prematch">ldap://(\S+):</regex>
- <order>system_name</order>
-</decoder>
--->
-
-
-
-<!-- OpenBSD groupdel
- - May 28 09:15:43 ix groupdel[25984]: group deleted: name=_dbus
--->
-<decoder name="groupdel">
- <program_name>groupdel</program_name>
- <regex>^group deleted: name=(\S+)$</regex>
- <order>extra_data</order>
-</decoder>
-
-
-<!-- Portsentry -->
-<decoder name="portsentry">
- <program_name>^portsentry</program_name>
-</decoder>
-
-<decoder name="portsentry-attackalert">
- <parent>portsentry</parent>
- <prematch>attackalert: Connect from host: </prematch>
- <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
- <order>srcip,protocol,dstport</order>
-</decoder>
-
-<decoder name="portsentry-blocked">
- <parent>portsentry</parent>
- <prematch>is already blocked. Ignoring$</prematch>
- <regex>Host: (\S+) is</regex>
- <order>srcip</order>
-</decoder>
-
-
-<!-- Clamav and Freshclam decoder
- - Nov 5 22:59:19 ix freshclam[32349]: Incremental update failed, trying to download daily.cvd
--->
-<decoder name="clamd">
- <program_name>^clamd</program_name>
-</decoder>
-
-<decoder name="freshclam">
- <program_name>^freshclam</program_name>
-</decoder>
-
-
-<!-- OpenLDAP decoder.
- - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
- - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=0 BIND dn="uid=example,ou=People,dc=example,dc=com" method=128
- - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=0 RESULT tag=97 err=49 text=
- ^- Login Failed
- - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=1 BIND dn="uid=example,ou=People,dc=example,dc=com" method=128
- ^- Login Retried
- - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
- ^- Login Successful
- - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=2 UNBIND
- - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 fd=64
- ^- Connection closed
-
- -->
-<decoder name="openldap">
- <program_name>^slapd</program_name>
- <accumulate/>
-</decoder>
-
-<decoder name="openldap-connect">
- <parent>openldap</parent>
- <prematch>ACCEPT</prematch>
- <regex>^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):</regex>
- <order>id, srcip</order>
- <accumulate/>
-</decoder>
-
-<decoder name="openldap-bind">
- <parent>openldap</parent>
- <prematch>BIND </prematch>
- <regex>^conn=(\d+) op=\d+ BIND dn="\w+=(\w+),</regex>
- <order>id, dstuser</order>
- <accumulate/>
-</decoder>
-
-<decoder name="openldap-result">
- <accumulate/>
- <parent>openldap</parent>
- <prematch> RESULT </prematch>
- <regex>^conn=(\d+) op=\d+ RESULT </regex>
- <order>id</order>
-</decoder>
-
-<!-- NTP decoder
- - gorilla ntpd[27379]: bad sensor nmea0
- - tiny ntpd[25875]: bad peer 192.168.1.233 (192.168.1.233)
- - gorilla ntpd[29719]: bind on 192.168.1.233 failed, skipping: Can't assign requested address
- - ix ntpd[8392]: bind on 192.168.17.9 failed, skipping: Address already in use
- - ix ntpd[11685]: bad peer from pool pool.ntp.org (64.73.32.135)
- - richese ntpd[3465]: bad peer ix (192.168.17.9)
- - ix ntpd[11685]: bad peer from pool pool.ntp.org (69.50.219.51)
- - ix ntpd[7045]: recvmsg 192.168.17.17: Connection refused
- - ix ntpd[29411]: 2 out of 3 peers valid
- - bridge ntpd[5877]: logconfig: illegal argument - ignored
- - bridge ntpd[5902]: offset 0.000000 sec freq 0.000 ppm error 0.000011 poll 6
--->
-<decoder name="ntpd">
- <program_name>^ntpd</program_name>
-</decoder>
-
-<decoder name="ntpd-bad-peer">
- <parent>ntpd</parent>
- <prematch offset="after_parent">^bad peer </prematch>
- <regex>^bad peer \S+ \p(\S+)\p$|^bad peer from pool \S+ \p(\S+)\p$</regex>
- <order>srcip</order>
-</decoder>
-
-
-<!-- Auditd
-163
-164 - Will extract action, id, status, extra_data, srcip
-165 - Author and (c): Michael Starks, 2011
-166 - Future enhancements should ensure that all log samples regress properly due to the complexity of these decoders
-167 - Examples:
-
-<!-- CentOS 5.5 -->
-type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
-type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)'
-type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
-type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
-type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)'
-
-<!-- Unknown source -->
-type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
-
-<!-- Ubuntu 10.04 LTS -->
-type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
-type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null)
-type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod"
-type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
-type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
-
-<!-- Will not decode due to null name, that's OK -->
-type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0
-
--->
-
-<decoder name="auditd">
- <prematch>^type=</prematch>
-</decoder>
-
-<!-- SELinux -->
-<decoder name="auditd-selinux">
- <parent>auditd</parent>
- <prematch offset="after_parent">^AVC </prematch>
- <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
- <order>action,id,status,extra_data</order>
-</decoder>
-
-<!-- syscall -->
-<decoder name="auditd-syscall">
- <parent>auditd</parent>
- <prematch offset="after_parent">^SYSCALL </prematch>
- <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
- <order>action,id,status,extra_data</order>
-</decoder>
-
-<!-- config -->
-<decoder name="auditd-config">
- <parent>auditd</parent>
- <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
- <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
- <order>action,id,extra_data</order>
-</decoder>
-
-<!-- path (will only decode if name is not null)-->
-<decoder name="auditd-path">
- <parent>auditd</parent>
- <prematch offset="after_parent">^PATH </prematch>
- <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
- <order>action,id,extra_data</order>
-</decoder>
-
-<!-- user-related -->
-<decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
- <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
- <order>action,id</order>
-</decoder>
-
-<decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
- <order>user,extra_data,srcip</order>
-</decoder>
-
-<decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
- <order>user,extra_data,srcip,status</order>
-</decoder>
-
-<decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
- <order>user,extra_data,srcip,status</order>
-</decoder>
-
-<decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
- <order>extra_data,srcip,status</order>
-</decoder>
-
-<!--
-mptscsih \ mptbase decoder
-
-Description: module for SCSI controllers.
-
-Examples:
-[ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=ffff88007a8a9f00)
-
-[ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
-[ 6498.769252] mptbase: ioc0: PhysDisk is now failed, out of sync
-
-[ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
-[ 6498.775788] mptbase: ioc0: volume is now degraded, enabled
--->
-<decoder name="mptscsih-1">
- <parent>iptables</parent>
- <prematch>^[\s\d+.\d+] mptscsih: </prematch>
- <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
- <order>id,data,status</order>
-</decoder>
-
-<decoder name="mptbase-1">
- <parent>iptables</parent>
- <prematch>^[\s\d+.\d+] mptbase: </prematch>
- <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
- <order>id,data,action,status</order>
-</decoder>
-
-<!-- Grandstream HT502 VoIP gateway decoder
-Author and (c): Michael Starks, 2014 -->
-
-<!-- HT502: [00:0B:82:14:5B:94] Transport error (-1) for transaction 2677 -->
-
-<decoder name="grandstream-ata">
- <prematch>^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
- <prematch>^HT502: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
- <prematch>^HT503: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* </prematch>
-</decoder>
-
-<decoder name="grandstream-registration">
- <parent>grandstream-ata</parent>
- <prematch>Received </prematch>
- <regex offset="after_prematch">^(\d+) response for transaction (\d+)\((\w+)\)$</regex>
- <order>status, id, action</order>
-</decoder>
-
-<decoder name="grandstream-fts-registered">
- <parent>grandstream-ata</parent>
- <prematch>Account </prematch>
- <regex offset="after_prematch">^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (\.+)$</regex>
- <order>id, status, extra_data</order>
- <fts>name, location, extra_data</fts>
-</decoder>
-
-<decoder name="grandstream-incoming-cid">
- <parent>grandstream-ata</parent>
- <prematch>Vinetic::</prematch>
- <regex offset="after_prematch">^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$</regex>
- <order>action, id</order>
-</decoder>
-
-<decoder name="grandstream-outgoing-call">
- <parent>grandstream-ata</parent>
- <regex offset="after_parent">^(Dialing) (\d+)$</regex>
- <order>action, id</order>
-</decoder>
-
-
-<!-- apparmor
- - Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
- - Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
- - Jun 16 17:37:39 hostname kernel: [891880.587623] audit: type=1400 audit(1402933059.038:1681857): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/dovecot//null-1fde//null-1fdf" name="/usr/lib/dovecot/pop3-login" pid=13903 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18"
- - Jun 16 17:37:39 hostname kernel: [891880.587957] audit: type=1400 audit(1402933059.038:1681858): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
- - Jun 16 17:37:39 hostname kernel: [891880.587976] audit: type=1400 audit(1402933059.038:1681859): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
- - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1402933059.038:1681860): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
- - Jun 23 20:46:15 hostname kernel: [ 11.103248] audit: type=1400 audit(1403549175.177:2): apparmor="STATUS" operation="profile_load" name="/sbin/klogd" pid=2185 comm="apparmor_parser"
- - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
- - Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
--->
-
-<decoder name="apparmor">
- <parent>iptables</parent>
- <prematch> apparmor=</prematch>
- <regex> apparmor="(\S+)" operation="(\S+)"</regex>
- <order>status, extra_data</order>
-</decoder>
-
-<!-- unix_chkpwd
- - Jul 21 07:40:29 localhost unix_chkpwd[15804]: password check failed for user (username)
--->
-<decoder name="unix_chkpwd">
- <program_name>^unix_chkpwd</program_name>
-</decoder>
-
-<!--Jul 21 07:40:29 localhost unix_chkpwd[15804]: password check failed for user (username)-->
-<decoder name="chkpwd-user">
- <parent>unix_chkpwd</parent>
- <regex offset="after_parent">user \((\w+)\)$</regex>
- <order>srcuser</order>
-</decoder>
-
-<!-- Barracuda S&VF Email Logs
-Examples:
-May 14 03:31:21 mx1.example.org inbound/pass1: mail-88-66.reachmail.net[216.55.88.66] 1400074281-06f4a338c037a90001-TkCAQV 1400074281 1400074283 RECV errors@mail-88-68.reachmail.net eteixeira@example.net 2 12 -
-May 15 14:09:17 mx1.example.org inbound/pass1: host.limitless-servers.com[192.208.186.41] 1400198954-06f4a338c062640001-BkZagu 1400198954 1400198958 SCAN - heartattackbreakthrough@ridchanceofhrtattk.us en@example.org - 2 74 ridchanceofhrtattk.us SZ:2557 SUBJ:THE #1 Trick to Prevent Heart-Attacks Revealed???
-May 16 10:12:29 mx1.example.org inbound/pass1: kumarafoundation.hestoe.com[208.123.118.114] 1400271149-06f4a338c07a210001-QwTJwG 1400271149 1400271151 SCAN - EzekielMack@kumarafoundation.hestoe.com ctakesue@example.org - 2 74 hestoe.com SZ:1917 SUBJ:Bad Economy, Bad Rates - Get An Auto Insurance Quotes Today
-May 13 01:20:44 mx1.example.org scan: salmon.emxp002.net[174.123.35.182] 1399980039-06f4a338c019db0001-ZAPlzU 1399980040 1399980045 SCAN - errors@mermaid.emxp002.net PTAUA@HINGYCA.ORG 1.636 0 0 - SZ:86808 SUBJ:ATTN PASILA: URGENT FUNDING AVAILABLE
-May 14 09:39:30 mx1.example.org scan: mc.eau.lormaneducation.com[64.198.99.4] 1400096370-06f4a338c040390001-vQoliC 1400096370 1400096372 SCAN - bounce-201405143661297864@mc.eau.lormaneducation.com tmoriyasu@dod.hawaii.gov 0.401 0 0 - SZ:22001 SUBJ:Contractor's Dilemma of Dealing With Bad Plans and Specs - OnDemand Webinar
-May 16 10:56:04 mx1.example.org scan: smtp133.elabs13.com[74.116.235.133] 1400273757-06f4a338c07b490001-CBNzJg 1400273757 1400273765 SCAN - newsletter@email.cnbc.com tcolwell@example.net 0.402 0 0 - SZ:26609 SUBJ:=?utf-8?Q?"Failure=20to=20Recall:=20Investigating=20GM"=20Premier?==?utf-8?Q?es=20Sunday=2010p=20ET/PT?=
-Jul 26 10:39:36 mx1.example.org outbound/smtp: 127.0.0.1 1406407176-06f4a35b4d10f2c0001-EGYtgK 0 0 SEND - 3 A90EBA1F1BA connect to dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70]: server refused mail service
-Jul 26 13:38:16 mx1.example.org outbound/smtp: 127.0.0.1 1406248798-06f4a35b4de6bd0001-3QeedR 0 0 SEND - 3 68EC0A1F1A3 Name service error for name=conference.preventchildabusetexas.org type=MX: Host not found, try again
-Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2000001-PDxQZ2 0 0 SEND - 3 A194BA1F1AC connect to qw.eau.lormanwebinars.com[63.232.201.60]: Connection refused
--->
-
-<decoder name="barracuda-svf-email">
- <program_name>^inbound/pass|^scan|^outbound/smtp</program_name>
-</decoder>
-
-<decoder name="barracuda-svf1">
- <parent>barracuda-svf-email</parent>
- <prematch>^\S+[\S+]|</prematch>
- <prematch>^\S+</prematch>
- <regex>^\S+[(\S+)] (\d+-\w+-\w+) \d+ \d+ |</regex>
- <regex>^(\S+) (\d+-\w+-\w+) \d+ \d+ </regex>
- <order>srcip, id</order>
-</decoder>
-
-<!-- Info section - SCAN -->
-<decoder name="barracuda-svf1">
- <parent>barracuda-svf-email</parent>
- <regex offset="after_regex">(SCAN) (\S+ \S+ \S+ \S+ \d+ \d+ \.+ SUBJ:\.+)$</regex>
- <order>action, extra_data</order>
-</decoder>
-
-<!-- Info section RECV -->
-<decoder name="barracuda-svf1">
- <parent>barracuda-svf-email</parent>
- <regex offset="after_regex">(RECV) (\S+ \S+ \d+ \d+ \.+)$</regex>
- <order>action, extra_data</order>
-</decoder>
-
-<!-- Info section SEND -->
-<decoder name="barracuda-svf1">
- <parent>barracuda-svf-email</parent>
- <regex offset="after_regex">(SEND) (\S+ \d+ \S+ \.+)$</regex>
- <order>action, extra_data</order>
-</decoder>
-
-<!-- Barracuda S&VF Administration-->
-
-<decoder name="barracuda-svf-admin">
- <program_name>^web</program_name>
-</decoder>
-
-<decoder name="barracuda-svf-admin-change">
- <parent>barracuda-svf-admin</parent>
- <prematch>^[\S+] global[] CHANGE</prematch>
- <regex offset="after_parent">^[(\S+)] global[] (CHANGE) (\S+ \(\S*)\)$</regex>
- <order>srcip,action,extra_data</order>
-</decoder>
-
-<decoder name="barracuda-svf-admin-auth">
- <parent>barracuda-svf-admin</parent>
- <prematch>^[\S+] LOGIN|</prematch>
- <prematch>^[\S+] FAILED_LOGIN|</prematch>
- <prematch>^[\S+] LOGOUT</prematch>
- <regex offset="after_parent">^[(\S+)] (\S+) \((\S+)\)\p*$</regex>
- <order>srcip,action,user</order>
-</decoder>
-
-
-<!--
- - Decoder for Sysmon Event ID 1: Process Created
- - Maintained by Josh Brower, Josh@DefensiveDepth.com
- -
- - OSSEC to Sysmon Fields Mapping:
- - user = User
- - status = Image
- - url = Hash
- - extra_data = ParentImage
-
- - Examples:
- - 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 2:29 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log User: WIN-U93G48C7BOP\Administrator LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\Explorer.EXE ParentCommandLine: C:\Windows\Explorer.EXE
--->
-
-<decoder name="Sysmon-EventID#1">
-<type>windows</type>
-<prematch>INFORMATION\(1\)</prematch>
-<regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
-<order>status,user,url,data</order>
-</decoder>
-
-<!-- Squid access log decoder.
- - Will extract the srcip.
- - Author: Ahmet Ozturk
- - Examples:
- - 1140701044.525 1231 192.168.1.201 TCP_DENIED/400 1536
- GET ahmet - NONE/- text/html
- - 1140701230.827 781 192.168.1.210 TCP_DENIED/407 1785
- GET http://www.ossec.net oahmet NONE/- text/html
- -->
-<decoder name="squid-accesslog">
- <type>squid</type>
- <prematch>^\d+ \S+ </prematch>
- <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
- <order>srcip,action,id,url</order>
-</decoder>
-
-<!-- unbound
- - 2014-05-20T09:01:07.283219-04:00 arrakis unbound: [9405:0] notice: sendto failed: Can't assign requested address
- - 2014-07-14T14:00:02.814490-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 talkgadget.google.com. A IN
- - 2014-07-14T14:00:05.507848-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: 3 queries, 2 answers from cache, 1 recursions, 0 prefetch
- - 2014-07-14T14:00:05.507955-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
- - 2014-07-14T14:00:05.508075-04:00 arrakis unbound: [2541:0] info: average recursion processing time 0.038814 sec
- - 2014-07-14T14:00:05.508166-04:00 arrakis unbound: [2541:0] info: histogram of recursion processing times
- - 2014-07-14T14:00:05.508248-04:00 arrakis unbound: [2541:0] info: [25%]=0 median[50%]=0 [75%]=0
- - 2014-07-14T14:00:05.508333-04:00 arrakis unbound: [2541:0] info: lower(secs) upper(secs) recursions
- - 2014-07-14T14:00:05.508414-04:00 arrakis unbound: [2541:0] info: 0.032768 0.065536 1
- - 2014-07-14T15:05:07.520229-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 github.com. AAAA IN
--->
-
-
-<decoder name="unbound">
- <program_name>^unbound</program_name>
-</decoder>
-
-<decoder name="unbound-a">
- <parent>unbound</parent>
- <regex> info: (\S+) (\S+). A IN$| info: (\S+) (\S+) AAAA IN$</regex>
- <order>srcip,url</order>
-</decoder>
-
-<!-- OpenBSD doas -->
-<decoder name="doas">
- <program_name>^doas</program_name>
-</decoder>
-
-<decoder name="doas-user">
- <parent>doas</parent>
- <regex>^(\S+) ran| for (\S+):</regex>
- <order>srcuser</order>
-</decoder>
-
-<decoder name="doas-user">
- <parent>doas</parent>
- <regex offset="after_parent"> as (\S+): </regex>
- <order>dstuser</order>
-</decoder>
-
-<!-- Exim
- - Examples:
- - 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
- - 2017-01-24 05:22:29 dovecot_plain authenticator failed for (test) [::1]:39454: 535 Incorrect authentication data (set_id=test)
- - 2017-01-24 03:09:46 SMTP connection from [10.101.1.10]:55010 (TCP/IP connection count = 1)
- - 2017-01-24 02:53:13 SMTP connection from (hydra) [10.101.1.10]:53682 lost
- - 2017-01-24 05:36:23 SMTP call from (000000) [::1]:39480 dropped: too many syntax or protocol errors (last command was "123")
--->
-
-<decoder name="exim-authfailed">
- <parent>windows-date-format</parent>
- <prematch offset="after_parent">authenticator failed</prematch>
- <regex offset="after_prematch">[(\S+)]:\d+: \d+ Incorrect authentication data \(set_id=(\w+)\)</regex>
- <order>srcip,user</order>
-</decoder>
-
-<decoder name="exim-connect">
- <parent>windows-date-format</parent>
- <prematch offset="after_parent">^SMTP connection from </prematch>
- <regex offset="after_prematch">[(\S+)]:\d+ \(TCP/IP connection count</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="exim-disconnect">
- <parent>windows-date-format</parent>
- <prematch offset="after_parent">^SMTP connection from </prematch>
- <regex offset="after_prematch">[(\S+)]:\d+ lost</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="exim-syntax-errors">
- <parent>windows-date-format</parent>
- <prematch offset="after_parent">^SMTP call from </prematch>
- <regex offset="after_prematch">[(\S+)]:\d+ dropped: too many syntax or protocol errors</regex>
- <order>srcip</order>
-</decoder>
-
-<!-- NSD
- - Aug 11 13:21:46 ix nsd[16565]: server initialization failed, nsd could not be started
- - Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: syntax error
- - Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: unrecognized RR type 'name:'
- - Aug 12 09:01:00 junction.example.com nsd[7405]: NSTATS 1439384460 1439314258 A=1 AAAA=1
- - Aug 12 09:01:00 junction.example.com nsd[7405]: XSTATS 1439384460 1439314258 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAn
-s=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
- - Dec 16 12:51:17 pine nsd[90235]: xfrd: zone example.com received error code NOT IMPL from 192.168.17.9@153
--->
-
-<decoder name="nsd">
- <program_name>^nsd</program_name>
-</decoder>
-
-<decoder name="nsd-from">
- <parent>nsd</parent>
- <regex> from (\S+)@| from (\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<!-- ownCloud
- - Examples owncloud.log (Note that the syntax of failed login logs differs between oler and newer ownCloud versions):
- - {"reqId":"Jrd4fkwIcXhVjtP8qODR","level":2,"time":"2017-09-20T15:44:23+02:00","remoteAddr":"127.0.0.1","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')"}
- - {"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}
- - {"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}
- - {"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
- - {"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}
- - {"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
- - {"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}
- - {"reqId":"9f8edc5558b2b4f8628663d83a092a7f","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:19:02 - +00:00","method":"POST","url":"\/cloud\/index.php"}
- - {"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00"}
- - {"reqId":"5576a04643d8e","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:13:58+00:00","method":"POST","url":"\/owncloud\/index.php"}
- - {"app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:10:29+00:00"}
- - {"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:11:54+00:00","method":"POST","url":"\/owncloud\/index.php"}
- - {"reqId":"BaW6nfA5rHBoihjDtQVm","remoteAddr":"127.0.0.1","app":"core-preview","message":"Passed filename is not valid, might be malicious (file:\"test\";ip:\"127.0.0.1\")","level":2,"time":"2017-09-01T22:11:25+02:00","method":"POST","url":"\/login","user":"--"}
- - {"reqId":"4ETnKW0UyDBNmL4z\/umV","remoteAddr":"127.0.0.1","app":"PHP","message":"Redis::connect(): connect() failed: No such file or directory at \/var\/www\/owncloud\/lib\/private\/RedisFactory.php#60","level":3,"time":"2017-08-21T16:00:34+02:00","method":"PROPFIND","url":"\/remote.php\/dav\/addressbooks\/users\/admin\/example\/","user":"admin"}
- - {"reqId":"4j2DKpvOh0OezXVwfuLO","remoteAddr":"127.0.0.1","app":"PHP","message":"fopen(\/var\/www\/owncloud\/data\/user 1\/thumbnails\/1234\/32-32.png): failed to open stream: No such file or directory at \/var\/www\/owncloud\/lib\/private\/Files\/Storage\/Local.php#278","level":3,"time":"2017-07-15T23:59:20+02:00","method":"GET","url":"\/core\/preview.png?file=%2Fexample.txt&c=123&x=32&y=32&forceIcon=0","user":"user 1"}
-
- - Examples syslog:
- - Sep 1 20:16:09 foo ownCloud[15463]: {core} Login failed: 'test' (Remote IP: '127.0.0.1')
- - Sep 1 22:16:33 foo ownCloud[15467]: {core-preview} Passed filename is not valid, might be malicious (file:"test";ip:"127.0.0.1")
--->
-
-<decoder name="owncloud">
- <prematch>^{"reqId":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"app":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"reqId":"\S+","level":\d,"time":"\S+","message":"\.+"}$</prematch>
-</decoder>
-
-<!-- Note: This defaults to "ownCloud" but users can change the syslog tag: https://github.com/owncloud/core/blob/v10.0.2/config/config.sample.php#L608-L614 -->
-<decoder name="owncloud">
- <program_name>^ownCloud</program_name>
-</decoder>
-
-<decoder name="owncloud-failed1">
- <parent>owncloud</parent>
- <prematch>Login failed: user </prematch>
- <regex offset="after_prematch">^'(\w+)' , wrong password, IP:(\d+.\d+.\d+.\d+)</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="owncloud-failed2">
- <parent>owncloud</parent>
- <prematch>Login failed: </prematch>
- <regex offset="after_prematch">^'(\w+)' \(Remote IP: '(\d+.\d+.\d+.\d+)</regex>
- <order>user, srcip</order>
-</decoder>
-
-<decoder name="owncloud-malicious">
- <parent>owncloud</parent>
- <prematch>Passed filename is not valid, might be malicious </prematch>
- <regex offset="after_prematch">;ip:"(\d+.\d+.\d+.\d+)|;ip:\\"(\d+.\d+.\d+.\d+)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="owncloud-loglevel">
- <parent>owncloud</parent>
- <prematch>","level":</prematch>
- <regex offset="after_prematch">^(\d),"</regex>
- <order>status</order>
-</decoder>
-
-<!-- psad
- - Examples: (Note: IPv6 untested)
- - Sep 8 22:52:30 sni psad: scan detected (Nmap -sT or -sS scan): 212.83.152.232 -> 1.2.3.4 tcp: [21943] flags: SYN tcp pkts: 3 DL: 3
- - Sep 9 08:36:30 sni psad: src: 62.210.167.199 signature match: "BACKDOOR DoomJuice file upload attempt" (sid: 2375) tcp port: 3180
- - Sep 9 08:36:30 sni psad: scan detected (Masscan SYN scan): 62.210.167.199 -> 1.2.3.4 tcp: [3320-62210] flags: SYN tcp pkts: 10 DL: 3
- - Sep 3 14:18:52 sni psad: scan detected ( -sU scan): 192.168.1.42 -> 239.255.255.250 udp: [1900] udp pkts: 16 DL: 3
- - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "MISC Microsoft PPTP communication attempt" (sid: 100082) tcp port: 1723
- - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "DOS iParty DOS attempt" (sid: 1605) tcp port: 6004
- - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "DOS Real Audio Server communication attempt" (sid: 100112) tcp port: 7070
- - Sep 4 11:33:23 sni psad: src: 46.17.46.8 signature match: "BACKDOOR DoomJuice file upload attempt" (sid: 2375) tcp port: 3129
- - Aug 9 16:46:32 dsc psad: message repeated 2 times: [ scan detected (Nmap -sT or -sS scan): 10.1.0.15 -> 192.168.1.18 tcp: [80] flags: SYN tcp pkts: 3 DL: 3]example logs:
--->
-
-<decoder name="psad">
- <program_name>psad</program_name>
-</decoder>
-
-<decoder name="psad-scan">
- <parent>psad</parent>
- <prematch>^scan detected </prematch>
- <regex offset="after_prematch"> (\S+) -> (\S+) \.+ DL: (\d)</regex>
- <order>srcip,dstip,status</order>
-</decoder>
-
-<decoder name="psad-repeated">
- <parent>psad</parent>
- <prematch>^message repeated</prematch>
- <regex offset="after_prematch"> (\S+) -> (\S+) \.+ DL: (\d)</regex>
- <order>srcip,dstip,status</order>
-</decoder>
-
-<decoder name="psad-signature">
- <parent>psad</parent>
- <prematch>signature match: </prematch>
- <regex offset="after_parent">src: (\S+) signature match: \.+ port: (\d+)</regex>
- <order>srcip,dstport</order>
-</decoder>
-
-<!-- Proxmox Virtual Environment (Proxmox VE)
- - Examples syslog:
- - Sep 10 22:12:41 example pvedaemon[6427]: authentication failure; rhost=192.168.0.1 user=root@pam msg=Authentication failure
- - Sep 10 22:12:49 example pvedaemon[6428]: authentication failure; rhost=192.168.0.1 user=root@pve msg=no such user ('root@pve')
- - Sep 10 22:12:54 example pvedaemon[6428]: <root@pam> successful auth for user 'root@pam'
- - Sep 10 22:13:44 example pvedaemon[6427]: <root@pam> starting task UPID:example:00000000:11111111:22222222:vzstart:100:root@pam:
- - Sep 10 22:13:44 example pvedaemon[13735]: starting CT 100: UPID:example:00000000:11111111:22222222:vzstart:100:root@pam:
- - Sep 10 22:13:46 example pvedaemon[6427]: <root@pam> end task UPID:example:00000000:11111111:22222222:vzstart:100:root@pam: OK
- - Sep 10 22:13:47 example pvestatd[1892]: modified cpu set for lxc/100: 4
- - Sep 10 06:25:44 example pveproxy[15342]: received signal TERM
- - Sep 10 06:25:44 example pveproxy[15342]: server closing
- - Sep 10 06:25:44 example pveproxy[15345]: worker exit
- - Sep 10 06:25:44 example pveproxy[15344]: worker exit
- - Sep 10 06:25:44 example pveproxy[15343]: worker exit
- - Sep 10 06:25:44 example pveproxy[15342]: worker 15343 finished
- - Sep 10 06:25:44 example pveproxy[15342]: worker 15344 finished
- - Sep 10 06:25:44 example pveproxy[15342]: worker 15345 finished
- - Sep 10 06:25:44 example pveproxy[15342]: server stopped
- - Sep 10 06:25:45 example pveproxy[22375]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
- - Sep 10 06:25:45 example pveproxy[22413]: starting server
- - Sep 10 06:25:45 example pveproxy[22413]: starting 3 worker(s)
- - Sep 10 06:25:45 example pveproxy[22413]: worker 22414 started
- - Sep 10 06:25:45 example pveproxy[22413]: worker 22415 started
- - Sep 10 06:25:45 example pveproxy[22413]: worker 22416 started
- - Sep 10 06:25:47 example pvepw-logger[15428]: received terminate request (signal)
- - Sep 10 06:25:47 example pvepw-logger[15428]: stopping pvefw logger
- - Sep 10 06:25:48 example pvepw-logger[22551]: starting pvefw logger
--->
-
-<decoder name="pvedaemon">
- <program_name>^pvedaemon</program_name>
-</decoder>
-
-<decoder name="pvestatd">
- <program_name>^pvestatd</program_name>
-</decoder>
-
-<decoder name="pveproxy">
- <program_name>^pveproxy</program_name>
-</decoder>
-
-<decoder name="pvepw-logger">
- <program_name>^pvepw-logger</program_name>
-</decoder>
-
-<decoder name="pvedaemon-auth-failed">
- <parent>pvedaemon</parent>
- <prematch>authentication failure; </prematch>
- <regex offset="after_prematch">^rhost=(\S+) user=(\S+)@pam msg=|^rhost=(\S+) user=(\S+)@pve msg=</regex>
- <order>srcip, user</order>
-</decoder>
-
-<decoder name="pvedaemon-auth-success">
- <parent>pvedaemon</parent>
- <prematch>successful auth for user '</prematch>
- <regex offset="after_prematch">^(\S+)@pam'$|^(\S+)@pve'$</regex>
- <order>user</order>
-</decoder>
-
-<decoder name="dhcpd">
- <program_name>^dhcpd$</program_name>
-</decoder>
-
-<decoder name="dhcpd-data">
- <parent>dhcpd</parent>
- <regex offset="after_parent">^(\S+) \S+ (\S+) \S+ (\S+) via (\S+)$</regex>
- <order>action, srcip, extra_data, extra_data</order>
-</decoder>
-
-<decoder name="dhcpd-ack">
- <parent>dhcpd</parent>
- <prematch> acking </prematch>
- <regex offset="after_parent">already acking lease (\S+)</regex>
- <order>srcip</order>
-</decoder>
-
-<decoder name="dhcpd-release">
- <parent>dhcpd</parent>
- <prematch>^IP address</prematch>
- <regex offset="after_parent">^IP address (\S+) </regex>
- <order>srcip</order>
-</decoder>
-
-<!-- OpenBSD httpd -->
-<decoder name="openbsd-httpd">
- <prematch> [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "</prematch>
- <regex>^(\S+) (\S+) \S+ \S+ [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "(\S+) (\S+) HTTP/\d.\d" (\d+) \d$</regex>
- <order>url, srcip, protocol, url, status</order>
- <type>web-log</type>
-</decoder>
-
-<!-- dnsmasq -->
-<decoder name="dnsmasq">
- <!--<program_name>^dnsmasq</program_name>-->
- <prematch>^dnsmasq</prematch>
-</decoder>
-
-<decoder name="dnsmasq2">
- <parent>dnsmasq</parent>
- <regex offset="after_parent">^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) to (\S+)|</regex>
- <regex>^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) from (\S+)|</regex>
- <regex>^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) is (\S+)</regex>
- <order>srcip, action, url, extra_data</order>
-</decoder>
-
-<!-- Kaspersky Endpoint Security 10 for Linux -->
-<!-- Kesl example Logs -->
-<!-- Nov 5 00:11:21 hostname kesl: {"EventType": "AVBasesAreTotallyOutOfDate","EventId": "27336","TaskName": "Update","TaskId": "6","AVBasesDate": "2018-10-17 09:49:00"} -->
-<!-- Oct 25 13:11:21 hostname kesl: {"EventType": "AVBasesAreOutOfDate","EventId": "27311","TaskName": "Update","TaskId": "6","AVBasesDate": "2018-10-17 09:49:00"} -->
-<!-- Nov 10 13:19:27 hostname kesl: {"EventType": "UpdateError","EventId": "27381","TaskType": "Update","TaskName": "Update","TaskId": "6","RuntimeTaskId": "120"} -->
-<!-- Nov 10 13:22:09 hostname kesl: {"EventType": "ThreatDetected","EventId": "27384","DetectName": "EICAR-Test-File","DetectType": "Virware","DetectCertainty": "Sure","DetectSource": "Local","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "20","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "root","AccessUserId": "0","FileOwner": "root","FileOwnerId": "0"} -->
-<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectSavedToBackup","EventId": "27448","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
-<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectNotDisinfected","EventId": "27449","ObjectNotDisinfectedReason": "NonCurable","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
-<!-- Nov 14 13:50:01 hostname kesl: {"EventType": "ObjectDeleted","EventId": "27450","FileName": "/home/userlogin/eicar.com","ObjectName": "File","TaskId": "1","RuntimeTaskId": "126","TaskName": "File_Monitoring","TaskType": "OAS","AccessUser": "userlogin","AccessUserId": "1000","FileOwner": "root","FileOwnerId": "0"} -->
-<!-- Nov 14 12:44:04 hostname kesl: {"EventType": "TaskStateChanged","EventId": "27438","TaskName": "Update","TaskType": "Update","TaskId": "6","TaskState": "Starting","PrevTaskState": "Stopped","TaskRequestInitiator": "User","RuntimeTaskId": "127"} -->
-<!-- Nov 14 12:44:04 hostname kesl: {"EventType": "TaskStateChanged","EventId": "27439","TaskName": "Update","TaskType": "Update","TaskId": "6","TaskState": "Started","PrevTaskState": "Starting","TaskRequestInitiator": "User","RuntimeTaskId": "127"} -->
-
-<decoder name="kesl">
- <program_name>^kesl</program_name>
-</decoder>
-
-<decoder name="kesl-avbases-old">
- <parent>kesl</parent>
- <prematch>^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\p</prematch>
- <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\p\p</regex>
- <order>status, id, action, extra_data</order>
-</decoder>
-
-<decoder name="kesl-threat-detected">
- <parent>kesl</parent>
- <prematch>^\p\pEventType\p: \p\S+\p,\pEventID\p: \p\d+\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p\S+\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \p\S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p</prematch>
- <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventID\p: \p(\d+)\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p(\S+)\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p</regex>
- <order>status, id, extra_data, action</order>
-</decoder>
-
-<decoder name="kesl-taskstatechange">
- <parent>kesl</parent>
- <prematch>^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p\S+\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p\S+\p,\pRuntimeTaskId\p: \p\d+\p\p</prematch>
- <regex offset="after_parent">^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p(\S+)\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p(\S+)\p,\pRuntimeTaskId\p: \p\d+\p\p</regex>
- <order>action, id, extra_data, status, srcuser</order>
-</decoder>
-
-<!-- MHN - Json log decoder - Dionaea -->
-<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
-<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-09-14T11:02:54.215411", "dionaea_action": "reject", "type": "dionaea.connections", "app": "dionaea", "src_ip": "16.10.10.10", "vendor_product": "Dionaea", "dest_port": 365, "signature": "Connection to Honeypot", "src_port": 45302, "dest_ip": "16.10.10.11", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "transport": "tcp", "severity": "high"} -->
-<decoder name="dionaea">
- <prematch>dionaea.connections</prematch>
- <regex>^{\pdirection\p: \p(\S+)\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\.\d+\p, \pdionaea_action\p: \p(\S+)\p, \ptype\p: \pdionaea.connections\p, \papp\p: \pdionaea\p, \psrc_ip\p: "(\S+)", \pvendor_product\p: \pDionaea\p, \pdest_port\p: (\d+), \psignature\p: \p\.+\p, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
- <order>extra_data, protocol, action, srcip, dstport, srcport, dstip</order>
-</decoder>
-
-<!-- MHN - Json log decoder - Cowrie -->
-<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
-<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "ssh_username": "admin", "app": "cowrie", "transport": "tcp", "dest_port": 22, "src_port": 45302, "severity": "high", "timestamp": "2018-10-23T11:22:36.597864", "vendor_product": "Cowrie", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "src_ip": "16.10.10.10", "ssh_password": "password", "signature": "SSH login attempted on cowrie honeypot", "ssh_version": "'SSH-2.0-Sun_SSH_1.1.4'", "type": "cowrie.sessions", "dest_ip": "16.10.10.11"} -->
-<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-10-23T07:45:56.937787", "vendor_product": "Cowrie", "type": "cowrie.sessions", "app": "cowrie", "src_ip": "16.10.10.10", "dest_port": 22, "signature": "SSH session on cowrie honeypot", "ssh_version": "'SSH-2.0-Sun_SSH_1.1.4'", "src_port": 45302, "dest_ip": "16.10.10.11", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "transport": "tcp", "severity": "high"} -->
-<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-11-14T10:32:38.686578", "app": "cowrie", "transport": "tcp", "dest_port": 22, "src_port": 45302, "severity": "high", "vendor_product": "Cowrie", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "src_ip": "16.10.10.10", "command": "whoami", "signature": "command attempted on cowrie honeypot", "ssh_version": "'SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4'", "type": "cowrie.sessions", "dest_ip": "16.10.10.11"} -->
-
-<decoder name="cowrie">
- <prematch>cowrie.sessions</prematch>
-</decoder>
-
-<decoder name="cowrie-attempt">
- <parent>cowrie</parent>
- <prematch>"SSH login attempted</prematch>
- <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \pssh_username\p: \p(\S+)\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pssh_password\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
- <order>protocol, extra_data, user, dstport, srcport, srcip, action, dstip</order>
-</decoder>
-
-<decoder name="cowrie-session">
- <parent>cowrie</parent>
- <prematch>"SSH session on cowrie honeypot</prematch>
- <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \ptype\p: \pcowrie.sessions\p, \papp\p: \pcowrie\p, \psrc_ip\p: "(\S+)", \pdest_port\p: (\d+), \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
- <order>protocol, extra_data, srcip, dstport, action, srcport, dstip</order>
-</decoder>
-
-<decoder name="cowrie-command">
- <parent>cowrie</parent>
- <prematch>"command attempted on cowrie honeypot</prematch>
- <regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pcommand\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
- <order>protocol, extra_data, dstport, srcport, srcip, action, dstip</order>
-</decoder>
-
-<!-- EOF -->
+++ /dev/null
-# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
-#
-# DO NOT TOUCH THIS FILE. The default configuration
-# is at ossec.conf. More information at:
-# http://www.ossec.net/en/manual.html
-#
-# This file should be handled with care. It contain
-# run time modifications that can affect the use
-# of ossec. Only change it if you know what you
-# are doing. Again, look first at ossec.conf
-# for most of the things you want to change.
-
-
-# Analysisd default rule timeframe.
-analysisd.default_timeframe=360
-# Analysisd stats maximum diff.
-analysisd.stats_maxdiff=999000
-# Analysisd stats minimum diff.
-analysisd.stats_mindiff=1250
-# Analysisd stats percentage (how much to differ from average)
-analysisd.stats_percent_diff=150
-# Analysisd FTS list size.
-analysisd.fts_list_size=32
-# Analysisd FTS minimum string size.
-analysisd.fts_min_size_for_str=14
-# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
-# 1 to enable, 0 to disable.
-analysisd.log_fw=1
-# Maximum number of fields in a decoder (order tag)
-analysisd.decoder_order_size=10
-
-
-# Output GeoIP data at JSON alerts
-analysisd.geoip_jsonout=0
-
-# Logcollector file loop timeout (check every 2 seconds for file changes)
-logcollector.loop_timeout=2
-
-# Logcollector number of attempts to open a log file.
-logcollector.open_attempts=8
-
-# Logcollector - If it should accept remote commands from the manager
-logcollector.remote_commands=0
-
-
-
-# Remoted counter io flush.
-remoted.recv_counter_flush=128
-
-# Remoted compression averages printout.
-remoted.comp_average_printout=19999
-
-# Verify msg id (set to 0 to disable it)
-remoted.verify_msg_id=1
-
-# Don't exit when client.keys empty
-remoted.pass_empty_keyfile=0
-
-# Maild strict checking (0=disabled, 1=enabled)
-maild.strict_checking=1
-
-# Maild grouping (0=disabled, 1=enabled)
-# Groups alerts within the same e-mail.
-maild.groupping=1
-
-# Maild full subject (0=disabled, 1=enabled)
-maild.full_subject=0
-
-# Maild display GeoIP data (0=disabled, 1=enabled)
-maild.geoip=1
-
-
-# Monitord day_wait. Amount of seconds to wait before compressing/signing
-# the files.
-monitord.day_wait=10
-
-# Monitord compress. (0=do not compress, 1=compress)
-monitord.compress=1
-
-# Monitord sign. (0=do not sign, 1=sign)
-monitord.sign=1
-
-# Monitord monitor_agents. (0=do not monitor, 1=monitor)
-monitord.monitor_agents=1
-
-# Monitord notify_time. Frequency of which the clients' availability needs
-# to be checked. (60-3600)
-monitord.notify_time=600
-
-# Syscheck checking/usage speed. To avoid large cpu/memory
-# usage, you can specify how much to sleep after generating
-# the checksum of X files. The default is to sleep 2 seconds
-# after reading 15 files.
-syscheck.sleep=2
-syscheck.sleep_after=15
-
-# Rootcheck checking/usage speed. Rootcheck will pause for this
-# duration after scanning a PID or port.
-rootcheck.sleep=2
-
-
-# Database - maximum number of reconnect attempts
-dbd.reconnect_attempts=10
-
-
-# Debug options.
-# Debug 0 -> no debug
-# Debug 1 -> first level of debug
-# Debug 2 -> full debugging
-
-# Windows debug (used by the windows agent)
-windows.debug=0
-
-# Syscheck (local, server and unix agent)
-syscheck.debug=0
-
-# Remoted (server debug)
-remoted.debug=0
-
-# Analysisd (server or local)
-analysisd.debug=0
-
-# Log collector (server, local or unix agent)
-logcollector.debug=0
-
-# Unix agentd
-agent.debug=0
-
-
-# EOF
+++ /dev/null
-<!-- OSSEC example config -->
-
-<ossec_config>
- <client>
- <server-ip>192.168.10.100</server-ip>
- </client>
-
- <syscheck>
- <!-- Frequency that syscheck is executed (default every 2 hours) -->
- <frequency>7200</frequency>
-
- <!-- Directories to check (perform all possible verifications) -->
- <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
- <directories check_all="yes">/bin,/sbin,/boot</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/random.seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
-
- <!-- Check the file, but never compute the diff -->
- <nodiff>/etc/ssl/private.key</nodiff>
- </syscheck>
-
- <rootcheck>
- <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
- </rootcheck>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/messages</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/authlog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/secure</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/xferlog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/maillog</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/www/logs/access_log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/www/logs/error_log</location>
- </localfile>
-</ossec_config>
+++ /dev/null
-<!-- OSSEC example config -->
-
-<ossec_config>
- <global>
- <email_notification>yes</email_notification>
- <email_to>daniel.cid@example.com</email_to>
- <smtp_server>smtp.example.com.</smtp_server>
- <email_from>ossecm@ossec.example.com.</email_from>
- </global>
-
- <rules>
- <include>rules_config.xml</include>
- <include>pam_rules.xml</include>
- <include>sshd_rules.xml</include>
- <include>telnetd_rules.xml</include>
- <include>syslog_rules.xml</include>
- <include>arpwatch_rules.xml</include>
- <include>symantec-av_rules.xml</include>
- <include>symantec-ws_rules.xml</include>
- <include>pix_rules.xml</include>
- <include>named_rules.xml</include>
- <include>smbd_rules.xml</include>
- <include>vsftpd_rules.xml</include>
- <include>pure-ftpd_rules.xml</include>
- <include>proftpd_rules.xml</include>
- <include>ms_ftpd_rules.xml</include>
- <include>ftpd_rules.xml</include>
- <include>hordeimp_rules.xml</include>
- <include>roundcube_rules.xml</include>
- <include>wordpress_rules.xml</include>
- <include>cimserver_rules.xml</include>
- <include>vpopmail_rules.xml</include>
- <include>vmpop3d_rules.xml</include>
- <include>courier_rules.xml</include>
- <include>web_rules.xml</include>
- <include>web_appsec_rules.xml</include>
- <include>apache_rules.xml</include>
- <include>nginx_rules.xml</include>
- <include>php_rules.xml</include>
- <include>mysql_rules.xml</include>
- <include>postgresql_rules.xml</include>
- <include>ids_rules.xml</include>
- <include>squid_rules.xml</include>
- <include>firewall_rules.xml</include>
- <include>apparmor_rules.xml</include>
- <include>cisco-ios_rules.xml</include>
- <include>netscreenfw_rules.xml</include>
- <include>sonicwall_rules.xml</include>
- <include>postfix_rules.xml</include>
- <include>sendmail_rules.xml</include>
- <include>imapd_rules.xml</include>
- <include>mailscanner_rules.xml</include>
- <include>dovecot_rules.xml</include>
- <include>ms-exchange_rules.xml</include>
- <include>racoon_rules.xml</include>
- <include>vpn_concentrator_rules.xml</include>
- <include>spamd_rules.xml</include>
- <include>msauth_rules.xml</include>
- <include>mcafee_av_rules.xml</include>
- <include>trend-osce_rules.xml</include>
- <include>ms-se_rules.xml</include>
- <!-- <include>policy_rules.xml</include> -->
- <include>zeus_rules.xml</include>
- <include>solaris_bsm_rules.xml</include>
- <include>vmware_rules.xml</include>
- <include>ms_dhcp_rules.xml</include>
- <include>asterisk_rules.xml</include>
- <include>ossec_rules.xml</include>
- <include>attack_rules.xml</include>
- <include>systemd_rules.xml</include>
- <include>firewalld_rules.xml</include>
- <include>dropbear_rules.xml</include>
- <include>unbound_rules.xml</include>
- <include>sysmon_rules.xml</include>
- <include>opensmtpd_rules.xml</include>
- <include>exim_rules.xml</include>
- <include>openbsd-dhcpd_rules.xml</include>
- <include>dnsmasq_rules.xml</include>
- <include>local_rules.xml</include>
- </rules>
-
- <syscheck>
- <!-- Frequency that syscheck is executed -- default every 20 hours -->
- <frequency>17200</frequency>
-
- <!-- Directories to check (perform all possible verifications) -->
- <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
- <directories check_all="yes">/bin,/sbin,/boot</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/random.seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
-
- <!-- Check the file, but never compute the diff -->
- <nodiff>/etc/ssl/private.key</nodiff>
- </syscheck>
-
- <rootcheck>
- <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
- </rootcheck>
-
- <global>
- <white_list>127.0.0.1</white_list>
- <white_list>192.168.2.1</white_list>
- <white_list>192.168.2.190</white_list>
- <white_list>192.168.2.32</white_list>
- <white_list>192.168.2.10</white_list>
- </global>
-
- <alerts>
- <log_alert_level>1</log_alert_level>
- <email_alert_level>7</email_alert_level>
- </alerts>
-
- <command>
- <name>host-deny</name>
- <executable>host-deny.sh</executable>
- <expect>srcip</expect>
- <timeout_allowed>yes</timeout_allowed>
- </command>
-
- <command>
- <name>firewall-drop</name>
- <executable>firewall-drop.sh</executable>
- <expect>srcip</expect>
- <timeout_allowed>yes</timeout_allowed>
- </command>
-
- <command>
- <name>disable-account</name>
- <executable>disable-account.sh</executable>
- <expect>user</expect>
- <timeout_allowed>yes</timeout_allowed>
- </command>
-
-
- <!-- Active Response Config -->
- <active-response>
- <!-- This response is going to execute the host-deny
- - command for every event that fires a rule with
- - level (severity) >= 6.
- - The IP is going to be blocked for 600 seconds.
- -->
- <command>host-deny</command>
- <location>local</location>
- <level>7</level>
- <timeout>600</timeout>
- </active-response>
-
- <active-response>
- <!-- Firewall Drop response. Block the IP for
- - 600 seconds on the firewall (iptables,
- - ipfilter, etc).
- -->
- <command>firewall-drop</command>
- <location>local</location>
- <level>7</level>
- <timeout>600</timeout>
- </active-response>
-
- <!-- Files to monitor (localfiles) -->
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/messages</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/authlog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/secure</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/xferlog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/maillog</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/www/logs/access_log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/www/logs/error_log</location>
- </localfile>
-</ossec_config>
+++ /dev/null
-<!-- OSSEC example config -->
-
-<ossec_config>
- <global>
- <email_notification>yes</email_notification>
- <email_to>daniel.cid@example.com</email_to>
- <smtp_server>smtp.example.com.</smtp_server>
- <email_from>ossecm@ossec.example.com.</email_from>
- </global>
-
- <rules>
- <include>rules_config.xml</include>
- <include>pam_rules.xml</include>
- <include>sshd_rules.xml</include>
- <include>telnetd_rules.xml</include>
- <include>syslog_rules.xml</include>
- <include>arpwatch_rules.xml</include>
- <include>symantec-av_rules.xml</include>
- <include>symantec-ws_rules.xml</include>
- <include>pix_rules.xml</include>
- <include>named_rules.xml</include>
- <include>smbd_rules.xml</include>
- <include>vsftpd_rules.xml</include>
- <include>pure-ftpd_rules.xml</include>
- <include>proftpd_rules.xml</include>
- <include>ms_ftpd_rules.xml</include>
- <include>ftpd_rules.xml</include>
- <include>hordeimp_rules.xml</include>
- <include>roundcube_rules.xml</include>
- <include>wordpress_rules.xml</include>
- <include>cimserver_rules.xml</include>
- <include>vpopmail_rules.xml</include>
- <include>vmpop3d_rules.xml</include>
- <include>courier_rules.xml</include>
- <include>web_rules.xml</include>
- <include>web_appsec_rules.xml</include>
- <include>apache_rules.xml</include>
- <include>nginx_rules.xml</include>
- <include>php_rules.xml</include>
- <include>mysql_rules.xml</include>
- <include>postgresql_rules.xml</include>
- <include>ids_rules.xml</include>
- <include>squid_rules.xml</include>
- <include>firewall_rules.xml</include>
- <include>apparmor_rules.xml</include>
- <include>cisco-ios_rules.xml</include>
- <include>netscreenfw_rules.xml</include>
- <include>sonicwall_rules.xml</include>
- <include>postfix_rules.xml</include>
- <include>sendmail_rules.xml</include>
- <include>imapd_rules.xml</include>
- <include>mailscanner_rules.xml</include>
- <include>dovecot_rules.xml</include>
- <include>ms-exchange_rules.xml</include>
- <include>racoon_rules.xml</include>
- <include>vpn_concentrator_rules.xml</include>
- <include>spamd_rules.xml</include>
- <include>msauth_rules.xml</include>
- <include>mcafee_av_rules.xml</include>
- <include>trend-osce_rules.xml</include>
- <include>ms-se_rules.xml</include>
- <!-- <include>policy_rules.xml</include> -->
- <include>zeus_rules.xml</include>
- <include>solaris_bsm_rules.xml</include>
- <include>vmware_rules.xml</include>
- <include>ms_dhcp_rules.xml</include>
- <include>asterisk_rules.xml</include>
- <include>ossec_rules.xml</include>
- <include>attack_rules.xml</include>
- <include>dropbear_rules.xml</include>
- <include>unbound_rules.xml</include>
- <include>sysmon_rules.xml</include>
- <include>opensmtpd_rules.xml</include>
- <include>exim_rules.xml</include>
- <include>openbsd-dhcpd_rules.xml</include>
- <include>dnsmasq_rules.xml</include>
- <include>local_rules.xml</include>
- </rules>
-
-
- <syscheck>
- <!-- Frequency that syscheck is executed -- default every 20 hours -->
- <frequency>72000</frequency>
-
- <!-- Directories to check (perform all possible verifications) -->
- <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
- <directories check_all="yes">/bin,/sbin,/boot</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/random.seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
-
- <!-- Check the file, but never compute the diff -->
- <nodiff>/etc/ssl/private.key</nodiff>
- </syscheck>
-
- <rootcheck>
- <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
- </rootcheck>
-
- <global>
- <white_list>127.0.0.1</white_list>
- <white_list>::1</white_list>
- <white_list>192.168.2.1</white_list>
- <white_list>192.168.2.190</white_list>
- <white_list>192.168.2.32</white_list>
- <white_list>192.168.2.10</white_list>
- </global>
-
- <remote>
- <connection>secure</connection>
- </remote>
-
- <alerts>
- <log_alert_level>1</log_alert_level>
- <email_alert_level>7</email_alert_level>
- </alerts>
-
- <command>
- <name>host-deny</name>
- <executable>host-deny.sh</executable>
- <expect>srcip</expect>
- <timeout_allowed>yes</timeout_allowed>
- </command>
-
- <command>
- <name>firewall-drop</name>
- <executable>firewall-drop.sh</executable>
- <expect>srcip</expect>
- <timeout_allowed>yes</timeout_allowed>
- </command>
-
- <command>
- <name>disable-account</name>
- <executable>disable-account.sh</executable>
- <expect>user</expect>
- <timeout_allowed>yes</timeout_allowed>
- </command>
-
-
- <!-- Active Response Config -->
- <active-response>
- <!-- This response is going to execute the host-deny
- - command for every event that fires a rule with
- - level (severity) >= 6.
- - The IP is going to be blocked for 600 seconds.
- -->
- <command>host-deny</command>
- <location>local</location>
- <level>7</level>
- <timeout>600</timeout>
- </active-response>
-
- <active-response>
- <!-- Firewall Drop response. Block the IP for
- - 600 seconds on the firewall (iptables,
- - ipfilter, etc).
- -->
- <command>firewall-drop</command>
- <location>local</location>
- <level>7</level>
- <timeout>600</timeout>
- </active-response>
-
- <!-- Files to monitor (localfiles) -->
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/messages</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/authlog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/secure</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/xferlog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/maillog</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/www/logs/access_log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/www/logs/error_log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/exim_mainlog</location>
- </localfile>
-
-</ossec_config>
+++ /dev/null
-<ossec_config>
- <global>
- <email_notification>yes</email_notification>
- <email_to>root@localhost</email_to>
- <smtp_server>127.0.0.1</smtp_server>
- <email_from>ossecm@localhost</email_from>
- </global>
-
- <rules>
- <include>rules_config.xml</include>
- <include>pam_rules.xml</include>
- <include>sshd_rules.xml</include>
- <include>telnetd_rules.xml</include>
- <include>syslog_rules.xml</include>
- <include>arpwatch_rules.xml</include>
- <include>symantec-av_rules.xml</include>
- <include>symantec-ws_rules.xml</include>
- <include>pix_rules.xml</include>
- <include>named_rules.xml</include>
- <include>smbd_rules.xml</include>
- <include>vsftpd_rules.xml</include>
- <include>pure-ftpd_rules.xml</include>
- <include>proftpd_rules.xml</include>
- <include>ms_ftpd_rules.xml</include>
- <include>ftpd_rules.xml</include>
- <include>hordeimp_rules.xml</include>
- <include>roundcube_rules.xml</include>
- <include>wordpress_rules.xml</include>
- <include>vpopmail_rules.xml</include>
- <include>vmpop3d_rules.xml</include>
- <include>courier_rules.xml</include>
- <include>web_rules.xml</include>
- <include>apache_rules.xml</include>
- <include>nginx_rules.xml</include>
- <include>php_rules.xml</include>
- <include>mysql_rules.xml</include>
- <include>postgresql_rules.xml</include>
- <include>ids_rules.xml</include>
- <include>squid_rules.xml</include>
- <include>firewall_rules.xml</include>
- <include>cisco-ios_rules.xml</include>
- <include>netscreenfw_rules.xml</include>
- <include>sonicwall_rules.xml</include>
- <include>postfix_rules.xml</include>
- <include>sendmail_rules.xml</include>
- <include>imapd_rules.xml</include>
- <include>mailscanner_rules.xml</include>
- <include>dovecot_rules.xml</include>
- <include>ms-exchange_rules.xml</include>
- <include>racoon_rules.xml</include>
- <include>vpn_concentrator_rules.xml</include>
- <include>spamd_rules.xml</include>
- <include>msauth_rules.xml</include>
- <include>mcafee_av_rules.xml</include>
- <include>trend-osce_rules.xml</include>
- <!-- <include>policy_rules.xml</include> -->
- <include>zeus_rules.xml</include>
- <include>solaris_bsm_rules.xml</include>
- <include>vmware_rules.xml</include>
- <include>ms_dhcp_rules.xml</include>
- <include>asterisk_rules.xml</include>
- <include>ossec_rules.xml</include>
- <include>attack_rules.xml</include>
- <include>local_rules.xml</include>
- </rules>
-
- <syscheck>
- <!-- Frequency that syscheck is executed - default to every 22 hours -->
- <frequency>79200</frequency>
-
- <!-- Directories to check (perform all possible verifications) -->
- <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
- <directories check_all="yes">/bin,/sbin</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/mnttab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
- <ignore>/etc/utmpx</ignore>
- <ignore>/etc/wtmpx</ignore>
- <ignore>/etc/cups/certs</ignore>
- <ignore>/etc/dumpdates</ignore>
- <ignore>/etc/svc/volatile</ignore>
- </syscheck>
-
- <rootcheck>
- <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
- <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
- <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
- <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
- <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
- </rootcheck>
-
- <active-response>
- <disabled>yes</disabled>
- </active-response>
-
- <alerts>
- <log_alert_level>1</log_alert_level>
- <email_alert_level>7</email_alert_level>
- </alerts>
- <!-- Files to monitor (localfiles) -->
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/messages</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/auth.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/syslog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/xferlog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/vsftpd.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/mail.info</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/mail.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/dpkg.log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/log/apache2/error.log</location>
- </localfile>
-
- <localfile>
- <log_format>apache</log_format>
- <location>/var/log/apache2/access.log</location>
- </localfile>
-</ossec_config>
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# Hardening Checks for Microsoft Office 2016
-# Based on Australian Cyper Security Centre Hardening Microsoft Office Guide - May 2018 (https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf)
-#
-#
-#7 Ensure Attack Surface Reduction is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7 Ensure Attack Surface Reduction is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> !ExploitGuard_ASR_Rules;
-#
-#
-#7a Ensure 'Block executable content from email client and webmail' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7a Ensure 'Block executable content from email client and webmail' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550;
-#
-#
-#7b Ensure 'block Office applications from creating child processes' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7b Ensure 'block Office applications from creating child processes' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D4F940AB-401B-4EFC-AADC-AD5F3C50688A;
-#
-#
-#7c Ensure 'block Office applications from creating executable content' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7c Ensure 'block Office applications from creating executable content' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !3B576869-A4EC-4529-8536-B80A7769E899;
-#
-#
-#7d Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7d Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84;
-#
-#
-#7e Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7e Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D3E037E1-3EB8-44C8-A917-57927947596D;
-#
-#
-#7f Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7f Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !5BEB7EFE-FD9A-4556-801D-275E5FFC04CC;
-#
-#
-#7g Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 7g Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B;
-#
-#
-#17 Ensure 'Disable All Active X' is set to 'Enabled'
-[ACSC - Microsoft Office 2016 - 17 Ensure 'Disable All Active X' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> !disableallactivex;
-#
-#
-#19a Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Excel
-[ACSC - Microsoft Office 2016 - 19a Ensure'Block all unmanaged add-ins' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> !restricttolist;
-#
-#
-#19b Ensure 'List of managed add-ins' is set to 'Enabled' for Excel
-[ACSC - Microsoft Office 2016 - 19b Ensure 'List of managed add-ins' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> !policyon;
-#
-#
-#19c Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Excel
-[ACSC - Microsoft Office 2016 - 19c Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> !restricttolist;
-#
-#
-#19d Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint
-[ACSC - Microsoft Office 2016 - 19d Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> !policyon;
-#
-#
-#19e Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Word
-[ACSC - Microsoft Office 2016 - 19e Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> !restricttolist;
-#
-#
-#19f Ensure 'List of managed add-ins' is set to 'Enabled' for Word
-[ACSC - Microsoft Office 2016 - 19f Ensure 'List of managed add-ins' is set to 'Enabled' for Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> !policyon;
-#
-#
-#21 Ensure if Extension Hardening functionality in Microsoft Excel is enabled
-[ACSC - Microsoft Office 2016 - 21 Ensure if Extension Hardening functionality in Microsoft Excel is enabled] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> !extensionhardening;
-#
-#
-#23a Ensure dBase III / IV files are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23a Ensure dBase III / IV files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !dbasefiles;
-#
-#
-#23b Ensure Dif and Sylk files are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23b Ensure Dif and Sylk files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !difandsylkfiles;
-#
-#
-#23c Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23c Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl2macros;
-#
-#
-#23d Ensure Excel 2 worksheets are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23d Ensure Excel 2 worksheets are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl2worksheets;
-#
-#
-#23e Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23e Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl3macros;
-#
-#
-#23f Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23f Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl3worksheets;
-#
-#
-#23g Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Escel
-[ACSC - Microsoft Office 2016 - 23g Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4macros;
-#
-#
-#23h Ensure Excel 4 workbooks are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23h Ensure Excel 4 workbooks are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4workbooks;
-#
-#
-#23i Ensure Excel 4 worksheets are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23i Ensure Excel 4 worksheets are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4worksheets;
-#
-#
-#23j Ensure Excel 95 workbooks are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23j Ensure Excel 95 workbooks are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl95workbooks;
-#
-#
-#23k Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23k Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl9597workbooksandtemplates;
-#
-#
-#23l Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel
-[ACSC - Microsoft Office 2016 - l Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !openinprotectedview;
-#
-#
-#23m Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 23m Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !htmlandxmlssfiles;
-#
-#
-#23n Ensure PowerPoint beta converters are blocked in Microsoft PowerPoint
-[ACSC - Microsoft Office 2016 - 23n Ensure PowerPoint beta converters are blocked in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> !powerpoint12betafilesfromconverters;
-#
-#
-#23o Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint
-[ACSC - Microsoft Office 2016 - 23o Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> !openinprotectedview;
-#
-#
-#23p Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word
-[ACSC - Microsoft Office 2016 - 23p Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !openinprotectedview;
-#
-#
-#23q Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word
-[ACSC - Microsoft Office 2016 - 23q Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> !2;
-#
-#
-#23r Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word
-[ACSC - Microsoft Office 2016 - 23r Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word60files;
-#
-#
-#23s Ensure Word 95 binary documents and templates are blocked in Microsoft Word
-[ACSC - Microsoft Office 2016 - 23s Ensure Word 95 binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word95files;
-#
-#
-#23t Ensure Word 97 binary documents and templates are blocked in Microsoft Word
-[ACSC - Microsoft Office 2016 - 23t Ensure Word 97 binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> !2;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word97files;
-#
-#
-#25a Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint
-[ACSC - Microsoft Office 2016 - 25a Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> !markupopensave;
-#
-#
-#25b Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word
-[ACSC - Microsoft Office 2016 - 25b Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> !showmarkupopensave;
-#
-#
-#27a Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office
-[ACSC - Microsoft Office 2016 - 27a Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> !disablereporting;
-#
-#
-#27b Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 27b Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> !enableonload;
-#
-#
-#27c Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint
-[ACSC - Microsoft Office 2016 - 27c Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> !enableonload;
-#
-#
-#27d Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word
-[ACSC - Microsoft Office 2016 - 27d Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> !enableonload;
-#
-#
-#29a Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 29a Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableinternetfilesinpv;
-#
-#
-#29b Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 29b Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableunsafelocationsinpv;
-#
-#
-#29c Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 29c Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> !openinprotectedview;
-#
-#
-#29d Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 29d Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableattachmentsinpv;
-#
-#
-#29e Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint
-[ACSC - Microsoft Office 2016 - 29e Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableinternetfilesinpv;
-#
-#
-#29f Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint
-[ACSC - Microsoft Office 2016 - 29f Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableunsafelocationsinpv;
-#
-#
-#29g Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint
-[ACSC - Microsoft Office 2016 - 29g Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> !openinprotectedview;
-#
-#
-#29h Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint
-[ACSC - Microsoft Office 2016 - 29h Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableattachmentsinpv;
-#
-#
-#29i Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word
-[ACSC - Microsoft Office 2016 - 29i Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv;
-#
-#
-#29j Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word
-[ACSC - Microsoft Office 2016 - 29j Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> !disableunsafelocationsinpv;
-#
-#
-#29k Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word
-[ACSC - Microsoft Office 2016 - 29k Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> !openinprotectedview;
-#
-#
-#29l Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word
-[ACSC - Microsoft Office 2016 - 29l Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> !disableattachmentsinpv;
-#
-#
-#31a Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 31a Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> !disabletrusteddocuments;
-#
-#
-#31b Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel
-[ACSC - Microsoft Office 2016 - 31b Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> !disablenetworktrusteddocuments;
-#
-#
-#31c Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint
-[ACSC - Microsoft Office 2016 - 31c Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> disabletrusteddocuments -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> !disabletrusteddocuments;
-#
-#
-#31d Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint
-[ACSC - Microsoft Office 2016 - 31d Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> disablenetworktrusteddocuments -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> !disablenetworktrusteddocuments;
-#
-#
-#31e Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word
-[ACSC - Microsoft Office 2016 - 31e Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> !disabletrusteddocuments;
-#
-#
-#31f Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word
-[ACSC - Microsoft Office 2016 - 31f Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> !disablenetworktrusteddocuments;
-#
-#
-#34a Ensure Allow including screenshot with Office Feedback is set to 'Disabled' in Microsoft Office
-[ACSC - Microsoft Office 2016 - 34a Ensure Allow including screenshot with Office Feedback is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> !includescreenshot;
-#
-#
-#34b Ensure Automatically receive small updates to improve reliability is set to 'Disabled' in Microsoft Office
-[ACSC - Microsoft Office 2016 - 34b Ensure Automatically receive small updates to improve reliability is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !updatereliabilitydata;
-#
-#
-#34c Ensure Disable Opt-in Wizard on first run is set to 'Enabled' in Microsoft Office
-[ACSC - Microsoft Office 2016 - 34c Ensure Disable Opt-in Wizard on first run is set to 'Enabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> !1;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> !shownfirstrunoptin;
-#
-#
-#34d Ensure Enable Customer Experience Improvement Program is set to 'Disabled' in Microsoft Office
-[ACSC - Microsoft Office 2016 - 34d Ensure Enable Customer Experience Improvement Program is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !qmenable;
-#
-#
-#34e Ensure Page Send Office Feedback is set to 'Disabled' in Microsoft Office
-[ACSC - Microsoft Office 2016 - 34e Ensure Page Send Office Feedback is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> !enabled;
-#
-#
-#34f Ensure Send personal information is set to 'Disabled' in Microsoft Office
-[ACSC - Microsoft Office 2016 - 34f Ensure Send personal information is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf]
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> !0;
-r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !sendcustomerdata;
-#
-#
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value.
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Apache Https Server
-# Based on Center for Internet Security Benchmark for Apache HttpSserver 2.4 v1.3.1 and Apache HttpsServer 2.2 v3.4.1 (https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308)
-#
-#
-$main-conf=/etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf;
-$conf-dirs=/etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled,/etc/httpd/conf.d,/etc/httpd/modsecurity.d;
-$ssl-confs=/etc/apache2/mods-enabled/ssl.conf,/etc/httpd/conf.d/ssl.conf;
-$mods-en=/etc/apache2/mods-enabled;
-$request-confs=/etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf;
-$traceen=/etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf,/etc/apache2/conf-enabled/security.conf;
-#
-#
-#2.3 Disable WebDAV Modules
-[CIS - Apache Configuration - 2.3: WebDAV Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sdav;
-d:$conf-dirs -> load -> !r:^# && r:loadmodule\sdav;
-f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav;
-d:$mods-en -> dav.load;
-#
-#
-#2.4 Disable Status Module
-[CIS - Apache Configuration - 2.4: Status Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sstatus;
-d:$conf-dirs -> load -> !r:^# && r:loadmodule\sstatus;
-f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sstatus;
-d:$mods-en -> status.load;
-#
-#
-#2.5 Disable Autoindex Module
-[CIS - Apache Configuration - 2.5: Autoindex Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sautoindex;
-d:$conf-dirs -> load -> !r:^# && r:loadmodule\sautoindex;
-f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sautoindex;
-d:$mods-en -> autoindex.load;
-#
-#
-#2.6 Disable Proxy Modules
-[CIS - Apache Configuration - 2.6: Proxy Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sproxy;
-d:$conf-dirs -> load -> !r:^# && r:loadmodule\sproxy;
-f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sproxy;
-d:$mods-en -> proxy.load;
-#
-#
-#2.7 Disable User Directories Modules
-[CIS - Apache Configuration - 2.7: User Directories Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:loadmodule\suserdir;
-d:$conf-dirs -> load -> !r:^# && r:loadmodule\suserdir;
-f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\suserdir;
-d:$mods-en -> userdir.load;
-#
-#
-#2.8 Disable Info Module
-[CIS - Apache Configuration - 2.8: Info Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo;
-d:$conf-dirs -> load -> !r:^# && r:loadmodule\sinfo;
-d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo;
-d:$mods-en -> info.load;
-#
-#
-#3.2 Give the Apache User Account an Invalid Shell
-[CIS - Apache Configuration - 3.2: Apache User Account has got a valid shell] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/passwd -> r:/var/www && !r:\.*/bin/false$|/sbin/nologin$;
-#
-#
-#3.3 Lock the Apache User Account
-[CIS - Apache Configuration - 3.3: Lock the Apache User Account] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/shadow -> r:^daemon|^wwwrun|^www-data|^apache && !r:\p!\.*$;
-#
-#
-#4.4 Restrict Override for All Directories
-[CIS - Apache Configuration - 4.4: Restrict Override for All Directories] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && !r:\w+ && r:allowoverride && !r:none$;
-d:$conf-dirs -> conf -> !r:^# && !r:\w+ && r:allowoverridelist;
-f:$main-conf -> !r:^# && !r:\w+ && r:allowoverride && !r:none$;
-f:$main-conf -> !r:^# && !r:\w+ && r:allowoverridelist;
-#
-#
-#5.3 Minimize Options for Other Directories
-[CIS - Apache Configuration - 5.3: Minimize Options for other directories] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:options\sincludes;
-f:$main-conf -> !r:^# && r:options\sincludes;
-#
-#
-#5.4.1 Remove default index.html sites
-[CIS - Apache Configuration - 5.4.1: Remove default index.html sites] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:/var/www -> index.html;
-d:/var/www/html -> index.html;
-#
-#
-#5.4.2 Remove the Apache user manual
-[CIS - Apache Configuration - 5.4.2: Remove the Apache user manual] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:/etc/httpd/conf.d -> manual.conf;
-d:/etc/apache2/conf-enabled -> apache2-doc.conf;
-#
-#
-#5.4.5 Verify that no Handler is enabled
-[CIS - Apache Configuration - 5.4.5: A Handler is configured] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:/wsethandler;
-f:$main-conf -> !r:^# && r:/wsethandler;
-#
-#
-#5.5 Remove default CGI content printenv
-[CIS - Apache Configuration - 5.5: Remove default CGI content printenv] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:/var/www/cgi-bin -> printenv;
-d:/usr/lib/cgi-bin -> printenv;
-#
-#
-#5.6 Remove default CGI content test-cgi
-[CIS - Apache Configuration - 5.6: Remove default CGI content test-cgi] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:/var/www/cgi-bin -> test-cgi;
-d:/usr/lib/cgi-bin -> test-cgi;
-#
-#
-#5.7 Limit HTTP Request Method
-[CIS - Apache Configuration - 5.7: Disable HTTP Request Method] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:<limitexcept\sget\spost\soptions>;
-#
-#
-#5.8 Disable HTTP Trace Method
-[CIS - Apache Configuration - 5.8: Disable HTTP Trace Method] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$traceen -> !r:^# && r:traceenable\s+on\s*$;
-#
-#
-#5.9 Restrict HTTP Protocol Versions
-[CIS - Apache Configuration - 5.9: Restrict HTTP Protocol Versions] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite;
-d:$mods-en -> !f:rewrite.load;
-f:$main-conf -> !r:rewriteengine\son;
-f:$main-conf -> !r:rewritecond && !r:%{THE_REQUEST} && !r:!HTTP/1\\.1\$;
-f:$main-conf -> !r:rewriterule && !r:.* - [F];
-#
-#
-#5.12 Deny IP Address Based Requests
-[CIS - Apache Configuration - 5.12: Deny IP Address Based Requests] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite;
-d:$mods-en -> !f:rewrite.load;
-f:$main-conf -> !r:rewriteengine\son;
-f:$main-conf -> !r:rewritecond && !r:%{HTTP_HOST} && !r:www\\.\w+\\.\w+ [NC]$;
-f:$main-conf -> !r:rewritecond && !r:%{REQUEST_URI} && !r:/error [NC]$;
-f:$main-conf -> !r:rewriterule && !r:.\(.*\) - [L,F]$;
-#
-#
-#5.13 Restrict Listen Directive
-[CIS - Apache Configuration - 5.13: Restrict Listen Directive] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:listen\s80$;
-d:$conf-dirs -> conf -> !r:^# && r:listen\s0.0.0.0\p80;
-d:$conf-dirs -> conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p80;
-f:$main-conf -> !r:^# && r:listen\s80$;
-f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p\d*;
-f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;
-f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s80$;
-f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s0.0.0.0\p\d*;
-f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;
-f:/etc/apache2/ports.conf -> !r:^# && r:listen\s80$;
-f:/etc/apache2/ports.conf -> !r:^# && r:listen\s0.0.0.0\p\d*;
-f:/etc/apache2/ports.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;
-#
-#
-#5.14 Restrict Browser Frame Options
-[CIS - Apache Configuration - 5.14: Restrict Browser Frame Options] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:header\salways\sappend\sx-frame-options && !r:sameorigin|deny;
-#
-#
-#6.1 Configure the Error Log to notice at least
-[CIS - Apache Configuration - 6.1: Configure the Error Log to notice at least] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice;
-f:$main-conf -> !r:loglevel\snotice\score\p && !r:info|debug;
-#
-#
-#6.2 Configure a Syslog facility for Error Log
-[CIS - Apache Configuration - 6.2: Configure a Syslog facility for Error Log] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:errorlog\s+\p*syslog\p\.*\p*;
-#
-#
-#7.6 Disable SSL Insecure Renegotiation
-[CIS - Apache Configuration - 7.6: Disable SSL Insecure Renegotiation] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on\s*;
-f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s*$;
-#
-#
-#7.7 Ensure SSL Compression is not enabled
-[CIS - Apache Configuration - 7.7: Ensure SSL Compression is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+on\s*;
-f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s*$;
-#
-#
-#7.8 Disable SSL TLS v1.0 Protocol
-[CIS - Apache Configuration - 7.8: Disable insecure TLS Protocol] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$ssl-confs -> !r:^\t*\s*sslprotocol;
-f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+all;
-f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*tlsv1\P\s*;
-f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*sslv2\P\s*;
-f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*sslv3\P\s*;
-#
-#
-#7.9 Enable OCSP Stapling
-[CIS - Apache Configuration - 7.9: Enable OCSP Stapling] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+ssl;
-d:$mods-en -> !f:ssl.load;
-f:$ssl-confs -> !r:\t*\s*# && r:sslusestapling\s+off;
-f:$ssl-confs -> !r:\t*\s*sslusestapling\s+on;
-f:$ssl-confs -> !r:\t*\s*sslstaplingcache\s+\.+;
-#
-#
-#7.10 Enable HTTP Strict Transport Security
-[CIS - Apache Configuration - 7.10: Enable HTTP Strict Transport Security] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/apache2/apache2.conf -> !r:Header\salways\sset\sStrict-Transport-Security\s"max-age=\d\d\d\d*";
-f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=1\d\d";
-f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=2\d\d";
-f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=3\d\d";
-f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=4\d\d";
-f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=5\d\d";
-#
-#
-#8.1 Set ServerToken to Prod or ProductOnly
-[CIS - Apache Configuration - 8.1: Set ServerToken to Prod or ProductOnly] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+major;
-d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minor;
-d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+min;
-d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minimal;
-d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+os;
-d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+full;
-#
-#
-#8.2: Set ServerSignature to Off
-[CIS - Apache Configuration - 8.2: Set ServerSignature to Off] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^# && r:serversignature\s+email;
-d:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on;
-#
-#
-#8.3: Prevent Information Leakage via Default Apache Content
-[CIS - Apache Configuration - 8.3: Prevent Information Leakage via Default Apache Content] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-d:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf;
-d:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*;
-#
-#
-#9.1:Set TimeOut to 10 or less
-[CIS - Apache Configuration - 9.1: Set TimeOut to 10 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^# && r:timeout\s+9\d;
-f:$main-conf -> !r:^# && r:timeout\s+8\d;
-f:$main-conf -> !r:^# && r:timeout\s+7\d;
-f:$main-conf -> !r:^# && r:timeout\s+6\d;
-f:$main-conf -> !r:^# && r:timeout\s+5\d;
-f:$main-conf -> !r:^# && r:timeout\s+4\d;
-f:$main-conf -> !r:^# && r:timeout\s+3\d;
-f:$main-conf -> !r:^# && r:timeout\s+2\d;
-f:$main-conf -> !r:^# && r:timeout\s+11;
-f:$main-conf -> !r:^# && r:timeout\s+12;
-f:$main-conf -> !r:^# && r:timeout\s+13;
-f:$main-conf -> !r:^# && r:timeout\s+14;
-f:$main-conf -> !r:^# && r:timeout\s+15;
-f:$main-conf -> !r:^# && r:timeout\s+16;
-f:$main-conf -> !r:^# && r:timeout\s+17;
-f:$main-conf -> !r:^# && r:timeout\s+18;
-f:$main-conf -> !r:^# && r:timeout\s+19;
-f:$main-conf -> !r:^timeout\s+\d\d*;
-f:$main-conf -> !r:^# && r:timeout\s+\d\d\d+;
-#
-#
-#9.2:Set the KeepAlive directive to On
-[CIS - Apache Configuration - 9.2: Set the KeepAlive directive to On] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^# && r:keepalive\s+off;
-f:$main-conf -> !r:keepalive\s+on;
-#
-#
-#9.3:Set MaxKeepAliveRequests to 100 or greater
-[CIS - Apache Configuration - 9.3: Set MaxKeepAliveRequest to 100 or greater] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^maxkeepaliverequests\s+\d\d\d+;
-#
-#
-#9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service
-[CIS - Apache Configuration - 9.4: Set KeepAliveTimeout Low] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:keepalivetimeout\s+\d\d*;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+16;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+17;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+18;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+19;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+2\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+3\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+4\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+5\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+6\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+7\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+8\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+9\d;
-f:$main-conf -> !r:^# && r:keepalivetimeout\s+\d\d\d+;
-#
-#
-#9.5 Set Timeout Limits for Request Headers
-[CIS - Apache Configuration - 9.5: Set Timeout Limits for Request Headers] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout;
-d:$mods-en -> !f:reqtimeout.load;
-f:$request-confs -> !r:^\t*\s*requestreadtimeout\.+header\p\d\d*\D\d\d*;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D41;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D42;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D43;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D44;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D45;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D46;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D47;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D48;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D49;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D5\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D6\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D7\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D8\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D9\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D\d\d\d+;
-#
-#
-#9.6 Set Timeout Limits for Request Body
-[CIS - Apache Configuration - 9.6: Set Timeout Limits for Request Body] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout;
-d:$mods-en -> !f:reqtimeout.load;
-f:$request-confs -> !r:\t*\s*requestreadtimeout\.+body\p\d\d*;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p21;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p22;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p23;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p24;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p25;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p26;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p27;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p28;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p29;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p3\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p4\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p5\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p6\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p7\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p8\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p9\d;
-f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p\d\d\d+;
-#
-#
-#10.1 Set the LimitRequestLine directive to 512 or less
-[CIS - Apache Configuration - 10.1: Set LimitRequestLine to 512 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^limitrequestline\s+\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\13;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\14;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\15;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\16;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\17;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\18;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\19;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\2\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\3\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\4\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\5\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\6\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\7\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\8\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+5\9\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+6\d\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+7\d\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+8\d\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+9\d\d;
-f:$main-conf -> !r:^# && r:limitrequestline\s+\d\d\d\d+;
-#
-#
-#10.2 Set the LimitRequestFields directive to 100 or less
-[CIS - Apache Configuration - 10.2: Set LimitRequestFields to 100 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^limitrequestfields\s\d\d*;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d1;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d2;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d3;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d4;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d5;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d6;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d7;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d8;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d9;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+11\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+12\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+13\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+14\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+15\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+16\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+17\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+18\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+19\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+2\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+3\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+4\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+5\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+6\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+7\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+8\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+9\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfields\s+\d\d\d\d+;
-#
-#
-#10.3 Set the LimitRequestFieldsize directive to 1024 or less
-[CIS - Apache Configuration - 10.3: Set LimitRequestFieldsize to 1024 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^limitrequestfieldsize\s+\d\d*;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d25;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d26;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d27;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d28;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d29;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d3\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d4\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d5\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d6\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d7\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d8\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d9\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+11\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+12\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+13\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+14\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+15\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+16\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+17\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+18\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+19\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+2\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+3\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+4\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+5\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+6\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+7\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+8\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+9\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+\d\d\d\d\d+;
-#
-#
-#10.4 Set the LimitRequestBody directive to 102400 or less
-[CIS - Apache Configuration - 10.4: Set LimitRequestBody to 102400 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
-f:$main-conf -> !r:^limitrequestbody\s+\d\d*;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+0\s*$;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d1;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d2;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d3;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d4;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d5;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d6;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d7;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d8;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d9;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d241\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d242\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d243\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d244\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d245\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d246\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d247\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d248\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d249\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d25\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d26\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d27\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d28\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d29\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d3\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d4\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d5\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d6\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d7\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d8\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d9\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+11\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+12\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+13\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+14\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+15\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+16\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+17\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+18\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+19\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+2\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+3\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+4\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+5\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+6\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+7\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+8\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+9\d\d\d\d\d;
-f:$main-conf -> !r:^# && r:limitrequestbody\s+\d\d\d\d\d\d\d+;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value.
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Debian/Ubuntu
-# Based on Center for Internet Security Benchmark for Debian Linux v1.0
-
-# Main one. Only valid for Debian/Ubuntu.
-[CIS - Testing against the CIS Debian Linux Benchmark v1.0] [all required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/debian_version;
-f:/proc/sys/kernel/ostype -> Linux;
-
-
-# Section 1.4 - Partition scheme.
-[CIS - Debian Linux - 1.4 - Robust partition scheme - /tmp is not on its own partition {CIS: 1.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:/tmp;
-
-[CIS - Debian Linux - 1.4 - Robust partition scheme - /opt is not on its own partition {CIS: 1.4 Debian Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/opt;
-f:/etc/fstab -> !r:/opt;
-
-[CIS - Debian Linux - 1.4 - Robust partition scheme - /var is not on its own partition {CIS: 1.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:/var;
-
-
-# Section 2.3 - SSH configuration
-[CIS - Debian Linux - 2.3 - SSH Configuration - Protocol version 1 enabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
-
-[CIS - Debian Linux - 2.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
-
-[CIS - Debian Linux - 2.3 - SSH Configuration - Empty passwords permitted {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
-
-[CIS - Debian Linux - 2.3 - SSH Configuration - Host based authentication enabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
-
-[CIS - Debian Linux - 2.3 - SSH Configuration - Root login allowed {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
-
-
-# Section 2.4 Enable system accounting
-#[CIS - Debian Linux - 2.4 - System Accounting - Sysstat not installed {CIS: 2.4 Debian Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-#f:!/etc/default/sysstat;
-#f:!/var/log/sysstat;
-
-#[CIS - Debian Linux - 2.4 - System Accounting - Sysstat not enabled {CIS: 2.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-#f:!/etc/default/sysstat;
-#f:/etc/default/sysstat -> !r:^# && r:ENABLED="false";
-
-
-# Section 2.5 Install and run Bastille
-#[CIS - Debian Linux - 2.5 - System harderning - Bastille is not installed {CIS: 2.5 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-#f:!/etc/Bastille;
-
-
-# Section 2.6 Ensure sources.list Sanity
-[CIS - Debian Linux - 2.6 - Sources list sanity - Security updates not enabled {CIS: 2.6 Debian Linux} {PCI_DSS: 6.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:!/etc/apt/sources.list;
-f:!/etc/apt/sources.list -> !r:^# && r:http://security.debian|http://security.ubuntu;
-
-
-# Section 3 - Minimize inetd services
-[CIS - Debian Linux - 3.3 - Telnet enabled on inetd {CIS: 3.3 Debian Linux} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inetd.conf -> !r:^# && r:telnet;
-
-[CIS - Debian Linux - 3.4 - FTP enabled on inetd {CIS: 3.4 Debian Linux} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inetd.conf -> !r:^# && r:/ftp;
-
-[CIS - Debian Linux - 3.5 - rsh/rlogin/rcp enabled on inetd {CIS: 3.5 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inetd.conf -> !r:^# && r:shell|login;
-
-[CIS - Debian Linux - 3.6 - tftpd enabled on inetd {CIS: 3.6 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inetd.conf -> !r:^# && r:tftp;
-
-[CIS - Debian Linux - 3.7 - imap enabled on inetd {CIS: 3.7 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inetd.conf -> !r:^# && r:imap;
-
-[CIS - Debian Linux - 3.8 - pop3 enabled on inetd {CIS: 3.8 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inetd.conf -> !r:^# && r:pop;
-
-[CIS - Debian Linux - 3.9 - Ident enabled on inetd {CIS: 3.9 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inetd.conf -> !r:^# && r:ident;
-
-
-# Section 4 - Minimize boot services
-[CIS - Debian Linux - 4.1 - Disable inetd - Inetd enabled but no services running {CIS: 4.1 Debian Linux} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-p:inetd;
-f:!/etc/inetd.conf -> !r:^# && r:wait;
-
-[CIS - Debian Linux - 4.3 - GUI login enabled {CIS: 4.3 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/inittab -> !r:^# && r:id:5;
-
-[CIS - Debian Linux - 4.6 - Disable standard boot services - Samba Enabled {CIS: 4.6 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/samba;
-
-[CIS - Debian Linux - 4.7 - Disable standard boot services - NFS Enabled {CIS: 4.7 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/nfs-common;
-f:/etc/init.d/nfs-user-server;
-f:/etc/init.d/nfs-kernel-server;
-
-[CIS - Debian Linux - 4.9 - Disable standard boot services - NIS Enabled {CIS: 4.9 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/nis;
-
-[CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/apache;
-f:/etc/init.d/apache2;
-
-[CIS - Debian Linux - 4.15 - Disable standard boot services - DNS server Enabled {CIS: 4.15 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/bind;
-
-[CIS - Debian Linux - 4.16 - Disable standard boot services - MySQL server Enabled {CIS: 4.16 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/mysql;
-
-[CIS - Debian Linux - 4.16 - Disable standard boot services - PostgreSQL server Enabled {CIS: 4.16 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/postgresql;
-
-[CIS - Debian Linux - 4.17 - Disable standard boot services - Webmin Enabled {CIS: 4.17 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/webmin;
-
-[CIS - Debian Linux - 4.18 - Disable standard boot services - Squid Enabled {CIS: 4.18 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/init.d/squid;
-
-
-# Section 5 - Kernel tuning
-[CIS - Debian Linux - 5.1 - Network parameters - Source routing accepted {CIS: 5.1 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
-
-[CIS - Debian Linux - 5.1 - Network parameters - ICMP broadcasts accepted {CIS: 5.1 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
-
-[CIS - Debian Linux - 5.2 - Network parameters - IP Forwarding enabled {CIS: 5.2 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/proc/sys/net/ipv4/ip_forward -> 1;
-f:/proc/sys/net/ipv6/ip_forward -> 1;
-
-
-# Section 7 - Permissions
-[CIS - Debian Linux - 7.1 - Partition /var without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;
-
-[CIS - Debian Linux - 7.1 - Partition /tmp without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;
-
-[CIS - Debian Linux - 7.1 - Partition /opt without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;
-
-[CIS - Debian Linux - 7.1 - Partition /home without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ;
-
-[CIS - Debian Linux - 7.2 - Removable partition /media without 'nodev' set {CIS: 7.2 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
-
-[CIS - Debian Linux - 7.2 - Removable partition /media without 'nosuid' set {CIS: 7.2 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
-
-[CIS - Debian Linux - 7.3 - User-mounted removable partition /media {CIS: 7.3 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && r:user;
-
-
-# Section 8 - Access and authentication
-[CIS - Debian Linux - 8.8 - LILO Password not set {CIS: 8.8 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/lilo.conf -> !r:^# && !r:restricted;
-f:/etc/lilo.conf -> !r:^# && !r:password=;
-
-[CIS - Debian Linux - 8.8 - GRUB Password not set {CIS: 8.8 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/boot/grub/menu.lst -> !r:^# && !r:password;
-
-[CIS - Debian Linux - 9.2 - Account with empty password present {CIS: 9.2 Debian Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/shadow -> r:^\w+::;
-
-[CIS - Debian Linux - 13.11 - Non-root account with uid 0 {CIS: 13.11 Debian Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# Level 1 CIS Checks for Debian Linux 7 and Debian Linux 8
-# Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81)
-#
-$rc_dirs=/etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d;
-$rsyslog_files=/etc/rsyslog.conf,/etc/rsyslog.d/*;
-$profiledfiles=/etc/profile.d/*;
-$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
-#
-#
-#2.1 Create Separate Partition for /tmp
-[CIS - Debian Linux 7/8 - 2.1 Create Separate Partition for /tmp] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/tmp;
-#
-#
-#2.2 Set nodev option for /tmp Partition
-[CIS - Debian Linux 7/8 - 2.2 Set nodev option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nodev;
-#
-#
-#2.3 Set nosuid option for /tmp Partition
-[CIS - Debian Linux 7/8 - 2.3 Set nosuid option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nosuid;
-#
-#
-#2.4 Set noexec option for /tmp Partition
-[CIS - Debian Linux 7/8 - 2.4 Set noexec option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*noexec;
-#
-#
-#2.5 Create Separate Partition for /var
-[CIS - Debian Linux 7/8 - 2.5 Create Separate Partition for /var] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/var;
-#
-#
-#2.6 Bind Mount the /var/tmp directory to /tmp
-[CIS - Debian Linux 7/8 - 2.6 Bind Mount the /var/tmp directory to /tmp] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0;
-#
-#
-#2.7 Create Separate Partition for /var/log
-[CIS - Debian Linux 7/8 - 2.7 Create Separate Partition for /var/log] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/var/log;
-#
-#
-#2.8 Create Separate Partition for /var/log/audit
-[CIS - Debian Linux 7/8 - 2.8 Create Separate Partition for /var/log/audit] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/var/log/audit;
-#
-#
-#2.9 Create Separate Partition for /home
-[CIS - Debian Linux 7/8 - 2.9 Create Separate Partition for /home] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/home;
-#
-#
-#2.10 Add nodev Option to /home
-[CIS - Debian Linux 7/8 - 2.10 Add nodev Option to /home] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/home\s+\w+\s+\.*nodev;
-#
-#
-#2.11 Add nodev Option to Removable Media Partitions
-[CIS - Debian Linux 7/8 - 2.11 Add nodev Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nodev;
-#
-#
-#2.12 Add noexec Option to Removable Media Partitions
-[CIS - Debian Linux 7/8 - 2.12 Add noexec Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*noexec;
-#
-#
-#2.13 Add nosuid Option to Removable Media Partitions
-[CIS - Debian Linux 7/8 - 2.13 Add nosuid Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nosuid;
-#
-#
-#2.14 Add nodev Option to /run/shm Partition
-[CIS - Debian Linux 7/8 - 2.14 Add nodev Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nodev;
-#
-#
-#2.15 Add nosuid Option to /run/shm Partition
-[CIS - Debian Linux 7/8 - 2.15 Add nosuid Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nosuid;
-#
-#
-#2.16 Add noexec Option to /run/shm Partition
-[CIS - Debian Linux 7/8 - 2.16 Add noexec Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*noexec;
-#
-#
-#2.25 Disable Automounting
-[CIS - Debian Linux 7/8 - 2.25 Disable Automounting] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:autofsc;
-#
-#
-#3.3 Set Boot Loader Password
-[CIS - Debian Linux 7/8 - 3.3 Set Boot Loader Password] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/boot/grub/grub.cfg -> !r:^set superusers;
-f:/boot/grub/grub.cfg -> !r:^password;
-f:/etc/grub.d -> !r:^set superusers;
-f:/etc/grub.d -> !r:^password;
-#
-#
-#3.4 Require Authentication for Single-User Mode
-[CIS - Debian Linux 7/8 - 3.4 Require Authentication for Single-User Mode] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/shadow -> r:^root:!:;
-f:/etc/shadow -> r:^root:*:;
-f:/etc/shadow -> r:^root:*!:;
-f:/etc/shadow -> r:^root:!*:;
-#
-#
-#4.1 Restrict Core Dumps
-[CIS - Debian Linux 7/8 - 4.1 Restrict Core Dumps] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/security/limits.conf -> !r:^* hard core 0;
-f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0;
-#
-#
-#4.3 Enable Randomized Virtual Memory Region Placement
-[CIS - Debian Linux 7/8 - 4.3 Enable Randomized Virtual Memory Region Placement] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^kernel.randomize_va_space = 2;
-#
-#
-#5.1.1 Ensure NIS is not installed
-[CIS - Debian Linux 7/8 - 5.1.1 Ensure NIS is not installed] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/init.d/nis;
-#
-#
-#5.1.2 Ensure rsh server is not enabled
-[CIS - Debian Linux 7/8 - 5.1.2 Ensure rsh server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:shell|login|exec;
-#
-#
-#5.1.4 Ensure talk server is not enabled
-[CIS - Debian Linux 7/8 - 5.1.4 Ensure talk server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:talk|ntalk;
-#
-#
-#5.1.6 Ensure telnet server is not enabled
-[CIS - Debian Linux 7/8 - 5.1.6 Ensure telnet server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:telnet;
-#
-#
-#5.1.7 Ensure tftp-server is not enabled
-[CIS - Debian Linux 7/8 - 5.1.7 Ensure tftp-server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:tftp;
-#
-#
-#5.1.8 Ensure xinetd is not enabled
-[CIS - Debian Linux 7/8 - 5.1.8 Ensure xinetd is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:xinetd;
-#
-#
-#5.2 Ensure chargen is not enabled
-[CIS - Debian Linux 7/8 - 5.2 Ensure chargen is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:chargen;
-#
-#
-#5.3 Ensure daytime is not enabled
-[CIS - Debian Linux 7/8 - 5.3 Ensure daytime is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:daytime;
-#
-#
-#5.4 Ensure echo is not enabled
-[CIS - Debian Linux 7/8 - 5.4 Ensure echo is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:echo;
-#
-#
-#5.5 Ensure discard is not enabled
-[CIS - Debian Linux 7/8 - 5.5 Ensure discard is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:discard;
-#
-#
-#5.6 Ensure time is not enabled
-[CIS - Debian Linux 7/8 - 5.6 Ensure time is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/inetd.conf -> !r:^# && r:time;
-#
-#
-#6.2 Ensure Avahi Server is not enabled
-[CIS - Debian Linux 7/8 - 6.2 Ensure Avahi Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:avahi-daemon;
-#
-#
-#6.3 Ensure print server is not enabled
-[CIS - Debian Linux 7/8 - 6.3 Ensure print server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:cups;
-d:$rc_dirs -> S -> r:cups-browsed;
-#
-#
-#6.4 Ensure DHCP Server is not enabled
-[CIS - Debian Linux 7/8 - 6.4 Ensure DHCP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:disc-dhcp-server;
-#
-#
-#6.5 Configure Network Time Protocol (NTP)
-[CIS - Debian Linux 7/8 - 6.5 Configure Network Time Protocol (NTP)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ntp.conf -> !r:^restrict -4 default kod nomodify notrap nopeer noquery;
-f:/etc/ntp.conf -> !r:^restrict -6 default kod nomodify notrap nopeer noquery;
-f:/etc/ntp.conf -> !r:^server\s\.+;
-#
-#
-#6.6 Ensure LDAP is not ennabled
-[CIS - Debian Linux 7/8 - 6.6 Ensure LDAP is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:/etc/init.d -> r:ldap;
-#
-#
-#6.7 Ensure NFS and RPC are not enabled
-[CIS - Debian Linux 7/8 - 6.7 Ensure NFS and RPC are not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:rpcbind;
-d:$rc_dirs -> S -> r:nfs-kernel-server;
-#
-#
-#6.8 Ensure DNS Server is not enabled
-[CIS - Debian Linux 7/8 - 6.8 Ensure DNS Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:bind9;
-#
-#
-#6.9 Ensure FTP Server is not enabled
-[CIS - Debian Linux 7/8 - 6.9 Ensure FTP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:vsftpd;
-#
-#
-#6.10 Ensure HTTP Server is not enabled
-[CIS - Debian Linux 7/8 - 6.10 Ensure HTTP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:apache2;
-#
-#
-#6.11 Ensure IMAP and POP server is not enabled
-[CIS - Debian Linux 7/8 - 6.11 Ensure IMAP and POP server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:dovecot;
-#
-#
-#6.12 Ensure Samba is not enabled
-[CIS - Debian Linux 7/8 - 6.12 Ensure Samba is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:samba;
-#
-#
-#6.13 Ensure HTTP Proxy Server is not enabled
-[CIS - Debian Linux 7/8 - 6.13 Ensure HTTP Proxy Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:squid3;
-#
-#
-#6.14 Ensure SNMP Server is not enabled
-[CIS - Debian Linux 7/8 - 6.14 Ensure SNMP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$rc_dirs -> S -> r:snmpd;
-#
-#
-#6.15 Configure Mail Transfer Agent for Local-Only Mode
-[CIS - Debian Linux 7/8 - 6.15 Configure Mail Transfer Agent for Local Only Mode] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && !r:'127.0.0.1\s*\p\s*::1'$|'::1\s*\p\s*127.0.0.1'$|'127.0.0.1'$|'::1'$;
-#
-#
-#6.16 Ensure rsync service is not enabled
-[CIS - Debian Linux 7/8 - 6.16 Ensure rsync service is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE=true|inetd;
-f:/etc/default/rsync -> !r:^RSYNC_ENABLE=false;
-#
-#
-#7.1.1 Disable IP Forwarding
-[CIS - Debian Linux 7/8 - 7.1.1 Disable IP Forwarding] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.ip_forward=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.ip_forward=0;
-#
-#
-#7.1.2 Disable Send Packet Redirects
-[CIS - Debian Linux 7/8 - 7.1.2 Disable Send Packet Redirects] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.send_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.send_redirects=0;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.send_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.send_redirects=0;
-#
-#
-#7.2.1 Disable Source Routed Packet Acceptance
-[CIS - Debian Linux 7/8 - 7.2.1 Disable Source Routed Packet Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.accept_source_route=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_source_route=0;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.accept_source_route=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_source_route=0;
-#
-#
-#7.2.2 Disable ICMP Redirect Acceptance
-[CIS - Debian Linux 7/8 - 7.2.2 Disable ICMP Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.accept_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_redirects=0;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.accept_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_redirects=0;
-#
-#
-#7.2.3 Disable Secure ICMP Redirect Acceptance
-[CIS - Debian Linux 7/8 - 7.2.3 Disable Secure ICMP Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.secure_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.secure_redirects=0;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.secure_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.secure_redirects=0;
-#
-#
-#7.2.4 Log Suspicious Packets
-[CIS - Debian Linux 7/8 - 7.2.4 Log Suspicious Packets] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.log_martians=0;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.log_martians=1;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.log_martians=0;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.log_martians=1;
-#
-#
-#7.2.5 Enable Ignore Broadcast Requests
-[CIS - Debian Linux 7/8 - 7.2.5 Enable Ignore Broadcast Requests] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.icmp_echo_ignore_broadcasts=0;
-f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_echo_ignore_broadcasts=1;
-#
-#
-#7.2.6 Enable Bad Error Message Protection
-[CIS - Debian Linux 7/8 - 7.2.6 Enable Bad Error Message Protection] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.icmp_ignore_bogus_error_responses=0;
-f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_ignore_bogus_error_responses=1;
-#
-#
-#7.2.7 Enable RFC-recommended Source Route Validation
-[CIS - Debian Linux 7/8 - 7.2.7 Enable RFC-recommended Source Route Validation] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.rp_filter=0;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.rp_filter=1;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.rp_filter=0;
-f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.rp_filter=1;
-#
-#
-#7.2.8 Enable TCP SYN Cookies
-[CIS - Debian Linux 7/8 - 7.2.8 Enable TCP SYN Cookies] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.tcp_syncookies=0;
-f:/etc/sysctl.conf -> !r:^net.ipv4.tcp_syncookies=1;
-#
-#
-#7.3.1 Disable IPv6 Router Advertisements
-[CIS - Debian Linux 7/8 - 7.3.1 Disable IPv6 Router Advertisements] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.accept_ra=1;
-f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_ra=0;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.accept_ra=1;
-f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_ra=0;
-#
-#
-#7.3.2 Disable IPv6 Redirect Acceptance
-[CIS - Debian Linux 7/8 - 7.3.2 Disable IPv6 Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.accept_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_redirects=0;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.accept_redirects=1;
-f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_redirects=0;
-#
-#
-#7.3.3 Disable IPv6
-[CIS - Debian Linux 7/8 - 7.3.3 Disable IPv6] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.disable_ipv6=0;
-f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.disable_ipv6=1;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.disable_ipv6=0;
-f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.disable_ipv6=1;
-f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.lo.disable_ipv6=0;
-f:/etc/sysctl.conf -> !r:^net.ipv6.conf.lo.disable_ipv6=1;
-#
-#
-#7.4.2 Create /etc/hosts.allow
-[CIS - Debian Linux 7/8 - 7.4.2 Create /etc/hosts.allow] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/hosts.allow;
-f:/etc/hosts.allow -> !r:^ALL:\.*;
-#
-#
-#7.4.4 Create /etc/hosts.deny
-[CIS - Debian Linux 7/8 - 7.4.4 Create /etc/hosts.deny] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/hosts.deny;
-f:/etc/hosts.deny -> !r:^ALL:\s*ALL;
-#
-#
-#7.5.1 Disable DCCP
-[CIS - Debian Linux 7/8 - 7.5.1 Disable DCCP] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install dccp /bin/true;
-#
-#
-#7.5.2 Disable SCTP
-[CIS - Debian Linux 7/8 - 7.5.2 Disable SCTP] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install sctp /bin/true;
-#
-#
-#7.5.3 Disable RDS
-[CIS - Debian Linux 7/8 - 7.5.3 Disable RDS] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install rds /bin/true;
-#
-#
-#7.5.4 Disable TIPC
-[CIS - Debian Linux 7/8 - 7.5.4 Disable TIPC] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install tipc /bin/true;
-#
-#
-#7.7 Ensure Firewall is active (RunLevel 2, 3, 4, 5; Priority 01)
-[CIS - Debian Linux 7/8 - 7.7 Ensure Firewall is active (RunLevel 2, 3, 4, 5; Priority 01)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/rc2.d/S01iptables-persistent;
-f:!/etc/rc3.d/S01iptables-persistent;
-f:!/etc/rc4.d/S01iptables-persistent;
-f:!/etc/rc5.d/S01iptables-persistent;
-#
-#
-#8.2.2 Ensure the rsyslog Service is activated (RunLevel 2, 3, 4, 5; Priority 01)
-[CIS - Debian Linux 7/8 - 8.2.2 Ensure the rsyslog Service is activated (RunLevel 2, 3, 4, 5; Priority 01)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/rc2.d/S01rsyslog;
-f:!/etc/rc3.d/S01rsyslog;
-f:!/etc/rc4.d/S01rsyslog;
-f:!/etc/rc5.d/S01rsyslog;
-#
-#
-#8.2.3 Configure /etc/rsyslog.conf
-[CIS - Debian Linux 7/8 - 8.2.3 Configure /etc/rsyslog.conf] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:$rsyslog_files -> !r:^*.emerg\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^mail.*\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^mail.info\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^mail.warning\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^mail.err\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^news.crit\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^news.err\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^news.notice\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^*.=warning;*.=err\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^*.crit\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^*.*;mail.none;news.none\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^local0,local1.*\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^local2,local3.*\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^local4,local5.*\s*\t*\s*\S;
-f:$rsyslog_files -> !r:^local6,local7.*\s*\t*\s*\S;
-#
-#
-#8.2.5 Configure rsyslog to Send Logs to a Remote Log Host
-[CIS - Debian Linux 7/8 - 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/rsyslog.conf -> !r:^*.* @@\w+.\w+.\w+;
-#
-#
-#8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts
-[CIS - Debian Linux 7/8 - 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:$rsyslog_files -> !r:^\$ModLoad imtcp.so;
-f:$rsyslog_files -> !r:^\$InputTCPServerRun 514;
-#
-#
-#8.4 Configure logrotate
-[CIS - Debian Linux 7/8 - 8.4 Configure logrotate] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/logrotate.d/rsyslog;
-f:/etc/logrotate.d/rsyslog -> !r:\S+;
-#
-#
-#9.1.1 Enable cron Daemon (RunLevel 2, 3, 4, 5; Priority 15)
-[CIS - Debian Linux 7/8 - 9.1.1 Enable cron Daemon (RunLevel 2, 3, 4, 5; Priority 15)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/rc2.d/S15anacron;
-f:!/etc/rc2.d/S15cron;
-f:!/etc/rc3.d/S15anacron;
-f:!/etc/rc3.d/S15cron;
-f:!/etc/rc4.d/S15anacron;
-f:!/etc/rc4.d/S15cron;
-f:!/etc/rc5.d/S15anacron;
-f:!/etc/rc5.d/S15cron;
-#
-#
-#9.1.8 Restrict at/cron to Authorized Users
-[CIS - Debian Linux 7/8 - 9.1.8 Restrict at/cron to Authorized Users] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/cron.allow;
-f:!/etc/at.allow;
-#
-#
-#9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib
-[CIS - Debian Linux 7/8 - 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/pam.d/common-password -> !r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+;
-#
-#
-#9.2.2 Set Lockout for Failed Password Attempts
-[CIS - Debian Linux 7/8 - 9.2.2 Set Lockout for Failed Password Attempts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/pam.d/login -> !r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+;
-#
-#
-#9.2.3 Limit Password Reuse
-[CIS - Debian Linux 7/8 - 9.2.3 Limit Password Reuse] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/pam.d/common-password -> !r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d;
-#
-#
-#9.3.1 Set SSH Protocol to 2
-[CIS - Debian Linux 7/8 - 9.3.1 Set SSH Protocol to 2] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^# && r:protocol 1;
-f:/etc/ssh/sshd_config -> !r:^protocol 2$;
-#
-#
-#9.3.2 Set LogLevel to INFO
-[CIS - Debian Linux 7/8 - 9.3.2 Set LogLevel to INFO] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^LogLevel\s+INFO;
-#
-#
-#9.3.4 Disable SSH X11 Forwarding
-[CIS - Debian Linux 7/8 - 9.3.4 Disable SSH X11 Forwarding] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s+no;
-#
-#
-#9.3.5 Set SSH MaxAuthTries to 4 or Less
-[CIS - Debian Linux 7/8 - 9.3.5 Set SSH MaxAuthTries to 4 or Less] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s+\d;
-f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+\d\d+;
-f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+5;
-f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+6;
-f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+7;
-f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+8;
-f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+9;
-#
-#
-#9.3.6 Set SSH IgnoreRhosts to Yes
-[CIS - Debian Linux 7/8 - 9.3.6 Set SSH IgnoreRhosts to Yes] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s+yes;
-#
-#
-#9.3.7 Set SSH HostbasedAuthentication to No
-[CIS - Debian Linux 7/8 - 9.3.7 Set SSH HostbasedAuthentication to No] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^HostbasedAuthentication\s+no;
-#
-#
-#9.3.8 Disable SSH Root Login
-[CIS - Debian Linux 7/8 - 9.3.8 Disable SSH Root Login] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes;
-f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no;
-#
-#
-#9.3.9 Set SSH PermitEmptyPasswords to No
-[CIS - Debian Linux 7/8 - 9.3.9 Set SSH PermitEmptyPasswords to No] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+yes;
-f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s+no;
-#
-#
-#9.3.10 Do Not Allow Users to Set Environment Options
-[CIS - Debian Linux 7/8 - 9.3.10 Do Not Allow Users to Set Environment Options] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+yes;
-f:/etc/ssh/sshd_config -> !r:^PermitUserEnvironment\s+no;
-#
-#
-#9.3.12 Set Idle Timeout Interval for User Login
-[CIS - Debian Linux 7/8 - 9.3.12 Set Idle Timeout Interval for User Login] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^ClientAliveInterval\s+\d+;
-f:/etc/ssh/sshd_config -> !r:^ClientAliveCountMax\s+\d;
-#
-#
-#9.3.13 Limit Access via SSH
-[CIS - Debian Linux 7/8 - 9.3.13 Limit Access via SSH] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+;
-#
-#
-#9.3.14 Set SSH Banner
-[CIS - Debian Linux 7/8 - 9.3.14 Set SSH Banner] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/ssh/sshd_config -> !r:^Banner\s+\S+;
-#
-#
-#9.5 Restrict Access to the su Command
-[CIS - Debian Linux 7/8 - 9.5 Restrict Access to the su Command] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/pam.d/su -> !r:auth required pam_wheel.so use_uid;
-#
-#
-#10.1.1 Set Password Expiration Days
-[CIS - Debian Linux 7/8 - 10.1.1 Set Password Expiration Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s+\d+;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+\d\d\d+;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+91;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+92;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+93;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+94;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+95;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+96;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+97;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+98;
-f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+99;
-#
-#
-#10.1.2 Set Password Change Minimum Number of Days
-[CIS - Debian Linux 7/8 - 10.1.2 Set Password Change Minimum Number of Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s+\d+;
-f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+1;
-f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+2;
-f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+3;
-f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+4;
-f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+5;
-f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+6;
-#
-#
-#10.1.3 Set Password Expiring Warning Days
-[CIS - Debian Linux 7/8 - 10.1.3 Set Password Expiring Warning Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/login.defs -> !r:^PASS_WARN_DAYS\s+\d+;
-f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+1;
-f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+2;
-f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+3;
-f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+4;
-f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+5;
-f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+6;
-#
-#
-#10.3 Set Default Group for root Account
-[CIS - Debian Linux 7/8 - 10.3 Set Default Group for root Account] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/passwd -> !r:^root:\w+:\w+:0:;
-#
-#
-#10.4 Set Default umask for Users
-[CIS - Debian Linux 7/8 - 10.4 Set Default umask for Users] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:$profiledfiles -> !r:^umask 077;
-f:/etc/bash.bashrc -> !r:^umask 077;
-#
-#
-#10.5 Lock Inactive User Accounts
-[CIS - Debian Linux 7/8 - 10.5 Lock Inactive User Accounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/default/useradd -> !r:^INACTIVE=\d\d*;
-#
-#
-#11.1 Set Warning Banner for Standard Login Services
-[CIS - Debian Linux 7/8 - 11.1 Set Warning Banner for Standard Login Services] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/motd;
-f:!/etc/issue;
-f:!/etc/issue.net;
-#
-#
-#11.2 Remove OS Information from Login Warning Banners
-[CIS - Debian Linux 7/8 - 11.2 Remove OS Information from Login Warning Banners] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/motd -> r:debian|gnu|linux;
-#
-#
-#13.1 Ensure Password Fields are Not Empty
-[CIS - Debian Linux 7/8 - 13.1 Ensure Password Fields are Not Empty] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/shadow -> r:^\w+::;
-#
-#
-#13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File
-[CIS - Debian Linux 7/8 - 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/passwd -> !r:^# && r:^+:;
-#
-#
-#13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File
-[CIS - Debian Linux 7/8 - 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/shadow -> !r:^# && r:^+:;
-#
-#
-#13.4 Verify No Legacy "+" Entries Exist in /etc/group File
-[CIS - Debian Linux 7/8 - 13.4 Verify No Legacy "+" Entries Exist in /etc/group File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/group -> !r:^# && r:^+:;
-#
-#
-#13.5 Verify No UID 0 Accounts Exist Other Than root
-[CIS - Debian Linux 7/8 - 13.5 Verify No UID 0 Accounts Exist Other Than root] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-#
-#
-#13.10 Check for Presence of User .rhosts Files
-[CIS - Debian Linux 7/8 - 13.10 Check for Presence of User .rhosts Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$home_dirs -> r:^.rhosts$;
-#
-#
-#13.18 Check for Presence of User .netrc Files
-[CIS - Debian Linux 7/8 - 13.18 Check for Presence of User .netrc Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$home_dirs -> r:^.netrc$;
-#
-#
-#13.19 Check for Presence of User .forward Files
-[CIS - Debian Linux 7/8 - 13.19 Check for Presence of User .forward Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-d:$home_dirs -> r:^.forward$;
-#
-#
-#13.20 Ensure shadow group is empty
-[CIS - Debian Linux 7/8 - 13.20 Ensure shadow group is empty] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# Level 2 CIS Checks for Debian Linux 7 and Debian Linux 8
-# Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81)
-#
-#
-$rc_dirfiles=/etc/rc0.d/*,/etc/rc1.d/*,/etc/rc2.d/*,/etc/rc3.d/*,/etc/rc4.d/*,/etc/rc5.d/*,/etc/rc6.d/*,/etc/rc7.d/*,/etc/rc8.d/*,/etc/rc9.d/*,/etc/rca.d/*,/etc/rcb.d/*,/etc/rcc.d/*,/etc/rcs.d/*,/etc/rcS.d/*;
-#
-#
-#2.18 Disable Mounting of cramfs Filesystems
-[CIS - Debian Linux 7/8 - 2.18 Disable Mounting of cramfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install cramfs /bin/true;
-#
-#
-#2.19 Disable Mounting of freevxfs Filesystems
-[CIS - Debian Linux 7/8 - 2.19 Disable Mounting of freevxfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install freevxfs /bin/true;
-#
-#
-#2.20 Disable Mounting of jffs2 Filesystems
-[CIS - Debian Linux 7/8 - 2.20 Disable Mounting of jffs2 Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install jffs2 /bin/true;
-#
-#
-#2.21 Disable Mounting of hfs Filesystems
-[CIS - Debian Linux 7/8 - 2.21 Disable Mounting of hfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install hfs /bin/true;
-#
-#
-#2.22 Disable Mounting of hfsplus Filesystems
-[CIS - Debian Linux 7/8 - 2.22 Disable Mounting of hfsplus Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install hfsplus /bin/true;
-#
-#
-#2.23 Disable Mounting of squashfs Filesystems
-[CIS - Debian Linux 7/8 - 2.23 Disable Mounting of squashfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install squashfs /bin/true;
-#
-#
-#2.24 Disable Mounting of udf Filesystems
-[CIS - Debian Linux 7/8 - 2.24 Disable Mounting of udf Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install udf /bin/true;
-#
-#
-#4.5 Activate AppArmor
-[CIS - Debian Linux 7/8 - 4.5 Activate AppArmor] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/default/grub -> !r:apparmor=1 && !r:security=apparmor;
-#
-#
-#8.1.1.1 Configure Audit Log Storage Size
-[CIS - Debian Linux 7/8 - 8.1.1.1 Configure Audit Log Storage Size] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/auditd.conf;
-f:/etc/audit/auditd.conf -> !r:max_log_file\s*=\s*\d+;
-#
-#
-#8.1.1.2 Disable System on Audit Log Full
-[CIS - Debian Linux 7/8 - 8.1.1.2 Disable System on Audit Log Full] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/auditd.conf;
-f:/etc/audit/auditd.conf -> !r:^space_left_action\s*=\s*email;
-f:/etc/audit/auditd.conf -> !r:^# && r:space_left_action\s*=\s*ignore|syslog|suspend|single|halt;
-f:/etc/audit/auditd.conf -> !r:^action_mail_acct\s*=\s*root;
-f:/etc/audit/auditd.conf -> !r:^admin_space_left_action\s*=\s*halt;
-f:/etc/audit/auditd.conf -> !r:^# && r:admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single;
-#
-#
-#8.1.1.3 Keep All Auditing Information
-[CIS - Debian Linux 7/8 - 8.1.1.3 Keep All Auditing Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/auditd.conf;
-f:/etc/audit/auditd.conf -> !r:^max_log_file_action\s*=\s*keep_logs;
-f:/etc/audit/auditd.conf -> !r:^# && r:max_log_file_action\s*=\s*ignore|syslog|suspend|rotate;
-#
-#
-#8.1.3 Enable Auditing for Processes That Start Prior to auditd
-[CIS - Debian Linux 7/8 - 8.1.3 Enable Auditing for Processes That Start Prior to auditd] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/default/grub -> !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*;
-#
-#
-#8.1.4 Record Events That Modify Date and Time Information
-[CIS - Debian Linux 7 - 8.1.4 Record Events That Modify Date and Time Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S clock_settime -k time-change;
-f:/etc/audit/audit.rules -> !r:^-w /etc/localtime -p wa -k time-change;
-#
-#
-#8.1.5 Record Events That Modify User/Group Information
-[CIS - Debian Linux 7/8 - 8.1.5 Record Events That Modify User/Group Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /etc/group -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/passwd -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/gshadow -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/shadow -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/security/opasswd -p wa -k identity;
-#
-#
-#8.1.6 Record Events That Modify the System's Network Environment
-[CIS - Debian Linux 7/8 - 8.1.6 Record Events That Modify the System's Network Environment] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/issue -p wa -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/issue.net -p wa -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/hosts -p wa -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/network -p wa -k system-locale;
-#
-#
-#8.1.7 Record Events That Modify the System's Mandatory Access Controls
-[CIS - Debian Linux 7/8 - 8.1.7 Record Events That Modify the System's Mandatory Access Controls] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /etc/selinux/ -p wa -k MAC-policy;
-#
-#
-#8.1.8 Collect Login and Logout Events
-[CIS - Debian Linux 7/8 - 8.1.8 Collect Login and Logout Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/faillog -p wa -k logins;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/lastlog -p wa -k logins;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/tallylog -p wa -k logins;
-#
-#
-#8.1.9 Collect Session Initiation Information
-[CIS - Debian Linux 7/8 - 8.1.9 Collect Session Initiation Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /var/run/utmp -p wa -k session;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/wtmp -p wa -k session;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/btmp -p wa -k session;
-#
-#
-#8.1.10 Collect Discretionary Access Control Permission Modification Events
-[CIS - Debian Linux 7/8 - 8.1.10 Collect Discretionary Access Control Permission Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\;
-f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\;
-f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\;
-f:/etc/audit/audit.rules -> !r:^lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod;
-#
-#
-#8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files
-[CIS - Debian Linux 7/8 - 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\;
-f:/etc/audit/audit.rules -> !r:^-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\;
-f:/etc/audit/audit.rules -> !r:^-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access;
-#
-#
-#8.1.13 Collect Successful File System Mounts
-[CIS - Debian Linux 7/8 - 8.1.13 Collect Successful File System Mounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts;
-#
-#
-#8.1.14 Collect File Deletion Events by User
-[CIS - Debian Linux 7/8 - 8.1.14 Collect File Deletion Events by User] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\;
-f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k delete;
-#
-#
-#8.1.15 Collect Changes to System Administration Scope (sudoers)
-[CIS - Debian Linux 7/8 - 8.1.15 Collect Changes to System Administration Scope (sudoers)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /etc/sudoers -p wa -k scope;
-#
-#
-#8.1.16 Collect System Administrator Actions (sudolog)
-[CIS - Debian Linux 7/8 - 8.1.16 Collect System Administrator Actions (sudolog)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/sudo.log -p wa -k actions;
-#
-#
-#8.1.17 Collect Kernel Module Loading and Unloading
-[CIS - Debian Linux 7/8 - 8.1.17 Collect Kernel Module Loading and Unloading] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /sbin/insmod -p x -k modules;
-f:/etc/audit/audit.rules -> !r:^-w /sbin/rmmod -p x -k modules;
-f:/etc/audit/audit.rules -> !r:^-w /sbin/modprobe -p x -k modules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|-a always,exit -F arch=b64 -S init_module -S delete_module -k modules;
-#
-#
-#8.1.18 Make the Audit Configuration Immutable
-[CIS - Debian Linux 7/8 - 8.1.18 Make the Audit Configuration Immutable] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-e 2$;
-#
-#
-#8.3.1 Install AIDE
-[CIS - Debian Linux 7/8 - 8.3.1 Install AIDE] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/usr/sbin/aideinit;
-#
-#
-#8.3.2 Implement Periodic Execution of File Integrity
-[CIS - Debian Linux 7/8 - 8.3.2 Implement Periodic Execution of File Integrity] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/crontab -> !r:/usr/sbin/aide --check;
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value.
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for MYSQL
-# Based on Center for Internet Security Benchmark for MYSQL v1.1.0
-#
-$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
-$enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile;
-$mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf;
-#
-#
-#1.3 Disable MySQL Command History
-[CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download]
-d:$home_dirs -> ^.mysql_history$;
-#
-#
-#1.5 Disable Interactive Login
-[CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$;
-#
-#
-#1.6 Verify That 'MYSQL_PWD' Is Not In Use
-[CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$enviroment_files -> r:\.*MYSQL_PWD\.*;
-#
-#
-#4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'
-[CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true;
-f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;
-#
-#
-#4.4 Ensure 'local_infile' Is Disabled
-[CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1;
-f:$mysql-cnfs -> r:local-infile\s*$;
-#
-#
-#4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables'
-[CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true;
-f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;
-f:$mysql-cnfs -> r:skip-grant-tables\s*$;
-#
-#
-#4.6 Ensure '--skip-symbolic-links' Is Enabled
-[CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no;
-f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;
-f:$mysql-cnfs -> r:skip_symbolic_links\s*$;
-#
-#
-#4.8 Ensure 'secure_file_priv' is not empty
-[CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*;
-f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;
-f:$mysql-cnfs -> r:secure_file_priv\s*$;
-#
-#
-#4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'
-[CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:strict_all_tables\s*$;
-#
-#
-#6.1 Ensure 'log_error' is not empty
-[CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*;
-f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;
-f:$mysql-cnfs -> r:log_error\s*$;
-#
-#
-#6.2 Ensure Log Files are not Stored on a non-system partition
-[CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*;
-f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*;
-f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*;
-f:$mysql-cnfs -> r:log_bin\s*$;
-#
-#
-#6.3 Ensure 'log_warning' is set to 2 at least
-[CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0;
-f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1;
-f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;
-f:$mysql-cnfs -> r:log_warnings\s*$;
-#
-#
-#6.5 Ensure 'log_raw' is set to 'off'
-[CIS - MySQL Configuration - 6.5: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on;
-f:$mysql-cnfs -> r:log-raw\s*$;
-#
-#
-#7.1 Ensure 'old_password' is not set to '1' or 'On'
-[CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1;
-f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on;
-f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;
-f:$mysql-cnfs -> r:old_passwords\s*$;
-#
-#
-#7.2 Ensure 'secure_auth' is set to 'ON'
-[CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off;
-f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;
-f:$mysql-cnfs -> r:secure_auth\s*$;
-#
-#
-#7.3 Ensure Passwords Are Not Stored in the Global Configuration
-[CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:^\s*password\.*;
-#
-#
-#7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'
-[CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:no_auto_create_user\s*$;
-f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$;
-#
-#
-#7.6 Ensure Password Policy is in Place
-[CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;
-f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;
-f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;
-f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;
-f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;
-f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;
-f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;
-#
-#
-#9.2 Ensure 'master_info_repository' is set to 'Table'
-[CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file;
-f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;
-f:$mysql-cnfs -> r:master_info_repository\s*$;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value.
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for MYSQL
-# Based on Center for Internet Security Benchmark for MYSQL v1.1.0
-#
-$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
-$enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile;
-$mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf;
-#
-#
-#1.3 Disable MySQL Command History
-[CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download]
-d:$home_dirs -> ^.mysql_history$;
-#
-#
-#1.5 Disable Interactive Login
-[CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$;
-#
-#
-#1.6 Verify That 'MYSQL_PWD' Is Not In Use
-[CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$enviroment_files -> r:\.*MYSQL_PWD\.*;
-#
-#
-#4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'
-[CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true;
-f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;
-#
-#
-#4.4 Ensure 'local_infile' Is Disabled
-[CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1;
-f:$mysql-cnfs -> r:local-infile\s*$;
-#
-#
-#4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables'
-[CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true;
-f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;
-f:$mysql-cnfs -> r:skip-grant-tables\s*$;
-#
-#
-#4.6 Ensure '--skip-symbolic-links' Is Enabled
-[CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no;
-f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;
-f:$mysql-cnfs -> r:skip_symbolic_links\s*$;
-#
-#
-#4.8 Ensure 'secure_file_priv' is not empty
-[CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*;
-f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;
-f:$mysql-cnfs -> r:secure_file_priv\s*$;
-#
-#
-#4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'
-[CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:strict_all_tables\s*$;
-#
-#
-#6.1 Ensure 'log_error' is not empty
-[CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*;
-f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;
-f:$mysql-cnfs -> r:log_error\s*$;
-#
-#
-#6.2 Ensure Log Files are not Stored on a non-system partition
-[CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*;
-f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*;
-f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*;
-f:$mysql-cnfs -> r:log_bin\s*$;
-#
-#
-#6.3 Ensure 'log_warning' is set to 2 at least
-[CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0;
-f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1;
-f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;
-f:$mysql-cnfs -> r:log_warnings\s*$;
-#
-#
-#6.4 Ensure 'log_raw' is set to 'off'
-[CIS - MySQL Configuration - 6.4: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on;
-f:$mysql-cnfs -> r:log-raw\s*$;
-#
-#
-#6.5 Ensure audit_log_connection_policy is not set to 'none'
-[CIS - MySQL Configuration - 6.5: audit_log_connection_policy is set to 'none' change it to all or erros] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r^# && r::audit_log_connection_policy\s*=\s*none;
-f:$mysql-cnfs -> r:audit_log_connection_policy\s*$;
-#
-#
-#6.6 Ensure audit_log_exclude_account is set to Null
-[CIS - MySQL Configuration - 6.6:audit_log_exclude_accounts is not set to Null] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && !r:null\s*$;
-f:$mysql-cnfs -> r:audit_log_exclude_accounts\s*$;
-#
-#
-#6.7 Ensure audit_log_include_accounts is set to Null
-[CIS - MySQL Configuration - 6.7:audit_log_include_accounts is not set to Null] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && !r:null\s*$;
-f:$mysql-cnfs -> r:audit_log_include_accounts\s*$;
-#
-#
-#6.9 Ensure audit_log_policy is not set to all
-[CIS - MySQL Configuration - 6.9: audit_log_policy is not set to all] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*queries;
-f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*none;
-f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*logins;
-f:$mysql-cnfs -> r:audit_log_policy\s*$;
-#
-#
-#6.10 Ensure audit_log_statement_policy is set to all
-[CIS - MySQL Configuration - 6.10: Ensure audit_log_statement_policy is set to all] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:audit_log_statement_policy\.+errors;
-f:$mysql-cnfs -> !r:^# && r:audit_log_statement_policy\.+none;
-f:$mysql-cnfs -> r:audit_log_statement_policy\s*$;
-#
-#
-#6.11 Ensure audit_log_strategy is set to synchronous or semisynchronous
-[CIS - MySQL Configuration - 6.11: Ensure audit_log_strategy is set to all] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:audit_log_strategy\.+asynchronous;
-f:$mysql-cnfs -> !r:^# && r:audit_log_strategy\.+performance;
-f:$mysql-cnfs -> !r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous;
-f:$mysql-cnfs -> r:audit_log_strategy\s*$;
-#
-#
-#6.12 Make sure the audit plugin can't be unloaded
-[CIS - MySQL Configuration - 6.12: Audit plugin can be unloaded] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*on\s*;
-f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*off\s*;
-f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*force\s*;
-f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent\s*;
-f:$mysql-cnfs -> r:^audit_log\s$;
-#
-#
-#7.1 Ensure 'old_password' is not set to '1' or 'On'
-[CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1;
-f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on;
-f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;
-f:$mysql-cnfs -> r:old_passwords\s*$;
-#
-#
-#7.2 Ensure 'secure_auth' is set to 'ON'
-[CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off;
-f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;
-f:$mysql-cnfs -> r:secure_auth\s*$;
-#
-#
-#7.3 Ensure Passwords Are Not Stored in the Global Configuration
-[CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:^\s*password\.*;
-#
-#
-#7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'
-[CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:no_auto_create_user\s*$;
-f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$;
-#
-#
-#7.6 Ensure Password Policy is in Place
-[CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;
-f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;
-f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;
-f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;
-f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;
-f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;
-f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;
-#
-#
-#9.2 Ensure 'master_info_repository' is set to 'Table'
-[CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download]
-f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file;
-f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;
-f:$mysql-cnfs -> r:master_info_repository\s*$;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-
-# CIS Checks for Red Hat / CentOS 5
-# Based on CIS Benchmark for Red Hat Enterprise Linux 5 v2.1.0
-
-# TODO: URL is invalid currently
-
-# RC scripts location
-$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
-
-
-[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5;
-f:/etc/redhat-release -> r:^CentOS && r:release 5;
-f:/etc/redhat-release -> r:^Cloud && r:release 5;
-f:/etc/redhat-release -> r:^Oracle && r:release 5;
-f:/etc/redhat-release -> r:^Better && r:release 5;
-
-
-# 1.1.1 /tmp: partition
-[CIS - RHEL5 - - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 1.1.1 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:/tmp;
-
-# 1.1.2 /tmp: nodev
-[CIS - RHEL5 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 1.1.3 /tmp: nosuid
-[CIS - RHEL5 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
-
-# 1.1.4 /tmp: noexec
-[CIS - RHEL5 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 1.1.5 Build considerations - Partition scheme.
-[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r^# && !r:/var;
-
-# 1.1.6 bind mount /var/tmp to /tmp
-[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
-
-# 1.1.7 /var/log: partition
-[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log;
-
-# 1.1.8 /var/log/audit: partition
-[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log/audit;
-
-# 1.1.9 /home: partition
-[CIS - RHEL5 - - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 Debian RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/home;
-
-# 1.1.10 /home: nodev
-[CIS - RHEL5 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
-
-# 1.1.11 nodev on removable media partitions (not scored)
-[CIS - RHEL5 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
-
-# 1.1.12 noexec on removable media partitions (not scored)
-[CIS - RHEL5 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
-
-# 1.1.13 nosuid on removable media partitions (not scored)
-[CIS - RHEL5 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
-
-# 1.1.14 /dev/shm: nodev
-[CIS - RHEL5 - 1.1.11 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
-
-# 1.1.15 /dev/shm: nosuid
-[CIS - RHEL5 - 1.1.11 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
-
-# 1.1.16 /dev/shm: noexec
-[CIS - RHEL5 - 1.1.11 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
-
-# 1.1.17 sticky bit on world writable directories (Scored)
-# TODO
-
-# 1.1.18 disable cramfs (not scored)
-
-# 1.1.19 disable freevxfs (not scored)
-
-# 1.1.20 disable jffs2 (not scored)
-
-# 1.1.21 disable hfs (not scored)
-
-# 1.1.22 disable hfsplus (not scored)
-
-# 1.1.23 disable squashfs (not scored)
-
-# 1.1.24 disable udf (not scored)
-
-
-##########################################
-# 1.2 Software Updates
-##########################################
-
-# 1.2.1 Configure rhn updates (not scored)
-
-# 1.2.2 verify RPM gpg keys (Scored)
-# TODO
-
-# 1.2.3 verify gpgcheck enabled (Scored)
-# TODO
-
-# 1.2.4 Disable rhnsd (not scored)
-
-# 1.2.5 Disable yum-updatesd (Scored)
-[CIS - RHEL5 - 1.2.5 - yum-updatesd not Disabled {CIS: 1.2.5 RHEL5} {PCI_DSS: 6.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
-p:yum-updatesd;
-
-# 1.2.6 Obtain updates with yum (not scored)
-
-# 1.2.7 Verify package integrity (not scored)
-
-
-###############################################
-# 1.3 Advanced Intrusion Detection Environment
-###############################################
-#
-# Skipped, this control is obsoleted by OSSEC
-#
-
-
-###############################################
-# 1.4 Configure SELinux
-###############################################
-
-# 1.4.1 enable selinux in /etc/grub.conf
-[CIS - RHEL5 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/grub.conf -> !r:selinux=0;
-
-# 1.4.2 Set selinux state
-[CIS - RHEL5 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/selinux/config -> r:SELINUX=enforcing;
-
-# 1.4.3 Set seliux policy
-[CIS - RHEL5 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/selinux/config -> r:SELINUXTYPE=targeted;
-
-# 1.4.4 Remove SETroubleshoot
-[CIS - RHEL5 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsetroubleshoot$;
-
-# 1.4.5 Disable MCS Translation service mcstrans
-[CIS - RHEL5 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dmctrans$;
-
-# 1.4.6 Check for unconfined daemons
-# TODO
-
-
-###############################################
-# 1.5 Secure Boot Settings
-###############################################
-
-# 1.5.1 Set User/Group Owner on /etc/grub.conf
-# TODO (no mode tests)
-
-# 1.5.2 Set Permissions on /etc/grub.conf (Scored)
-# TODO (no mode tests)
-
-# 1.5.3 Set Boot Loader Password (Scored)
-[CIS - RHEL5 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/boot/grub/menu.lst -> !r:^# && !r:password;
-
-# 1.5.4 Require Authentication for Single-User Mode (Scored)
-[CIS - RHEL5 - 1.5.4 - Authentication for single user mode not enabled {CIS: 1.5.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/inittab -> !r:^# && r:S:wait;
-
-# 1.5.5 Disable Interactive Boot (Scored)
-[CIS - RHEL5 - 1.5.5 - Interactive Boot not disabled {CIS: 1.5.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no;
-
-
-
-###############################################
-# 1.6 Additional Process Hardening
-###############################################
-
-# 1.6.1 Restrict Core Dumps (Scored)
-[CIS - RHEL5 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
-
-# 1.6.2 Configure ExecShield (Scored)
-[CIS - RHEL5 - 1.6.2 - ExecShield not enabled {CIS: 1.6.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/kernel/exec-shield -> 0;
-
-# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
-[CIS - RHEL5 - 1.6.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 1.6.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/kernel/randomize_va_space -> 0;
-
-# 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored)
-# TODO
-
-# 1.6.5 Disable Prelink (Scored)
-[CIS - RHEL5 - 1.6.5 - Prelink not disabled {CIS: 1.6.5 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/sysconfig/prelink -> !r:PRELINKING=no;
-
-
-###############################################
-# 1.7 Use the Latest OS Release
-###############################################
-
-
-###############################################
-# 2 OS Services
-###############################################
-
-###############################################
-# 2.1 Remove Legacy Services
-###############################################
-
-# 2.1.1 Remove telnet-server (Scored)
-# TODO: detect it is installed at all
-[CIS - RHEL5 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
-
-
-# 2.1.2 Remove telnet Clients (Scored)
-# TODO
-
-# 2.1.3 Remove rsh-server (Scored)
-[CIS - RHEL5 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
-
-# 2.1.4 Remove rsh (Scored)
-# TODO
-
-# 2.1.5 Remove NIS Client (Scored)
-[CIS - RHEL5 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dypbind$;
-
-# 2.1.6 Remove NIS Server (Scored)
-[CIS - RHEL5 - 2.1.5 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dypserv$;
-
-# 2.1.7 Remove tftp (Scored)
-# TODO
-
-# 2.1.8 Remove tftp-server (Scored)
-[CIS - RHEL5 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
-
-# 2.1.9 Remove talk (Scored)
-# TODO
-
-# 2.1.10 Remove talk-server (Scored)
-[CIS - RHEL5 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
-
-# 2.1.11 Remove xinetd (Scored)
-# TODO
-
-# 2.1.12 Disable chargen-dgram (Scored)
-# TODO
-
-# 2.1.13 Disable chargen-stream (Scored)
-# TODO
-
-# 2.1.14 Disable daytime-dgram (Scored)
-# TODO
-
-# 2.1.15 Disable daytime-stream (Scored)
-# TODO
-
-# 2.1.16 Disable echo-dgram (Scored)
-# TODO
-
-# 2.1.17 Disable echo-stream (Scored)
-# TODO
-
-# 2.1.18 Disable tcpmux-server (Scored)
-# TODO
-
-
-###############################################
-# 3 Special Purpose Services
-###############################################
-
-###############################################
-# 3.1 Disable Avahi Server
-###############################################
-
-# 3.1.1 Disable Avahi Server (Scored)
-[CIS - RHEL5 - 3.1.1 - Avahi daemon not disabled {CIS: 3.1.1 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-p:avahi-daemon;
-
-# 3.1.2 Service Only via Required Protocol (Not Scored)
-# TODO
-
-# 3.1.3 Check Responses TTL Field (Scored)
-# TODO
-
-# 3.1.4 Prevent Other Programs from Using Avahi’s Port (Not Scored)
-# TODO
-
-# 3.1.5 Disable Publishing (Not Scored)
-
-# 3.1.6 Restrict Published Information (if publishing is required) (Not scored)
-
-# 3.2 Set Daemon umask (Scored)
-[CIS - RHEL5 - 3.2 - Set daemon umask - Default umask is higher than 027 {CIS: 3.2 RHEL5}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027;
-
-# 3.3 Remove X Windows (Scored)
-[CIS - RHEL5 - 3.3 - X11 not disabled {CIS: 3.3 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/inittab -> !r:^# && r:id:5;
-
-# 3.4 Disable Print Server - CUPS (Not Scored)
-
-# 3.5 Remove DHCP Server (Not Scored)
-# TODO
-
-# 3.6 Configure Network Time Protocol (NTP) (Scored)
-#[CIS - RHEL5 - 3.6 - NTPD not disabled {CIS: 3.6 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-# TODO.
-
-# 3.7 Remove LDAP (Not Scored)
-
-# 3.8 Disable NFS and RPC (Not Scored)
-[CIS - RHEL5 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnfs$;
-d:$rc_dirs -> ^S\d\dnfslock$;
-
-# 3.9 Remove DNS Server (Not Scored)
-# TODO
-
-# 3.10 Remove FTP Server (Not Scored)
-[CIS - RHEL5 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
-
-# 3.11 Remove HTTP Server (Not Scored)
-[CIS - RHEL5 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dhttpd$;
-
-# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
-[CIS - RHEL5 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
-
-[CIS - RHEL5 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
-
-# 3.13 Remove Samba (Not Scored)
-[CIS - RHEL5 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsamba$;
-d:$rc_dirs -> ^S\d\dsmb$;
-
-# 3.14 Remove HTTP Proxy Server (Not Scored)
-[CIS - RHEL5 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsquid$;
-
-# 3.15 Remove SNMP Server (Not Scored)
-[CIS - RHEL5 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsnmpd$;
-
-# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
-# TODO
-
-
-###############################################
-# 4 Network Configuration and Firewalls
-###############################################
-
-###############################################
-# 4.1 Modify Network Parameters (Host Only)
-###############################################
-
-# 4.1.1 Disable IP Forwarding (Scored)
-[CIS - RHEL5 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/ip_forward -> 1;
-f:/proc/sys/net/ipv6/ip_forward -> 1;
-
-# 4.1.2 Disable Send Packet Redirects (Scored)
-[CIS - RHEL5 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
-f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
-
-
-###############################################
-# 4.2 Modify Network Parameters (Host and Router)
-###############################################
-
-# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
-[CIS - RHEL5 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
-
-# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
-[CIS - RHEL5 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 4.2.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
-
-# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
-[CIS - RHEL5 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
-
-# 4.2.4 Log Suspicious Packets (Scored)
-[CIS - RHEL5 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
-
-# 4.2.5 Enable Ignore Broadcast Requests (Scored)
-[CIS - RHEL5 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
-
-# 4.2.6 Enable Bad Error Message Protection (Scored)
-[CIS - RHEL5 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
-
-# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
-[CIS - RHEL5 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
-f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
-
-# 4.2.8 Enable TCP SYN Cookies (Scored)
-[CIS - RHEL5 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
-
-
-###############################################
-# 4.3 Wireless Networking
-###############################################
-
-# 4.3.1 Deactivate Wireless Interfaces (Not Scored)
-
-
-###############################################
-# 4.4 Disable ipv6
-###############################################
-
-###############################################
-# 4.4.1 Configure IPv6
-###############################################
-
-# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
-
-# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
-
-# 4.4.2 Disable IPv6 (Not Scored)
-
-
-###############################################
-# 4.5 Install TCP Wrappers
-###############################################
-
-# 4.5.1 Install TCP Wrappers (Not Scored)
-
-# 4.5.2 Create /etc/hosts.allow (Not Scored)
-
-# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
-# TODO
-
-# 4.5.4 Create /etc/hosts.deny (Not Scored)
-
-# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
-# TODO
-
-
-###############################################
-# 4.6 Uncommon Network Protocols
-###############################################
-
-# 4.6.1 Disable DCCP (Not Scored)
-
-# 4.6.2 Disable SCTP (Not Scored)
-
-# 4.6.3 Disable RDS (Not Scored)
-
-# 4.6.4 Disable TIPC (Not Scored)
-
-# 4.7 Enable IPtables (Scored)
-# TODO
-
-# 4.8 Enable IP6tables (Not Scored)
-
-
-###############################################
-# 5 Logging and Auditing
-###############################################
-
-###############################################
-# 5.1 Configure Syslog
-###############################################
-
-# 5.1.1 Configure /etc/syslog.conf (Not Scored)
-
-# 5.1.2 Create and Set Permissions on syslog Log Files (Scored)
-
-# 5.1.3 Configure syslog to Send Logs to a Remote Log Host (Scored)
-
-# 5.1.4 Accept Remote syslog Messages Only on Designated Log Hosts (Not Scored)
-
-
-###############################################
-# 5.2 Configure rsyslog
-###############################################
-
-# 5.2.1 Install the rsyslog package (Not Scored)
-
-# 5.2.2 Activate the rsyslog Service (Not Scored)
-
-# 5.2.3 Configure /etc/rsyslog.conf (Not Scored)
-
-# 5.2.4 Create and Set Permissions on rsyslog Log Files (Not Scored)
-
-# 5.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Not Scored)
-
-# 5.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
-
-
-###############################################
-# 5.3 Configure System Accounting (auditd)
-###############################################
-
-###############################################
-# 5.3.1 Configure Data Retention
-###############################################
-
-# 5.3.1.1 Configure Audit Log Storage Size (Not Scored)
-
-# 5.3.1.2 Disable System on Audit Log Full (Not Scored)
-
-# 5.3.1.3 Keep All Auditing Information (Scored)
-
-# 5.3.2 Enable auditd Service (Scored)
-
-# 5.3.3 Configure Audit Log Storage Size (Not Scored)
-
-# 5.3.4 Disable System on Audit Log Full (Not Scored)
-
-# 5.3.5 Keep All Auditing Information (Scored)
-
-# 5.3.6 Enable Auditing for Processes That Start Prior to auditd (Scored)
-
-# 5.3.7 Record Events That Modify Date and Time Information (Scored)
-
-# 5.3.8 Record Events That Modify User/Group Information (Scored)
-
-# 5.3.9 Record Events That Modify the System’s Network Environment (Scored)
-
-# 5.3.10 Record Events That Modify the System’s Mandatory Access Controls (Scored)
-
-# 5.3.11 Collect Login and Logout Events (Scored)
-
-# 5.3.12 Collect Session Initiation Information (Scored)
-
-# 5.3.13 Collect Discretionary Access Control Permission Modification Events (Scored)
-
-# 5.3.14 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
-
-# 5.3.15 Collect Use of Privileged Commands (Scored)
-
-# 5.3.16 Collect Successful File System Mounts (Scored)
-
-# 5.3.17 Collect File Deletion Events by User (Scored)
-
-# 5.3.18 Collect Changes to System Administration Scope (sudoers) (Scored)
-
-# 5.3.19 Collect System Administrator Actions (sudolog) (Scored)
-
-# 5.3.20 Collect Kernel Module Loading and Unloading (Scored)
-
-# 5.3.21 Make the Audit Configuration Immutable (Scored)
-
-# 5.4 Configure logrotate (Not Scored)
-
-
-###############################################
-# 6 System Access, Authentication and Authorization
-###############################################
-
-###############################################
-# 6.1 Configure cron and anacron
-###############################################
-
-# 6.1.1 Enable anacron Daemon (Scored)
-
-# 6.1.2 Enable cron Daemon (Scored)
-
-# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
-
-# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
-
-# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
-
-# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
-
-# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
-
-# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
-
-# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
-
-# 6.1.10 Restrict at Daemon (Scored)
-
-# 6.1.11 Restrict at/cron to Authorized Users (Scored)
-
-###############################################
-# 6.1 Configure SSH
-###############################################
-
-# 6.2.1 Set SSH Protocol to 2 (Scored)
-[CIS - RHEL5 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
-
-# 6.2.2 Set LogLevel to INFO (Scored)
-
-# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
-
-# 6.2.4 Disable SSH X11 Forwarding (Scored)
-
-# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
-
-# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
-[CIS - RHEL5 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
-
-# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
-[CIS - RHEL5 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
-
-# 6.2.8 Disable SSH Root Login (Scored)
-[CIS - RHEL5 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
-
-# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
-[CIS - RHEL5 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
-
-# 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
-
-# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
-
-# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored)
-
-# 6.2.13 Limit Access via SSH (Scored)
-
-# 6.2.14 Set SSH Banner (Scored)
-
-# 6.2.15 Enable SSH UsePrivilegeSeparation (Scored)
-
-
-###############################################
-# 6.3 Configure PAM
-###############################################
-
-# 6.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
-
-# 6.3.2 Set Lockout for Failed Password Attempts (Not Scored)
-
-# 6.3.3 Use pam_deny.so to Deny Services (Not Scored)
-
-# 6.3.4 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
-
-# 6.3.5 Limit Password Reuse (Scored)
-
-# 6.3.6 Remove the pam_ccreds Package (Scored)
-
-# 6.4 Restrict root Login to System Console (Not Scored)
-
-# 6.5 Restrict Access to the su Command (Scored)
-
-
-###############################################
-# 7 User Accounts and Environment
-###############################################
-
-###############################################
-# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
-###############################################
-
-# 7.1.1 Set Password Expiration Days (Scored)
-
-# 7.1.2 Set Password Change Minimum Number of Days (Scored)
-
-# 7.1.3 Set Password Expiring Warning Days (Scored)
-
-# 7.2 Disable System Accounts (Scored)
-
-# 7.3 Set Default Group for root Account (Scored)
-
-# 7.4 Set Default umask for Users (Scored)
-
-# 7.5 Lock Inactive User Accounts (Scored)
-
-
-###############################################
-# 8 Warning Banners
-###############################################
-
-###############################################
-# 8.1 Warning Banners for Standard Login Services
-###############################################
-
-# 8.1.1 Set Warning Banner for Standard Login Services (Scored)
-
-# 8.1.2 Remove OS Information from Login Warning Banners (Scored)
-
-# 8.2 Set GNOME Warning Banner (Not Scored)
-
-
-###############################################
-# 9 System Maintenance
-###############################################
-
-###############################################
-# 9.1 Verify System File Permissions
-###############################################
-
-# 9.1.1 Verify System File Permissions (Not Scored)
-
-# 9.1.2 Verify Permissions on /etc/passwd (Scored)
-
-# 9.1.3 Verify Permissions on /etc/shadow (Scored)
-
-# 9.1.4 Verify Permissions on /etc/gshadow (Scored)
-
-# 9.1.5 Verify Permissions on /etc/group (Scored)
-
-# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
-
-# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
-
-# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
-
-# 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
-
-# 9.1.10 Find World Writable Files (Not Scored)
-
-# 9.1.11 Find Un-owned Files and Directories (Scored)
-
-# 9.1.12 Find Un-grouped Files and Directories (Scored)
-
-# 9.1.13 Find SUID System Executables (Not Scored)
-
-# 9.1.14 Find SGID System Executables (Not Scored)
-
-
-###############################################
-# 9.2 Review User and Group Settings
-###############################################
-
-# 9.2.1 Ensure Password Fields are Not Empty (Scored)
-
-# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
-
-# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
-
-# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
-
-# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
-[CIS - RHEL5 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL5} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-
-# 9.2.6 Ensure root PATH Integrity (Scored)
-
-# 9.2.7 Check Permissions on User Home Directories (Scored)
-
-# 9.2.8 Check User Dot File Permissions (Scored)
-
-# 9.2.9 Check Permissions on User .netrc Files (Scored)
-
-# 9.2.10 Check for Presence of User .rhosts Files (Scored)
-
-# 9.2.11 Check Groups in /etc/passwd (Scored)
-
-# 9.2.12 Check That Users Are Assigned Home Directories (Scored)
-
-# 9.2.13 Check That Defined Home Directories Exist (Scored)
-
-# 9.2.14 Check User Home Directory Ownership (Scored)
-
-# 9.2.15 Check for Duplicate UIDs (Scored)
-
-# 9.2.16 Check for Duplicate GIDs (Scored)
-
-# 9.2.17 Check That Reserved UIDs Are Assigned to System Accounts
-
-# 9.2.18 Check for Duplicate User Names (Scored)
-
-# 9.2.19 Check for Duplicate Group Names (Scored)
-
-# 9.2.20 Check for Presence of User .netrc Files (Scored)
-
-# 9.2.21 Check for Presence of User .forward Files (Scored)
-
-# Other/Legacy Tests
-[CIS - RHEL5 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/shadow -> r:^\w+::;
-
-[CIS - RHEL5 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
-f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
-
-[CIS - RHEL5 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dkudzu$;
-
-[CIS - RHEL5 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dpostgresql$;
-
-[CIS - RHEL5 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dmysqld$;
-
-[CIS - RHEL5 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnamed$;
-
-[CIS - RHEL5 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnetfs$;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-
-# CIS Checks for Red Hat / CentOS 6
-# Based on CIS Benchmark for Red Hat Enterprise Linux 6 v1.3.0
-
-# RC scripts location
-$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
-
-
-[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 6;
-f:/etc/redhat-release -> r:^CentOS && r:release 6;
-f:/etc/redhat-release -> r:^Cloud && r:release 6;
-f:/etc/redhat-release -> r:^Oracle && r:release 6;
-f:/etc/redhat-release -> r:^Better && r:release 6;
-
-# 1.1.1 /tmp: partition
-[CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:/tmp;
-
-# 1.1.2 /tmp: nodev
-[CIS - RHEL6 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 1.1.3 /tmp: nosuid
-[CIS - RHEL6 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
-
-# 1.1.4 /tmp: noexec
-[CIS - RHEL6 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 1.1.5 Build considerations - Partition scheme.
-[CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r^# && !r:/var;
-
-# 1.1.6 bind mount /var/tmp to /tmp
-[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
-
-# 1.1.7 /var/log: partition
-[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log;
-
-# 1.1.8 /var/log/audit: partition
-[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log/audit;
-
-# 1.1.9 /home: partition
-[CIS - RHEL6 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> ^# && !r:/home;
-
-# 1.1.10 /home: nodev
-[CIS - RHEL6 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
-
-# 1.1.11 nodev on removable media partitions (not scored)
-[CIS - RHEL6 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
-
-# 1.1.12 noexec on removable media partitions (not scored)
-[CIS - RHEL6 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
-
-# 1.1.13 nosuid on removable media partitions (not scored)
-[CIS - RHEL6 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
-
-# 1.1.14 /dev/shm: nodev
-[CIS - RHEL6 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
-
-# 1.1.15 /dev/shm: nosuid
-[CIS - RHEL6 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
-
-# 1.1.16 /dev/shm: noexec
-[CIS - RHEL6 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
-
-# 1.1.17 sticky bit on world writable directories (Scored)
-# TODO
-
-# 1.1.18 disable cramfs (not scored)
-
-# 1.1.19 disable freevxfs (not scored)
-
-# 1.1.20 disable jffs2 (not scored)
-
-# 1.1.21 disable hfs (not scored)
-
-# 1.1.22 disable hfsplus (not scored)
-
-# 1.1.23 disable squashfs (not scored)
-
-# 1.1.24 disable udf (not scored)
-
-
-##########################################
-# 1.2 Software Updates
-##########################################
-
-# 1.2.1 Configure rhn updates (not scored)
-
-# 1.2.2 verify RPM gpg keys (Scored)
-# TODO
-
-# 1.2.3 verify gpgcheck enabled (Scored)
-# TODO
-
-# 1.2.4 Disable rhnsd (not scored)
-
-# 1.2.5 Obtain Software Package Updates with yum (Not Scored)
-
-# 1.2.6 Obtain updates with yum (not scored)
-
-
-###############################################
-# 1.3 Advanced Intrusion Detection Environment
-###############################################
-#
-# Skipped, this control is obsoleted by OSSEC
-#
-
-###############################################
-# 1.4 Configure SELinux
-###############################################
-
-# 1.4.1 enable selinux in /etc/grub.conf
-[CIS - RHEL6 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/grub.conf -> !r:selinux=0;
-
-# 1.4.2 Set selinux state
-[CIS - RHEL6 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/selinux/config -> r:SELINUX=enforcing;
-
-# 1.4.3 Set seliux policy
-[CIS - RHEL6 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/selinux/config -> r:SELINUXTYPE=targeted;
-
-# 1.4.4 Remove SETroubleshoot
-[CIS - RHEL6 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dsetroubleshoot$;
-
-# 1.4.5 Disable MCS Translation service mcstrans
-[CIS - RHEL6 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dmctrans$;
-
-# 1.4.6 Check for unconfined daemons
-# TODO
-
-
-###############################################
-# 1.5 Secure Boot Settings
-###############################################
-
-# 1.5.1 Set User/Group Owner on /etc/grub.conf
-# TODO (no mode tests)
-
-# 1.5.2 Set Permissions on /etc/grub.conf (Scored)
-# TODO (no mode tests)
-
-# 1.5.3 Set Boot Loader Password (Scored)
-[CIS - RHEL6 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/boot/grub/menu.lst -> !r:^# && !r:password;
-
-# 1.5.4 Require Authentication for Single-User Mode (Scored)
-[CIS - RHEL6 - 1.5.4 - Authentication for single user mode not enabled {CIS: 1.5.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/inittab -> !r:^# && r:S:wait;
-
-# 1.5.5 Disable Interactive Boot (Scored)
-[CIS - RHEL6 - 1.5.5 - Interactive Boot not disabled {CIS: 1.5.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no;
-
-
-###############################################
-# 1.6 Additional Process Hardening
-###############################################
-
-# 1.6.1 Restrict Core Dumps (Scored)
-[CIS - RHEL6 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
-
-# 1.6.2 Configure ExecShield (Scored)
-[CIS - RHEL6 - 1.6.2 - ExecShield not enabled {CIS: 1.6.2 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/kernel/exec-shield -> 0;
-
-# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
-[CIS - RHEL6 - 1.6.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 1.6.3 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/kernel/randomize_va_space -> 0;
-
-
-###############################################
-# 1.7 Use the Latest OS Release (Not Scored)
-###############################################
-
-
-###############################################
-# 2 OS Services
-###############################################
-
-###############################################
-# 2.1 Remove Legacy Services
-###############################################
-
-# 2.1.1 Remove telnet-server (Scored)
-# TODO: detect it is installed at all
-[CIS - RHEL6 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
-
-
-# 2.1.2 Remove telnet Clients (Scored)
-# TODO
-
-# 2.1.3 Remove rsh-server (Scored)
-[CIS - RHEL6 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
-
-# 2.1.4 Remove rsh (Scored)
-# TODO
-
-# 2.1.5 Remove NIS Client (Scored)
-[CIS - RHEL6 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dypbind$;
-
-# 2.1.6 Remove NIS Server (Scored)
-[CIS - RHEL6 - 2.1.6 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dypserv$;
-
-# 2.1.7 Remove tftp (Scored)
-# TODO
-
-# 2.1.8 Remove tftp-server (Scored)
-[CIS - RHEL6 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
-
-# 2.1.9 Remove talk (Scored)
-# TODO
-
-# 2.1.10 Remove talk-server (Scored)
-[CIS - RHEL6 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
-
-# 2.1.11 Remove xinetd (Scored)
-# TODO
-
-# 2.1.12 Disable chargen-dgram (Scored)
-# TODO
-
-# 2.1.13 Disable chargen-stream (Scored)
-# TODO
-
-# 2.1.14 Disable daytime-dgram (Scored)
-# TODO
-
-# 2.1.15 Disable daytime-stream (Scored)
-# TODO
-
-# 2.1.16 Disable echo-dgram (Scored)
-# TODO
-
-# 2.1.17 Disable echo-stream (Scored)
-# TODO
-
-# 2.1.18 Disable tcpmux-server (Scored)
-# TODO
-
-
-###############################################
-# 3 Special Purpose Services
-###############################################
-
-# 3.1 Set Daemon umask (Scored)
-[CIS - RHEL6 - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 RHEL6} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027;
-
-# 3.2 Remove X Windows (Scored)
-[CIS - RHEL6 - 3.2 - X11 not disabled {CIS: 3.2 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/inittab -> !r:^# && r:id:5;
-
-# 3.3 Disable Avahi Server (Scored)
-[CIS - RHEL6 - 3.2 - Avahi daemon not disabled {CIS: 3.3 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-p:avahi-daemon;
-
-# 3.4 Disable Print Server - CUPS (Not Scored)
-
-# 3.5 Remove DHCP Server (Not Scored)
-# TODO
-
-# 3.6 Configure Network Time Protocol (NTP) (Scored)
-#[CIS - RHEL6 - 3.6 - NTPD not disabled {CIS: 1.1.1 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-# TODO.
-
-# 3.7 Remove LDAP (Not Scored)
-
-# 3.8 Disable NFS and RPC (Not Scored)
-[CIS - RHEL6 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dnfs$;
-d:$rc_dirs -> ^S\d\dnfslock$;
-
-# 3.9 Remove DNS Server (Not Scored)
-# TODO
-
-# 3.10 Remove FTP Server (Not Scored)
-[CIS - RHEL6 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
-
-# 3.11 Remove HTTP Server (Not Scored)
-[CIS - RHEL6 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dhttpd$;
-
-# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
-[CIS - RHEL6 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
-
-[CIS - RHEL6 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
-
-# 3.13 Remove Samba (Not Scored)
-[CIS - RHEL6 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dsamba$;
-d:$rc_dirs -> ^S\d\dsmb$;
-
-# 3.14 Remove HTTP Proxy Server (Not Scored)
-[CIS - RHEL6 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dsquid$;
-
-# 3.15 Remove SNMP Server (Not Scored)
-[CIS - RHEL6 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dsnmpd$;
-
-# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
-# TODO
-
-
-###############################################
-# 4 Network Configuration and Firewalls
-###############################################
-
-###############################################
-# 4.1 Modify Network Parameters (Host Only)
-###############################################
-
-# 4.1.1 Disable IP Forwarding (Scored)
-[CIS - RHEL6 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/ip_forward -> 1;
-f:/proc/sys/net/ipv6/ip_forward -> 1;
-
-# 4.1.2 Disable Send Packet Redirects (Scored)
-[CIS - RHEL6 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
-f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
-
-
-###############################################
-# 4.2 Modify Network Parameters (Host and Router)
-###############################################
-
-# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
-[CIS - RHEL6 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
-
-# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
-#[CIS - RHEL6 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 1.1.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-#f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
-#f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
-
-# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
-[CIS - RHEL6 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
-
-# 4.2.4 Log Suspicious Packets (Scored)
-[CIS - RHEL6 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
-
-# 4.2.5 Enable Ignore Broadcast Requests (Scored)
-[CIS - RHEL6 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
-
-# 4.2.6 Enable Bad Error Message Protection (Scored)
-[CIS - RHEL6 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
-
-# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
-[CIS - RHEL6 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
-f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
-
-# 4.2.8 Enable TCP SYN Cookies (Scored)
-[CIS - RHEL6 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
-
-
-###############################################
-# 4.3 Wireless Networking
-###############################################
-
-# 4.3.1 Deactivate Wireless Interfaces (Not Scored)
-
-
-###############################################
-# 4.4 Disable ipv6
-###############################################
-
-###############################################
-# 4.4.1 Configure IPv6
-###############################################
-
-# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
-
-# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
-
-# 4.4.2 Disable IPv6 (Not Scored)
-
-
-###############################################
-# 4.5 Install TCP Wrappers
-###############################################
-
-# 4.5.1 Install TCP Wrappers (Not Scored)
-
-# 4.5.2 Create /etc/hosts.allow (Not Scored)
-
-# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
-# TODO
-
-# 4.5.4 Create /etc/hosts.deny (Not Scored)
-
-# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
-# TODO
-
-
-###############################################
-# 4.6 Uncommon Network Protocols
-###############################################
-
-# 4.6.1 Disable DCCP (Not Scored)
-
-# 4.6.2 Disable SCTP (Not Scored)
-
-# 4.6.3 Disable RDS (Not Scored)
-
-# 4.6.4 Disable TIPC (Not Scored)
-
-# 4.7 Enable IPtables (Scored)
-# TODO
-
-# 4.8 Enable IP6tables (Not Scored)
-
-
-###############################################
-# 5 Logging and Auditing
-###############################################
-
-###############################################
-# 5.1 Configure Syslog
-###############################################
-
-# 5.1.1 Install the rsyslog package (Scored)
-# TODO
-
-# 5.1.2 Activate the rsyslog Service (Scored)
-# TODO
-
-# 5.1.3 Configure /etc/rsyslog.conf (Not Scored)
-
-# 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)
-
-# 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
-
-# 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
-
-
-###############################################
-# 5.2 Configure System Accounting (auditd)
-###############################################
-
-###############################################
-# 5.2.1 Configure Data Retention
-###############################################
-
-# 5.2.1.1 Configure Audit Log Storage Size (Not Scored)
-
-# 5.2.1.2 Disable System on Audit Log Full (Not Scored)
-
-# 5.2.1.3 Keep All Auditing Information (Scored)
-
-# 5.2.2 Enable auditd Service (Scored)
-
-# 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
-
-# 5.2.4 Record Events That Modify Date and Time Information (Scored)
-
-# 5.2.5 Record Events That Modify User/Group Information (Scored)
-
-# 5.2.6 Record Events That Modify the System’s Network Environment (Scored)
-
-# 5.2.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
-
-# 5.2.8 Collect Login and Logout Events (Scored)
-
-# 5.2.9 Collect Session Initiation Information (Scored)
-
-# 5.2.10 Collect Discretionary Access Control Permission Modification Events (Scored)
-
-# 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
-
-# 5.2.12 Collect Use of Privileged Commands (Scored)
-
-# 5.2.13 Collect Successful File System Mounts (Scored)
-
-# 5.2.14 Collect File Deletion Events by User (Scored)
-
-# 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored)
-
-# 5.2.16 Collect System Administrator Actions (sudolog) (Scored)
-
-# 5.2.17 Collect Kernel Module Loading and Unloading (Scored)
-
-# 5.2.18 Make the Audit Configuration Immutable (Scored)
-
-# 5.3 Configure logrotate (Not Scored)
-
-
-###############################################
-# 6 System Access, Authentication and Authorization
-###############################################
-
-###############################################
-# 6.1 Configure cron and anacron
-###############################################
-
-# 6.1.1 Enable anacron Daemon (Scored)
-
-# 6.1.2 Enable cron Daemon (Scored)
-
-# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
-
-# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
-
-# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
-
-# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
-
-# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
-
-# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
-
-# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
-
-# 6.1.10 Restrict at Daemon (Scored)
-
-# 6.1.11 Restrict at/cron to Authorized Users (Scored)
-
-###############################################
-# 6.1 Configure SSH
-###############################################
-
-# 6.2.1 Set SSH Protocol to 2 (Scored)
-[CIS - RHEL6 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
-
-# 6.2.2 Set LogLevel to INFO (Scored)
-
-# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
-
-# 6.2.4 Disable SSH X11 Forwarding (Scored)
-
-# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
-
-# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
-[CIS - RHEL6 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
-
-# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
-[CIS - RHEL6 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
-
-# 6.2.8 Disable SSH Root Login (Scored)
-[CIS - RHEL6 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
-
-# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
-[CIS - RHEL6 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
-
-# 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
-
-# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
-
-# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored)
-
-# 6.2.13 Limit Access via SSH (Scored)
-
-# 6.2.14 Set SSH Banner (Scored)
-
-
-###############################################
-# 6.3 Configure PAM
-###############################################
-
-# 6.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
-
-# 6.3.2 Set Lockout for Failed Password Attempts (Not Scored)
-
-# 6.3.3 Use pam_deny.so to Deny Services (Not Scored)
-
-# 6.3.4 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
-
-# 6.3.5 Limit Password Reuse (Scored)
-
-# 6.4 Restrict root Login to System Console (Not Scored)
-
-# 6.5 Restrict Access to the su Command (Scored)
-
-
-###############################################
-# 7 User Accounts and Environment
-###############################################
-
-###############################################
-# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
-###############################################
-
-# 7.1.1 Set Password Expiration Days (Scored)
-
-# 7.1.2 Set Password Change Minimum Number of Days (Scored)
-
-# 7.1.3 Set Password Expiring Warning Days (Scored)
-
-# 7.2 Disable System Accounts (Scored)
-
-# 7.3 Set Default Group for root Account (Scored)
-
-# 7.4 Set Default umask for Users (Scored)
-
-# 7.5 Lock Inactive User Accounts (Scored)
-
-
-###############################################
-# 8 Warning Banners
-###############################################
-
-###############################################
-# 8.1 Warning Banners for Standard Login Services
-###############################################
-
-# 8.1 Set Warning Banner for Standard Login Services (Scored)
-
-# 8.2 Remove OS Information from Login Warning Banners (Scored)
-
-# 8.3 Set GNOME Warning Banner (Not Scored)
-
-
-###############################################
-# 9 System Maintenance
-###############################################
-
-###############################################
-# 9.1 Verify System File Permissions
-###############################################
-
-# 9.1.1 Verify System File Permissions (Not Scored)
-
-# 9.1.2 Verify Permissions on /etc/passwd (Scored)
-
-# 9.1.3 Verify Permissions on /etc/shadow (Scored)
-
-# 9.1.4 Verify Permissions on /etc/gshadow (Scored)
-
-# 9.1.5 Verify Permissions on /etc/group (Scored)
-
-# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
-
-# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
-
-# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
-
-# 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
-
-# 9.1.10 Find World Writable Files (Not Scored)
-
-# 9.1.11 Find Un-owned Files and Directories (Scored)
-
-# 9.1.12 Find Un-grouped Files and Directories (Scored)
-
-# 9.1.13 Find SUID System Executables (Not Scored)
-
-# 9.1.14 Find SGID System Executables (Not Scored)
-
-
-###############################################
-# 9.2 Review User and Group Settings
-###############################################
-
-# 9.2.1 Ensure Password Fields are Not Empty (Scored)
-
-# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
-
-# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
-
-# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
-
-# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
-[CIS - RHEL6 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL6} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-
-# 9.2.6 Ensure root PATH Integrity (Scored)
-
-# 9.2.7 Check Permissions on User Home Directories (Scored)
-
-# 9.2.8 Check User Dot File Permissions (Scored)
-
-# 9.2.9 Check Permissions on User .netrc Files (Scored)
-
-# 9.2.10 Check for Presence of User .rhosts Files (Scored)
-
-# 9.2.11 Check Groups in /etc/passwd (Scored)
-
-# 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored)
-
-# 9.2.13 Check User Home Directory Ownership (Scored)
-
-# 9.2.14 Check for Duplicate UIDs (Scored)
-
-# 9.2.15 Check for Duplicate GIDs (Scored)
-
-# 9.2.16 Check for Duplicate User Names (Scored)
-
-# 9.2.17 Check for Duplicate Group Names (Scored)
-
-# 9.2.18 Check for Presence of User .netrc Files (Scored)
-
-# 9.2.19 Check for Presence of User .forward Files (Scored)
-
-
-# Other/Legacy Tests
-[CIS - RHEL6 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/shadow -> r:^\w+::;
-
-[CIS - RHEL6 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
-f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
-
-[CIS - RHEL6 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dkudzu$;
-
-[CIS - RHEL6 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dpostgresql$;
-
-[CIS - RHEL6 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dmysqld$;
-
-[CIS - RHEL6 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dnamed$;
-
-[CIS - RHEL6 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
-d:$rc_dirs -> ^S\d\dnetfs$;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-
-# CIS Checks for Red Hat / CentOS 7
-# Based on CIS Benchmark for Red Hat Enterprise Linux 7 v1.1.0
-
-# Vars
-$sshd_file=/etc/ssh/sshd_config;
-
-# RC scripts location
-$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
-
-
-[CIS - Testing against the CIS Red Hat Enterprise Linux 7 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7;
-f:/etc/redhat-release -> r:^CentOS && r:release 7;
-f:/etc/redhat-release -> r:^Cloud && r:release 7;
-f:/etc/redhat-release -> r:^Oracle && r:release 7;
-f:/etc/redhat-release -> r:^Better && r:release 7;
-f:/etc/redhat-release -> r:^OpenVZ && r:release 7;
-
-# 1.1.1 /tmp: partition
-[CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:/tmp;
-
-# 1.1.2 /tmp: nodev
-[CIS - RHEL7 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 1.1.3 /tmp: nosuid
-[CIS - RHEL7 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
-
-# 1.1.4 /tmp: noexec
-[CIS - RHEL7 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:noexec;
-
-# 1.1.5 Build considerations - Partition scheme.
-[CIS - RHEL7 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r^# && !r:/var;
-
-# 1.1.6 bind mount /var/tmp to /tmp
-[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
-
-# 1.1.7 /var/log: partition
-[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log;
-
-# 1.1.8 /var/log/audit: partition
-[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log/audit;
-
-# 1.1.9 /home: partition
-[CIS - RHEL7 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/home;
-
-# 1.1.10 /home: nodev
-[CIS - RHEL7 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
-
-# 1.1.11 nodev on removable media partitions (not scored)
-[CIS - RHEL7 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
-
-# 1.1.12 noexec on removable media partitions (not scored)
-[CIS - RHEL7 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
-
-# 1.1.13 nosuid on removable media partitions (not scored)
-[CIS - RHEL7 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
-
-# 1.1.14 /dev/shm: nodev
-[CIS - RHEL7 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
-
-# 1.1.15 /dev/shm: nosuid
-[CIS - RHEL7 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
-
-# 1.1.16 /dev/shm: noexec
-[CIS - RHEL7 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
-
-# 1.1.17 sticky bit on world writable directories (Scored)
-# TODO
-
-# 1.1.18 disable cramfs (not scored)
-
-# 1.1.19 disable freevxfs (not scored)
-
-# 1.1.20 disable jffs2 (not scored)
-
-# 1.1.21 disable hfs (not scored)
-
-# 1.1.22 disable hfsplus (not scored)
-
-# 1.1.23 disable squashfs (not scored)
-
-# 1.1.24 disable udf (not scored)
-
-
-##########################################
-# 1.2 Software Updates
-##########################################
-
-# 1.2.1 Configure rhn updates (not scored)
-
-# 1.2.2 verify RPM gpg keys (Scored)
-# TODO
-
-# 1.2.3 verify gpgcheck enabled (Scored)
-# TODO
-
-# 1.2.4 Disable rhnsd (not scored)
-
-# 1.2.5 Obtain Software Package Updates with yum (Not Scored)
-
-# 1.2.6 Obtain updates with yum (not scored)
-
-
-###############################################
-# 1.3 Advanced Intrusion Detection Environment
-###############################################
-#
-# Skipped, this control is obsoleted by OSSEC
-#
-
-###############################################
-# 1.4 Configure SELinux
-###############################################
-
-# 1.4.1 enable selinux in /etc/grub.conf
-[CIS - RHEL7 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/grub.conf -> r:selinux=0;
-f:/etc/grub2.cfg -> r:selinux=0;
-
-# 1.4.2 Set selinux state
-[CIS - RHEL7 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/selinux/config -> !r:SELINUX=enforcing;
-
-# 1.4.3 Set seliux policy
-[CIS - RHEL7 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;
-
-# 1.4.4 Remove SETroubleshoot
-[CIS - RHEL7 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsetroubleshoot$;
-f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert;
-
-# 1.4.5 Disable MCS Translation service mcstrans
-[CIS - RHEL7 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dmctrans$;
-f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd;
-
-# 1.4.6 Check for unconfined daemons
-# TODO
-
-
-###############################################
-# 1.5 Secure Boot Settings
-###############################################
-
-# 1.5.1 Set User/Group Owner on /etc/grub.conf
-# TODO (no mode tests)
-# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
-
-# 1.5.2 Set Permissions on /etc/grub.conf (Scored)
-# TODO (no mode tests)
-# stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
-
-# 1.5.3 Set Boot Loader Password (Scored)
-[CIS - RHEL7 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
-
-
-
-###############################################
-# 1.6 Additional Process Hardening
-###############################################
-
-# 1.6.1 Restrict Core Dumps (Scored)
-[CIS - RHEL7 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
-
-# 1.6.1 Enable Randomized Virtual Memory Region Placement (Scored)
-# Note this is also labeled 1.6.1 in the CIS benchmark.
-[CIS - RHEL7 - 1.6.1 - Randomized Virtual Memory Region Placement not enabled {CIS: 1.6.3 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/kernel/randomize_va_space -> !r:^2$;
-
-
-###############################################
-# 1.7 Use the Latest OS Release (Not Scored)
-###############################################
-
-
-###############################################
-# 2 OS Services
-###############################################
-
-###############################################
-# 2.1 Remove Legacy Services
-###############################################
-
-# 2.1.1 Remove telnet-server (Scored)
-# TODO: detect it is installed at all
-[CIS - RHEL7 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
-f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;
-
-
-# 2.1.2 Remove telnet Clients (Scored)
-# TODO
-
-# 2.1.3 Remove rsh-server (Scored)
-[CIS - RHEL7 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
-# TODO (finish this)
-f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;
-f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;
-f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;
-
-# 2.1.4 Remove rsh (Scored)
-# TODO
-
-# 2.1.5 Remove NIS Client (Scored)
-[CIS - RHEL7 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dypbind$;
-f:/usr/lib/systemd/system/ypbind.service -> r:Exec;
-
-# 2.1.6 Remove NIS Server (Scored)
-[CIS - RHEL7 - 2.1.6 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dypserv$;
-f:/usr/lib/systemd/system/ypserv.service -> r:Exec;
-
-# 2.1.7 Remove tftp (Scored)
-# TODO
-
-# 2.1.8 Remove tftp-server (Scored)
-[CIS - RHEL7 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
-f:/usr/lib/systemd/system/tftp.service -> r:Exec;
-
-# 2.1.9 Remove talk (Scored)
-# TODO
-
-# 2.1.10 Remove talk-server (Scored)
-[CIS - RHEL7 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
-f:/usr/lib/systemd/system/ntalk.service -> r:Exec;
-
-# 2.1.11 Remove xinetd (Scored)
-[CIS - RHEL7 - 2.1.11 - xinetd detected {CIS: 2.1.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/usr/lib/systemd/system/xinetd.service -> r:Exec;
-
-# 2.1.12 Disable chargen-dgram (Scored)
-[CIS - RHEL7 - 2.1.12 - chargen-dgram enabled on xinetd {CIS: 2.1.12 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no;
-
-# 2.1.13 Disable chargen-stream (Scored)
-[CIS - RHEL7 - 2.1.13 - chargen-stream enabled on xinetd {CIS: 2.1.13 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no;
-
-# 2.1.14 Disable daytime-dgram (Scored)
-[CIS - RHEL7 - 2.1.14 - daytime-dgram enabled on xinetd {CIS: 2.1.14 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no;
-
-# 2.1.15 Disable daytime-stream (Scored)
-[CIS - RHEL7 - 2.1.15 - daytime-stream enabled on xinetd {CIS: 2.1.15 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no;
-
-
-# 2.1.16 Disable echo-dgram (Scored)
-[CIS - RHEL7 - 2.1.16 - echo-dgram enabled on xinetd {CIS: 2.1.16 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no;
-
-# 2.1.17 Disable echo-stream (Scored)
-[CIS - RHEL7 - 2.1.17 - echo-stream enabled on xinetd {CIS: 2.1.17 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no;
-
-# 2.1.18 Disable tcpmux-server (Scored)
-[CIS - RHEL7 - 2.1.18 - tcpmux-server enabled on xinetd {CIS: 2.1.18 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/tcpmux-server -> !r:^# && r:disable && r:no;
-
-
-###############################################
-# 3 Special Purpose Services
-###############################################
-
-# 3.1 Set Daemon umask (Scored)
-[CIS - RHEL7 - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 RHEL7} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/sysconfig/init -> !r:^# && r:^umask && <:umask 027;
-
-# 3.2 Remove X Windows (Scored)
-[CIS - RHEL7 - 3.2 - X11 not disabled {CIS: 3.2 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/usr/lib/systemd/system/default.target -> r:Graphical;
-p:gdm-x-session;
-
-# 3.3 Disable Avahi Server (Scored)
-[CIS - RHEL7 - 3.2 - Avahi daemon not disabled {CIS: 3.3 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-p:avahi-daemon;
-
-# 3.4 Disable Print Server - CUPS (Not Scored)
-
-# 3.5 Remove DHCP Server (Scored)
-[CIS - RHEL7 - 3.5 - DHCPnot disabled {CIS: 3.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;
-
-# 3.6 Configure Network Time Protocol (NTP) (Scored)
-[CIS - RHEL7 - 3.6 - NTPD not Configured {CIS: 3.6 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
-f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
-
-# 3.7 Remove LDAP (Not Scored)
-
-# 3.8 Disable NFS and RPC (Not Scored)
-[CIS - RHEL7 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnfs$;
-d:$rc_dirs -> ^S\d\dnfslock$;
-
-# 3.9 Remove DNS Server (Not Scored)
-# TODO
-
-# 3.10 Remove FTP Server (Not Scored)
-[CIS - RHEL7 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
-
-# 3.11 Remove HTTP Server (Not Scored)
-[CIS - RHEL7 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dhttpd$;
-
-# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
-[CIS - RHEL7 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
-
-[CIS - RHEL7 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
-
-# 3.13 Remove Samba (Not Scored)
-[CIS - RHEL7 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsamba$;
-d:$rc_dirs -> ^S\d\dsmb$;
-
-# 3.14 Remove HTTP Proxy Server (Not Scored)
-[CIS - RHEL7 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsquid$;
-
-# 3.15 Remove SNMP Server (Not Scored)
-[CIS - RHEL7 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsnmpd$;
-
-# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
-# TODO
-
-
-###############################################
-# 4 Network Configuration and Firewalls
-###############################################
-
-###############################################
-# 4.1 Modify Network Parameters (Host Only)
-###############################################
-
-# 4.1.1 Disable IP Forwarding (Scored)
-[CIS - RHEL7 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/ip_forward -> 1;
-f:/proc/sys/net/ipv6/ip_forward -> 1;
-
-# 4.1.2 Disable Send Packet Redirects (Scored)
-[CIS - RHEL7 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
-f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
-
-
-###############################################
-# 4.2 Modify Network Parameters (Host and Router)
-###############################################
-
-# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
-[CIS - RHEL7 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
-
-# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
-[CIS - RHEL7 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 1.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
-
-# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
-[CIS - RHEL7 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
-
-# 4.2.4 Log Suspicious Packets (Scored)
-[CIS - RHEL7 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
-
-# 4.2.5 Enable Ignore Broadcast Requests (Scored)
-[CIS - RHEL7 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
-
-# 4.2.6 Enable Bad Error Message Protection (Scored)
-[CIS - RHEL7 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
-
-# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
-[CIS - RHEL7 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
-f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
-
-# 4.2.8 Enable TCP SYN Cookies (Scored)
-[CIS - RHEL7 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
-
-
-###############################################
-# 4.3 Wireless Networking
-###############################################
-
-# 4.3.1 Deactivate Wireless Interfaces (Not Scored)
-
-
-###############################################
-# 4.4 Disable ipv6
-###############################################
-
-###############################################
-# 4.4.1 Configure IPv6
-###############################################
-
-# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
-
-# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
-
-# 4.4.2 Disable IPv6 (Not Scored)
-
-
-###############################################
-# 4.5 Install TCP Wrappers
-###############################################
-
-# 4.5.1 Install TCP Wrappers (Not Scored)
-
-# 4.5.2 Create /etc/hosts.allow (Not Scored)
-
-# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
-# TODO
-
-# 4.5.4 Create /etc/hosts.deny (Not Scored)
-
-# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
-# TODO
-
-
-###############################################
-# 4.6 Uncommon Network Protocols
-###############################################
-
-# 4.6.1 Disable DCCP (Not Scored)
-
-# 4.6.2 Disable SCTP (Not Scored)
-
-# 4.6.3 Disable RDS (Not Scored)
-
-# 4.6.4 Disable TIPC (Not Scored)
-
-# 4.7 Enable IPtables (Scored)
-#[CIS - RHEL7 - 4.7 - Uncommon Network Protocols - Firewalld not enabled {CIS: 4.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-#f:/usr/lib/systemd/system/firewalld.service -> TODO;
-
-
-###############################################
-# 5 Logging and Auditing
-###############################################
-
-###############################################
-# 5.1 Configure Syslog
-###############################################
-
-# 5.1.1 Install the rsyslog package (Scored)
-# TODO
-
-# 5.1.2 Activate the rsyslog Service (Scored)
-# TODO
-
-# 5.1.3 Configure /etc/rsyslog.conf (Not Scored)
-
-# 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)
-
-# 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
-
-# 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
-
-
-###############################################
-# 5.2 Configure System Accounting (auditd)
-###############################################
-
-###############################################
-# 5.2.1 Configure Data Retention
-###############################################
-
-# 5.2.1.1 Configure Audit Log Storage Size (Not Scored)
-
-# 5.2.1.2 Disable System on Audit Log Full (Not Scored)
-
-# 5.2.1.3 Keep All Auditing Information (Scored)
-
-# 5.2.2 Enable auditd Service (Scored)
-
-# 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
-
-# 5.2.4 Record Events That Modify Date and Time Information (Scored)
-
-# 5.2.5 Record Events That Modify User/Group Information (Scored)
-
-# 5.2.6 Record Events That Modify the System’s Network Environment (Scored)
-
-# 5.2.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
-
-# 5.2.8 Collect Login and Logout Events (Scored)
-
-# 5.2.9 Collect Session Initiation Information (Scored)
-
-# 5.2.10 Collect Discretionary Access Control Permission Modification Events (Scored)
-
-# 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
-
-# 5.2.12 Collect Use of Privileged Commands (Scored)
-
-# 5.2.13 Collect Successful File System Mounts (Scored)
-
-# 5.2.14 Collect File Deletion Events by User (Scored)
-
-# 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored)
-
-# 5.2.16 Collect System Administrator Actions (sudolog) (Scored)
-
-# 5.2.17 Collect Kernel Module Loading and Unloading (Scored)
-
-# 5.2.18 Make the Audit Configuration Immutable (Scored)
-
-# 5.3 Configure logrotate (Not Scored)
-
-
-###############################################
-# 6 System Access, Authentication and Authorization
-###############################################
-
-###############################################
-# 6.1 Configure cron and anacron
-###############################################
-
-# 6.1.1 Enable anacron Daemon (Scored)
-
-# 6.1.2 Enable cron Daemon (Scored)
-
-# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
-
-# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
-
-# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
-
-# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
-
-# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
-
-# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
-
-# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
-
-# 6.1.10 Restrict at Daemon (Scored)
-
-# 6.1.11 Restrict at/cron to Authorized Users (Scored)
-
-###############################################
-# 6.1 Configure SSH
-###############################################
-
-# 6.2.1 Set SSH Protocol to 2 (Scored)
-[CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
-
-# 6.2.2 Set LogLevel to INFO (Scored)
-[CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
-
-# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
-# TODO
-
-# 6.2.4 Disable SSH X11 Forwarding (Scored)
-# TODO
-
-# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
-[ CIS - RHEL7 - 6.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - RHEL7 - 6.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
-f:$sshd_file -> r:^#\s*MaxAuthTries;
-f:$sshd_file -> !r:MaxAuthTries;
-
-# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
-[CIS - RHEL7 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
-
-# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
-[CIS - RHEL7 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
-
-# 6.2.8 Disable SSH Root Login (Scored)
-[CIS - RHEL7 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
-f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin;
-
-# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
-[CIS - RHEL7 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
-f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords;
-
-# 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
-
-# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
-
-# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored)
-
-# 6.2.13 Limit Access via SSH (Scored)
-
-# 6.2.14 Set SSH Banner (Scored)
-
-
-###############################################
-# 6.3 Configure PAM
-###############################################
-
-# 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
-# authconfig --test | grep hashing | grep sha512
-
-# 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
-
-# 6.3.3 Set Lockout for Failed Password Attempts (Not Scored)
-
-# 6.3.4 Limit Password Reuse (Scored)
-
-
-# 6.4 Restrict root Login to System Console (Not Scored)
-
-# 6.5 Restrict Access to the su Command (Scored)
-
-
-###############################################
-# 7 User Accounts and Environment
-###############################################
-
-###############################################
-# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
-###############################################
-
-# 7.1.1 Set Password Expiration Days (Scored)
-
-# 7.1.2 Set Password Change Minimum Number of Days (Scored)
-
-# 7.1.3 Set Password Expiring Warning Days (Scored)
-
-# 7.2 Disable System Accounts (Scored)
-
-# 7.3 Set Default Group for root Account (Scored)
-
-# 7.4 Set Default umask for Users (Scored)
-
-# 7.5 Lock Inactive User Accounts (Scored)
-
-
-###############################################
-# 8 Warning Banners
-###############################################
-
-###############################################
-# 8.1 Warning Banners for Standard Login Services
-###############################################
-
-# 8.1 Set Warning Banner for Standard Login Services (Scored)
-
-# 8.2 Remove OS Information from Login Warning Banners (Scored)
-
-# 8.3 Set GNOME Warning Banner (Not Scored)
-
-
-###############################################
-# 9 System Maintenance
-###############################################
-
-###############################################
-# 9.1 Verify System File Permissions
-###############################################
-
-# 9.1.1 Verify System File Permissions (Not Scored)
-
-# 9.1.2 Verify Permissions on /etc/passwd (Scored)
-
-# 9.1.3 Verify Permissions on /etc/shadow (Scored)
-
-# 9.1.4 Verify Permissions on /etc/gshadow (Scored)
-
-# 9.1.5 Verify Permissions on /etc/group (Scored)
-
-# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
-
-# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
-
-# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
-
-# 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
-
-# 9.1.10 Find World Writable Files (Not Scored)
-
-# 9.1.11 Find Un-owned Files and Directories (Scored)
-
-# 9.1.12 Find Un-grouped Files and Directories (Scored)
-
-# 9.1.13 Find SUID System Executables (Not Scored)
-
-# 9.1.14 Find SGID System Executables (Not Scored)
-
-
-###############################################
-# 9.2 Review User and Group Settings
-###############################################
-
-# 9.2.1 Ensure Password Fields are Not Empty (Scored)
-
-# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
-
-# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
-
-# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
-
-# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
-[CIS - RHEL7 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL7} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-
-# 9.2.6 Ensure root PATH Integrity (Scored)
-
-# 9.2.7 Check Permissions on User Home Directories (Scored)
-
-# 9.2.8 Check User Dot File Permissions (Scored)
-
-# 9.2.9 Check Permissions on User .netrc Files (Scored)
-
-# 9.2.10 Check for Presence of User .rhosts Files (Scored)
-
-# 9.2.11 Check Groups in /etc/passwd (Scored)
-
-# 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored)
-
-# 9.2.13 Check User Home Directory Ownership (Scored)
-
-# 9.2.14 Check for Duplicate UIDs (Scored)
-
-# 9.2.15 Check for Duplicate GIDs (Scored)
-
-# 9.2.16 Check That Reserved UIDs Are Assigned to System Accounts (Scored)
-
-# 9.2.17 Check for Duplicate User Names (Scored)
-
-# 9.2.18 Check for Duplicate Group Names (Scored)
-
-# 9.2.19 Check for Presence of User .netrc Files (Scored)
-
-# 9.2.20 Check for Presence of User .forward Files (Scored)
-
-
-# Other/Legacy Tests
-[CIS - RHEL7 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/shadow -> r:^\w+::;
-
-[CIS - RHEL7 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
-f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
-
-[CIS - RHEL7 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dkudzu$;
-
-[CIS - RHEL7 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dpostgresql$;
-
-[CIS - RHEL7 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dmysqld$;
-
-[CIS - RHEL7 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnamed$;
-
-[CIS - RHEL7 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnetfs$;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-
-# CIS Checks for Red Hat (RHEL 2.1, 3.0, 4.0 and Fedora Core 1,2,3,4 and 5).
-# Based on CIS Benchmark for Red Hat Enterprise Linux v1.0.5
-
-
-
-# RC scripts location
-$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
-
-
-
-# Main one. Only valid for Red Hat/Fedora.
-[CIS - Testing against the CIS Red Hat Enterprise Linux Benchmark v1.0.5] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 4;
-f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 3;
-f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 2.1;
-f:/etc/fedora-release -> r:^Fedora && r:release 1;
-f:/etc/fedora-release -> r:^Fedora && r:release 2;
-f:/etc/fedora-release -> r:^Fedora && r:release 3;
-f:/etc/fedora-release -> r:^Fedora && r:release 4;
-f:/etc/fedora-release -> r:^Fedora && r:release 5;
-
-
-# Build considerations - Partition scheme.
-[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /var is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:/var;
-
-[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /home is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:/home;
-
-
-# Section 1.3 - SSH configuration
-[CIS - Red Hat Linux - 1.3 - SSH Configuration - Protocol version 1 enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
-
-[CIS - Red Hat Linux - 1.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
-
-[CIS - Red Hat Linux - 1.3 - SSH Configuration - Empty passwords permitted {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
-
-[CIS - Red Hat Linux - 1.3 - SSH Configuration - Host based authentication enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
-
-[CIS - Red Hat Linux - 1.3 - SSH Configuration - Root login allowed {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
-
-
-# Section 1.4 Enable system accounting
-#[CIS - Red Hat Linux - 1.4 - System Accounting - Sysstat not installed] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-#f:!/var/log/sa;
-
-
-# Section 2.5 Install and run Bastille
-#[CIS - Red Hat Linux - 1.5 - System harderning - Bastille is not installed] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-#f:!/etc/Bastille;
-
-
-# Section 2 - Minimize xinetd services
-[CIS - Red Hat Linux - 2.3 - Telnet enabled on xinetd {CIS: 2.3 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/xinetd.c/telnet -> !r:^# && r:disable && r:no;
-
-[CIS - Red Hat Linux - 2.4 - VSFTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/xinetd.c/vsftpd -> !r:^# && r:disable && r:no;
-
-[CIS - Red Hat Linux - 2.4 - WU-FTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/xinetd.c/wu-ftpd -> !r:^# && r:disable && r:no;
-
-[CIS - Red Hat Linux - 2.5 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.5 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/xinetd.c/rlogin -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.c/rsh -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.c/shell -> !r:^# && r:disable && r:no;
-
-[CIS - Red Hat Linux - 2.6 - tftpd enabled on xinetd {CIS: 2.6 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/xinetd.c/tftpd -> !r:^# && r:disable && r:no;
-
-[CIS - Red Hat Linux - 2.7 - imap enabled on xinetd {CIS: 2.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/xinetd.c/imap -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.c/imaps -> !r:^# && r:disable && r:no;
-
-[CIS - Red Hat Linux - 2.8 - pop3 enabled on xinetd {CIS: 2.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/xinetd.c/ipop3 -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.c/pop3s -> !r:^# && r:disable && r:no;
-
-
-# Section 3 - Minimize boot services
-[CIS - Red Hat Linux - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 Red Hat Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/init.d/functions -> !r:^# && r:^umask && >:umask 027;
-
-[CIS - Red Hat Linux - 3.4 - GUI login enabled {CIS: 3.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/inittab -> !r:^# && r:id:5;
-
-[CIS - Red Hat Linux - 3.7 - Disable standard boot services - Samba Enabled {CIS: 3.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dsamba$;
-d:$rc_dirs -> ^S\d\dsmb$;
-
-[CIS - Red Hat Linux - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dnfs$;
-d:$rc_dirs -> ^S\d\dnfslock$;
-
-[CIS - Red Hat Linux - 3.10 - Disable standard boot services - NIS Enabled {CIS: 3.10 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dypbind$;
-d:$rc_dirs -> ^S\d\dypserv$;
-
-[CIS - Red Hat Linux - 3.13 - Disable standard boot services - NetFS Enabled {CIS: 3.13 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dnetfs$;
-
-[CIS - Red Hat Linux - 3.15 - Disable standard boot services - Apache web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dapache$;
-d:$rc_dirs -> ^S\d\dhttpd$;
-
-[CIS - Red Hat Linux - 3.15 - Disable standard boot services - TUX web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dtux$;
-
-[CIS - Red Hat Linux - 3.16 - Disable standard boot services - SNMPD process Enabled {CIS: 3.16 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dsnmpd$;
-
-[CIS - Red Hat Linux - 3.17 - Disable standard boot services - DNS server Enabled {CIS: 3.17 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dnamed$;
-
-[CIS - Red Hat Linux - 3.18 - Disable standard boot services - MySQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dmysqld$;
-
-[CIS - Red Hat Linux - 3.18 - Disable standard boot services - PostgreSQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dpostgresql$;
-
-[CIS - Red Hat Linux - 3.19 - Disable standard boot services - Webmin Enabled {CIS: 3.19 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dwebmin$;
-
-[CIS - Red Hat Linux - 3.20 - Disable standard boot services - Squid Enabled {CIS: 3.20 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dsquid$;
-
-[CIS - Red Hat Linux - 3.21 - Disable standard boot services - Kudzu hardware detection Enabled {CIS: 3.21 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-d:$rc_dirs -> ^S\d\dkudzu$;
-
-
-# Section 4 - Kernel tuning
-[CIS - Red Hat Linux - 4.1 - Network parameters - Source routing accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
-
-[CIS - Red Hat Linux - 4.1 - Network parameters - ICMP broadcasts accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
-
-[CIS - Red Hat Linux - 4.2 - Network parameters - IP Forwarding enabled {CIS: 4.2 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/proc/sys/net/ipv4/ip_forward -> 1;
-f:/proc/sys/net/ipv6/ip_forward -> 1;
-
-
-# Section 6 - Permissions
-[CIS - Red Hat Linux - 6.1 - Partition /var without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;
-
-[CIS - Red Hat Linux - 6.1 - Partition /tmp without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;
-
-[CIS - Red Hat Linux - 6.1 - Partition /opt without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;
-
-[CIS - Red Hat Linux - 6.1 - Partition /home without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ;
-
-[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nodev' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
-
-[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nosuid' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
-
-[CIS - Red Hat Linux - 6.3 - User-mounted removable partition allowed on the console {CIS: 6.3 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
-f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
-
-
-# Section 7 - Access and authentication
-[CIS - Red Hat Linux - 7.8 - LILO Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/lilo.conf -> !r:^# && !r:restricted;
-f:/etc/lilo.conf -> !r:^# && !r:password=;
-
-[CIS - Red Hat Linux - 7.8 - GRUB Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/boot/grub/menu.lst -> !r:^# && !r:password;
-
-[CIS - Red Hat Linux - 8.2 - Account with empty password present {CIS: 8.2 Red Hat Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/shadow -> r:^\w+::;
-
-[CIS - Red Hat Linux - SN.11 - Non-root account with uid 0 {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-
-
-# Tests specific for VMware ESX - Runs on Red Hat Linux -
-# Will not be tested anywhere else.
-[VMware ESX - Testing against the Security Harderning benchmark VI3 for ESX 3.5] [any required] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-f:/etc/vmware-release -> r:^VMware ESX;
-
-
-# Virtual Machine Files and Settings - 1
-# 1.1
-[VMware ESX - VM settings - Copy operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.copy.disable;
-d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.copy.disable && r:false;
-
-# 1.2
-[VMware ESX - VM settings - Paste operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.paste.disable;
-d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.paste.disable && r:false;
-
-# 1.3
-[VMware ESX - VM settings - GUI Options enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setGUIOptions.enable && r:true;
-
-# 1.4
-[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Rotate size not 100KB] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^log.rotateSize;
-d:/vmfs/volumes -> .vmx$ -> r:^log.rotateSize && !r:"100000";
-
-# 1.5
-[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Maximum number of logs not 10] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^log.keepOld;
-d:/vmfs/volumes -> .vmx$ -> r:^log.keepOld && r:"10";
-
-# 1.6
-[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Guests allowed to write SetInfo data to config] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.setinfo.disable;
-d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setinfo.disable && r:false;
-
-# 1.7
-[VMware ESX - VM settings - Nonpersistent Disks being used] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> r:^scsi\d:\d.mode && r:!independent-nonpersistent;
-
-# 1.8
-[VMware ESX - VM settings - Floppy drive present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> r:^floppy\d+.present && r:!false;
-
-[VMware ESX - VM settings - Serial port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> r:^serial\d+.present && r:!false;
-
-[VMware ESX - VM settings - Parallel port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> r:^parallel\d+.present && r:!false;
-
-# 1.9
-[VMware ESX - VM settings - Unauthorized Removal or Connection of Devices allowed] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^Isolation.tools.connectable.disable;
-d:/vmfs/volumes -> .vmx$ -> r:^Isolation.tools.connectable.disable && r:false;
-
-# 1.10
-[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskWiper enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskWiper.disable;
-d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskWiper.disable && r:false;
-
-[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskShrink enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
-d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskShrink.disable;
-d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskShrink.disable && r:false;
-
-
-# Configuring the Service Console in ESX 3.5 - 2
-# 2.1
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-
-# CIS Checks for SUSE SLES 11
-# Based on CIS Benchmark for SUSE Linux Enterprise Server 11 v1.1.0
-
-# RC scripts location
-$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
-
-
-[CIS - Testing against the CIS SUSE Linux Enterprise Server 11 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP1";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP2";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP3";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4";
-
-# 2.1 /tmp: partition
-[CIS - SLES11 - 2.1 - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 2.2 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:/tmp;
-
-# 2.2 /tmp: nodev
-[CIS - SLES11 - 2.2 - Partition /tmp without 'nodev' set {CIS: 2.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 2.3 /tmp: nosuid
-[CIS - SLES11 - 2.3 - Partition /tmp without 'nosuid' set {CIS: 2.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
-
-# 2.4 /tmp: noexec
-[CIS - SLES11 - 2.4 - Partition /tmp without 'noexec' set {CIS: 2.4 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 2.5 Build considerations - Partition scheme.
-[CIS - SLES11 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 2.5 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r^# && !r:/var;
-
-# 2.6 bind mount /var/tmp to /tmp
-[CIS - SLES11 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 2.6 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
-
-# 2.7 /var/log: partition
-[CIS - SLES11 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 2.7 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log;
-
-# 2.8 /var/log/audit: partition
-[CIS - SLES11 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 2.8 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log/audit;
-
-# 2.9 /home: partition
-[CIS - SLES11 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 2.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> ^# && !r:/home;
-
-# 2.10 /home: nodev
-[CIS - SLES11 - 2.10 - Partition /home without 'nodev' set {CIS: 2.10 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
-
-# 2.11 nodev on removable media partitions (not scored)
-[CIS - SLES11 - 2.11 - Removable partition /media without 'nodev' set {CIS: 2.11 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
-
-# 2.12 noexec on removable media partitions (not scored)
-[CIS - SLES11 - 2.12 - Removable partition /media without 'noexec' set {CIS: 2.12 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
-
-# 2.13 nosuid on removable media partitions (not scored)
-[CIS - SLES11 - 2.13 - Removable partition /media without 'nosuid' set {CIS: 2.13 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
-
-# 2.14 /dev/shm: nodev
-[CIS - SLES11 - 2.14 - /dev/shm without 'nodev' set {CIS: 2.14 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
-
-# 2.15 /dev/shm: nosuid
-[CIS - SLES11 - 2.15 - /dev/shm without 'nosuid' set {CIS: 2.15 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
-
-# 2.16 /dev/shm: noexec
-[CIS - SLES11 - 2.16 - /dev/shm without 'noexec' set {CIS: 2.16 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
-
-# 2.17 sticky bit on world writable directories (Scored)
-# TODO
-
-# 2.18 disable cramfs (not scored)
-
-# 2.19 disable freevxfs (not scored)
-
-# 2.20 disable jffs2 (not scored)
-
-# 2.21 disable hfs (not scored)
-
-# 2.22 disable hfsplus (not scored)
-
-# 2.23 disable squashfs (not scored)
-
-# 2.24 disable udf (not scored)
-
-# 2.25 disable automounting (Scored)
-# TODO
-
-###############################################
-# 3 Secure Boot Settings
-###############################################
-
-# 3.1 Set User/Group Owner on /etc/grub.conf
-# TODO (no mode tests)
-# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
-
-# 3.2 Set Permissions on /etc/grub.conf (Scored)
-# TODO (no mode tests)
-# stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
-
-# 3.3 Set Boot Loader Password (Scored)
-[CIS - SLES11 - 3.3 - GRUB Password not set {CIS: 3.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
-
-# 3.4 Require Authentication for Single-User Mode (Scored)
-
-# 3.5 Disable Interactive Boot (Scored)
-
-###############################################
-# 4 Additional Process Hardening
-###############################################
-
-# 4.1 Restrict Core Dumps (Scored)
-[CIS - SLES11 - 4.1 - Interactive Boot not disabled {CIS: 4.1 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
-
-# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
-# TODO
-
-# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
-[CIS - SLES11 - 4.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 4.3 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/kernel/randomize_va_space -> 2;
-
-# 4.4 Disable Prelink (Scored)
-# TODO
-
-# 4.5 Activate AppArmor (Scored)
-# TODO
-
-###############################################
-# 5 OS Services
-###############################################
-
-###############################################
-# 5.1 Remove Legacy Services
-###############################################
-
-# 5.1.1 Remove NIS Server (Scored)
-[CIS - SLES11 - 5.1.1 - Disable standard boot services - NIS (server) Enabled {CIS: 5.1.1 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dypserv$;
-
-# 5.1.2 Remove NIS Client (Scored)
-[CIS - SLES11 - 5.1.2 - Disable standard boot services - NIS (client) Enabled {CIS: 51.2 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dypbind$;
-
-# 5.1.3 Remove rsh-server (Scored)
-[CIS - SLES11 - 5.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 5.1.3 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
-
-# 5.1.4 Remove rsh client (Scored)
-# TODO
-
-# 5.1.5 Remove talk-server (Scored)
-[CIS - SLES11 - 5.1.5 - talk enabled on xinetd {CIS: 5.1.5 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
-
-# 5.1.6 Remove talk client (Scored)
-# TODO
-
-# 5.1.7 Remove telnet-server (Scored)
-# TODO: detect it is installed at all
-[CIS - SLES11 - 5.1.7 - Telnet enabled on xinetd {CIS: 5.1.7 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
-
-# 5.1.8 Remove tftp-server (Scored)
-[CIS - SLES11 - 5.1.8 - tftpd enabled on xinetd {CIS: 5.1.8 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
-
-# 5.1.9 Remove xinetd (Scored)
-[CIS - SLES11 - 5.1.9 - xinetd detected {CIS: 5.1.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-
-# 5.2 Disable chargen-udp (Scored)
-[CIS - SLES11 - 5.2 - chargen-udp enabled on xinetd {CIS: 5.2 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no;
-
-# 5.3 Disable chargen (Scored)
-[CIS - SLES11 - 5.3 - chargen enabled on xinetd {CIS: 5.3 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no;
-
-# 5.4 Disable daytime-udp (Scored)
-[CIS - SLES11 - 5.4 - daytime-udp enabled on xinetd {CIS: 5.4 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no;
-
-# 5.5 Disable daytime (Scored)
-[CIS - SLES11 - 5.5 - daytime enabled on xinetd {CIS: 5.5 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no;
-
-
-# 5.6 Disable echo-udp (Scored)
-[CIS - SLES11 - 5.6 - echo-udp enabled on xinetd {CIS: 5.6 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no;
-
-# 5.7 Disable echo (Scored)
-[CIS - SLES11 - 5.7 - echo enabled on xinetd {CIS: 5.7 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no;
-
-# 5.8 Disable discard-udp (Scored)
-[CIS - SLES11 - 5.8 - discard-udp enabled on xinetd {CIS: 5.8 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no;
-
-# 5.9 Disable discard (Scored)
-[CIS - SLES11 - 5.9 - discard enabled on xinetd {CIS: 5.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no;
-
-# 5.10 Disable time-udp (Scored)
-[CIS - SLES11 - 5.10 - time-udp enabled on xinetd {CIS: 5.10 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no;
-
-# 5.11 Disable time (Scored)
-[CIS - SLES11 - 5.11 - time enabled on xinetd {CIS: 5.11 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no;
-
-###############################################
-# 6 Special Purpose Services
-###############################################
-
-# 6.1 Remove X Windows (Scored)
-[CIS - SLES11 - 6.1 - X11 not disabled {CIS: 6.1 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/inittab -> !r:^# && r:id:5;
-
-# 6.2 Disable Avahi Server (Scored)
-[CIS - SLES11 - 6.2 - Avahi daemon not disabled {CIS: 6.2 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-p:avahi-daemon;
-
-# 6.3 Disable Print Server - CUPS (Not Scored)
-#TODO
-
-# 6.4 Remove DHCP Server (Scored)
-#[CIS - SLES11 - 6.4 - DHCPnot disabled {CIS: 6.4 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dhcpd$;
-d:$rc_dirs -> ^S\d\dhcpd6$;
-
-# 6.5 Configure Network Time Protocol (NTP) (Scored)
-#TODO Chrony
-[CIS - SLES11 - 6.5 - NTPD not Configured {CIS: 6.5 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
-f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
-
-# 6.6 Remove LDAP (Not Scored)
-#TODO
-
-# 6.7 Disable NFS and RPC (Not Scored)
-[CIS - SLES11 - 6.7 - Disable standard boot services - NFS Enabled {CIS: 6.7 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnfs$;
-d:$rc_dirs -> ^S\d\dnfslock$;
-
-# 6.8 Remove DNS Server (Not Scored)
-# TODO
-
-# 6.9 Remove FTP Server (Not Scored)
-[CIS - SLES11 - 6.9 - VSFTP enabled on xinetd {CIS: 6.9 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
-
-# 6.10 Remove HTTP Server (Not Scored)
-[CIS - SLES11 - 6.10 - Disable standard boot services - Apache web server Enabled {CIS: 6.10 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dapache2$;
-
-# 6.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
-[CIS - SLES11 - 6.11 - imap enabled on xinetd {CIS: 6.11 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
-
-[CIS - SLES11 - 6.11 - pop3 enabled on xinetd {CIS: 6.11 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
-
-# 6.12 Remove Samba (Not Scored)
-[CIS - SLES11 - 6.12 - Disable standard boot services - Samba Enabled {CIS: 6.12 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsamba$;
-d:$rc_dirs -> ^S\d\dsmb$;
-
-# 6.13 Remove HTTP Proxy Server (Not Scored)
-[CIS - SLES11 - 6.13 - Disable standard boot services - Squid Enabled {CIS: 6.13 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsquid$;
-
-# 6.14 Remove SNMP Server (Not Scored)
-[CIS - SLES11 - 6.14 - Disable standard boot services - SNMPD process Enabled {CIS: 6.14 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dsnmpd$;
-
-# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
-# TODO
-
-# 6.16 Ensure rsync service is not enabled (Scored)
-[CIS - SLES11 - 6.16 - Disable standard boot services - rsyncd process Enabled {CIS: 6.16 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\drsyncd$;
-
-# 6.17 Ensure Biosdevname is not enabled (Scored)
-# TODO
-
-###############################################
-# 7 Network Configuration and Firewalls
-###############################################
-
-###############################################
-# 7.1 Modify Network Parameters (Host Only)
-###############################################
-
-# 7.1.1 Disable IP Forwarding (Scored)
-[CIS - SLES11 - 7.1.1 - Network parameters - IP Forwarding enabled {CIS: 7.1.1 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/ip_forward -> 1;
-f:/proc/sys/net/ipv6/ip_forward -> 1;
-
-# 7.1.2 Disable Send Packet Redirects (Scored)
-[CIS - SLES11 - 7.1.2 - Network parameters - IP send redirects enabled {CIS: 7.1.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
-f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
-
-###############################################
-# 7.2 Modify Network Parameters (Host and Router)
-###############################################
-
-# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
-[CIS - SLES11 - 7.2.1 - Network parameters - Source routing accepted {CIS: 7.2.1 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
-
-# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
-[CIS - SLES11 - 7.2.2 - Network parameters - ICMP redirects accepted {CIS: 7.2.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
-
-# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
-[CIS - SLES11 - 7.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 7.2.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
-
-# 7.2.4 Log Suspicious Packets (Scored)
-[CIS - SLES11 - 7.2.4 - Network parameters - martians not logged {CIS: 7.2.4 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
-
-# 7.2.5 Enable Ignore Broadcast Requests (Scored)
-[CIS - SLES11 - 7.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 7.2.5 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
-
-# 7.2.6 Enable Bad Error Message Protection (Scored)
-[CIS - SLES11 - 7.2.6 - Network parameters - Bad error message protection not enabled {CIS: 7.2.6 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
-
-# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
-[CIS - SLES11 - 7.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 7.2.7 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
-f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
-
-# 7.2.8 Enable TCP SYN Cookies (Scored)
-[CIS - SLES11 - 7.2.8 - Network parameters - SYN Cookies not enabled {CIS: 7.2.8 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
-
-###############################################
-# 7.3 Configure IPv6
-###############################################
-
-# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
-
-# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
-
-# 7.3.3 Disable IPv6 (Not Scored)
-
-###############################################
-# 7.4 Install TCP Wrappers
-###############################################
-
-# 7.4.1 Install TCP Wrappers (Not Scored)
-
-# 7.4.2 Create /etc/hosts.allow (Not Scored)
-
-# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
-# TODO
-
-# 7.4.4 Create /etc/hosts.deny (Not Scored)
-
-# 7.5.5 Verify Permissions on /etc/hosts.deny (Scored)
-# TODO
-
-###############################################
-# 7.5 Uncommon Network Protocols
-###############################################
-
-# 7.5.1 Disable DCCP (Not Scored)
-
-# 7.5.2 Disable SCTP (Not Scored)
-
-# 7.5.3 Disable RDS (Not Scored)
-
-# 7.5.4 Disable TIPC (Not Scored)
-
-# 7.6 Deactivate Wireless Interfaces (Not Scored)
-
-# 7.7 Enable SuSEfirewall2 (Scored)
-
-# 7.8 Limit access to trusted networks (Not Scored)
-
-###############################################
-# 8 Logging and Auditing
-###############################################
-
-###############################################
-# 8.1 Configure System Accounting (auditd)
-###############################################
-
-###############################################
-# 8.1.1 Configure Data Retention
-###############################################
-
-# 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
-
-# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
-
-# 8.1.1.3 Keep All Auditing Information (Scored)
-
-# 8.1.2 Enable auditd Service (Scored)
-
-# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
-
-# 8.1.4 Record Events That Modify Date and Time Information (Scored)
-
-# 8.1.5 Record Events That Modify User/Group Information (Scored)
-
-# 8.1.6 Record Events That Modify the System’s Network Environment (Scored)
-
-# 8.1.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
-
-# 8.1.8 Collect Login and Logout Events (Scored)
-
-# 8.1.9 Collect Session Initiation Information (Scored)
-
-# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
-
-# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
-
-# 8.1.12 Collect Use of Privileged Commands (Scored)
-
-# 8.1.13 Collect Successful File System Mounts (Scored)
-
-# 8.1.14 Collect File Deletion Events by User (Scored)
-
-# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
-
-# 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
-
-# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
-
-# 8.1.18 Make the Audit Configuration Immutable (Scored)
-
-###############################################
-# 8.2 Configure rsyslog
-###############################################
-
-# 8.2.1 Install the rsyslog package (Scored)
-# TODO
-
-# 8.2.2 Activate the rsyslog Service (Scored)
-# TODO
-
-# 8.2.3 Configure /etc/rsyslog.conf (Not Scored)
-
-# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored)
-
-# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
-
-# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
-
-###############################################
-# 8.3 Advanced Intrusion Detection Environment (AIDE)
-###############################################
-
-# 8.3.1 Install AIDE (Scored)
-
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
-
-# 8.4 Configure logrotate (Not Scored)
-
-###############################################
-# 9 System Access, Authentication and Authorization
-###############################################
-
-###############################################
-# 9.1 Configure cron and anacron
-###############################################
-
-# 9.1.1 Enable cron Daemon (Scored)
-
-# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
-
-# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
-
-# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
-
-# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
-
-# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
-
-# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
-
-# 9.1.8 Restrict at/cron to Authorized Users (Scored)
-
-###############################################
-# 9.2 Configure SSH
-###############################################
-
-# 9.2.1 Set SSH Protocol to 2 (Scored)
-[CIS - SLES11 - 9.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 9.2.1 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
-
-# 9.2.2 Set LogLevel to INFO (Scored)
-[CIS - SLES11 - 9.2.1 - SSH Configuration - Loglevel not INFO {CIS: 9.2.1 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
-
-# 9.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
-# TODO
-
-# 9.2.4 Disable SSH X11 Forwarding (Scored)
-# TODO
-
-# 9.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
-[ CIS - SLES11 - 9.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - SLES11 - 9.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries && !r:3\s*$;
-f:/etc/ssh/sshd_config -> r:^#\s*MaxAuthTries;
-f:/etc/ssh/sshd_config -> !r:MaxAuthTries;
-
-# 9.2.6 Set SSH IgnoreRhosts to Yes (Scored)
-[CIS - SLES11 - 9.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 9.2.6 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
-
-# 9.2.7 Set SSH HostbasedAuthentication to No (Scored)
-[CIS - SLES11 - 9.2.7 - SSH Configuration - Host based authentication enabled {CIS: 9.2.7 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
-
-# 9.2.8 Disable SSH Root Login (Scored)
-[CIS - SLES11 - 9.2.8 - SSH Configuration - Root login allowed {CIS: 9.2.8 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
-f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin;
-
-# 9.2.9 Set SSH PermitEmptyPasswords to No (Scored)
-[CIS - SLES11 - 9.2.9 - SSH Configuration - Empty passwords permitted {CIS: 9.2.9 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
-f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords;
-
-# 9.2.10 Do Not Allow Users to Set Environment Options (Scored)
-
-# 9.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
-
-# 9.2.12 Set Idle Timeout Interval for User Login (Not Scored)
-
-# 9.2.13 Limit Access via SSH (Scored)
-
-# 9.2.14 Set SSH Banner (Scored)
-
-###############################################
-# 9.3 Configure PAM
-###############################################
-
-# 9.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
-
-# 9.3.2 Set Lockout for Failed Password Attempts (Not Scored)
-
-# 9.3.3 Limit Password Reuse (Scored)
-
-# 9.4 Restrict root Login to System Console (Not Scored)
-
-# 9.5 Restrict Access to the su Command (Scored)
-
-###############################################
-# 10 User Accounts and Environment
-###############################################
-
-###############################################
-# 10.1 Set Shadow Password Suite Parameters (/etc/login.defs)
-###############################################
-
-# 10.1.1 Set Password Expiration Days (Scored)
-
-# 10.1.2 Set Password Change Minimum Number of Days (Scored)
-
-# 10.1.3 Set Password Expiring Warning Days (Scored)
-
-# 10.2 Disable System Accounts (Scored)
-
-# 10.3 Set Default Group for root Account (Scored)
-
-# 10.4 Set Default umask for Users (Scored)
-
-# 10.5 Lock Inactive User Accounts (Scored)
-
-
-###############################################
-# 11 Warning Banners
-###############################################
-
-# 11.1 Set Warning Banner for Standard Login Services (Scored)
-
-# 11.2 Remove OS Information from Login Warning Banners (Scored)
-
-# 11.3 Set Graphical Warning Banner (Not Scored)
-
-###############################################
-# 12 Verify System File Permissions
-###############################################
-
-# 12.1 Verify System File Permissions (Not Scored)
-
-# 12.2 Verify Permissions on /etc/passwd (Scored)
-
-# 12.3 Verify Permissions on /etc/shadow (Scored)
-
-# 12.4 Verify Permissions on /etc/group (Scored)
-
-# 12.5 Verify User/Group Ownership on /etc/passwd (Scored)
-
-# 12.6 Verify User/Group Ownership on /etc/shadow (Scored)
-
-# 12.7 Verify User/Group Ownership on /etc/group (Scored)
-
-# 12.8 Find World Writable Files (Not Scored)
-
-# 12.9 Find Un-owned Files and Directories (Scored)
-
-# 12.10 Find Un-grouped Files and Directories (Scored)
-
-# 12.11 Find SUID System Executables (Not Scored)
-
-# 12.12 Find SGID System Executables (Not Scored)
-
-###############################################
-# 13 Review User and Group Settings
-###############################################
-
-# 13.1 Ensure Password Fields are Not Empty (Scored)
-
-# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
-
-# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
-
-# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
-
-# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
-[CIS - SLES11 - 13.5 - Non-root account with uid 0 {CIS: 13.5 SLES11} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-
-# 13.6 Ensure root PATH Integrity (Scored)
-
-# 13.7 Check Permissions on User Home Directories (Scored)
-
-# 13.8 Check User Dot File Permissions (Scored)
-
-# 13.9 Check Permissions on User .netrc Files (Scored)
-
-# 13.10 Check for Presence of User .rhosts Files (Scored)
-
-# 13.11 Check Groups in /etc/passwd (Scored)
-
-# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
-
-# 13.13 Check User Home Directory Ownership (Scored)
-
-# 13.14 Check for Duplicate UIDs (Scored)
-
-# 13.15 Check for Duplicate GIDs (Scored)
-
-# 13.16 Check for Duplicate User Names (Scored)
-
-# 13.17 Check for Duplicate Group Names (Scored)
-
-# 13.18 Check for Presence of User .netrc Files (Scored)
-
-# 13.19 Check for Presence of User .forward Files (Scored)
-
-# 13.20 Ensure shadow group is empty (Scored)
-
-
-# Other/Legacy Tests
-[CIS - SLES11 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/shadow -> r:^\w+::;
-
-[CIS - SLES11 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
-f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
-
-[CIS - SLES11 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dkudzu$;
-
-[CIS - SLES11 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dpostgresql$;
-
-[CIS - SLES11 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dmysqld$;
-
-[CIS - SLES11 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnamed$;
-
-[CIS - SLES11 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
-d:$rc_dirs -> ^S\d\dnetfs$;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-
-# CIS Checks for SUSE SLES 12
-# Based on CIS Benchmark for SUSE Linux Enterprise Server 12 v1.0.0
-
-# RC scripts location
-$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
-
-
-[CIS - Testing against the CIS SUSE Linux Enterprise Server 12 Benchmark v1.0.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP1";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP2";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP3";
-f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP4";
-
-# 2.1 /tmp: partition
-[CIS - SLES12 - 2.1 - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 2.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:/tmp;
-
-# 2.2 /tmp: nodev
-[CIS - SLES12 - 2.2 - Partition /tmp without 'nodev' set {CIS: 2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 2.3 /tmp: nosuid
-[CIS - SLES12 - 2.3 - Partition /tmp without 'nosuid' set {CIS: 2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
-
-# 2.4 /tmp: noexec
-[CIS - SLES12 - 2.4 - Partition /tmp without 'noexec' set {CIS: 2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
-
-# 2.5 Build considerations - Partition scheme.
-[CIS - SLES12 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 2.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r^# && !r:/var;
-
-# 2.6 bind mount /var/tmp to /tmp
-[CIS - SLES12 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 2.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
-
-# 2.7 /var/log: partition
-[CIS - SLES12 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 2.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log;
-
-# 2.8 /var/log/audit: partition
-[CIS - SLES12 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 2.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> ^# && !r:/var/log/audit;
-
-# 2.9 /home: partition
-[CIS - SLES12 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 2.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> ^# && !r:/home;
-
-# 2.10 /home: nodev
-[CIS - SLES12 - 2.10 - Partition /home without 'nodev' set {CIS: 2.10 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
-
-# 2.11 nodev on removable media partitions (not scored)
-[CIS - SLES12 - 2.11 - Removable partition /media without 'nodev' set {CIS: 2.11 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
-
-# 2.12 noexec on removable media partitions (not scored)
-[CIS - SLES12 - 2.12 - Removable partition /media without 'noexec' set {CIS: 2.12 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
-
-# 2.13 nosuid on removable media partitions (not scored)
-[CIS - SLES12 - 2.13 - Removable partition /media without 'nosuid' set {CIS: 2.13 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
-
-# 2.14 /dev/shm: nodev
-[CIS - SLES12 - 2.14 - /dev/shm without 'nodev' set {CIS: 2.14 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
-
-# 2.15 /dev/shm: nosuid
-[CIS - SLES12 - 2.15 - /dev/shm without 'nosuid' set {CIS: 2.15 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
-
-# 2.16 /dev/shm: noexec
-[CIS - SLES12 - 2.16 - /dev/shm without 'noexec' set {CIS: 2.16 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
-
-# 2.17 sticky bit on world writable directories (Scored)
-# TODO
-
-# 2.18 disable cramfs (not scored)
-
-# 2.19 disable freevxfs (not scored)
-
-# 2.20 disable jffs2 (not scored)
-
-# 2.21 disable hfs (not scored)
-
-# 2.22 disable hfsplus (not scored)
-
-# 2.23 disable squashfs (not scored)
-
-# 2.24 disable udf (not scored)
-
-# 2.25 disable automounting (Scored)
-# TODO
-
-###############################################
-# 3 Secure Boot Settings
-###############################################
-
-# 3.1 Set User/Group Owner on /etc/grub.conf
-# TODO (no mode tests)
-# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
-
-# 3.2 Set Permissions on /etc/grub.conf (Scored)
-# TODO (no mode tests)
-# stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
-
-# 3.3 Set Boot Loader Password (Scored)
-[CIS - SLES12 - 3.3 - GRUB Password not set {CIS: 3.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
-
-###############################################
-# 4 Additional Process Hardening
-###############################################
-
-# 4.1 Restrict Core Dumps (Scored)
-[CIS - SLES12 - 4.1 - Interactive Boot not disabled {CIS: 4.1 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
-
-# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
-# TODO
-
-# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
-[CIS - SLES12 - 4.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 4.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/kernel/randomize_va_space -> 2;
-
-# 4.4 Disable Prelink (Scored)
-# TODO
-
-# 4.5 Activate AppArmor (Scored)
-# TODO
-
-###############################################
-# 5 OS Services
-###############################################
-
-###############################################
-# 5.1 Remove Legacy Services
-###############################################
-
-# 5.1.1 Remove NIS Server (Scored)
-[CIS - SLES12 - 5.1.1 - Disable standard boot services - NIS (server) Enabled {CIS: 5.1.1 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dypserv$;
-f:/usr/lib/systemd/system/ypserv.service -> r:Exec;
-
-# 5.1.2 Remove NIS Client (Scored)
-[CIS - SLES12 - 5.1.2 - Disable standard boot services - NIS (client) Enabled {CIS: 51.2 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dypbind$;
-f:/usr/lib/systemd/system/ypbind.service -> r:Exec;
-
-# 5.1.3 Remove rsh-server (Scored)
-[CIS - SLES12 - 5.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 5.1.3 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
-f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
-# TODO (finish this)
-f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;
-f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;
-f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;
-
-# 5.1.4 Remove rsh client (Scored)
-# TODO
-
-# 5.1.5 Remove talk-server (Scored)
-[CIS - SLES12 - 5.1.5 - talk enabled on xinetd {CIS: 5.1.5 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
-f:/usr/lib/systemd/system/ntalk.service -> r:Exec;
-
-# 5.1.6 Remove talk client (Scored)
-# TODO
-
-# 5.1.7 Remove telnet-server (Scored)
-# TODO: detect it is installed at all
-[CIS - SLES12 - 5.1.7 - Telnet enabled on xinetd {CIS: 5.1.7 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
-f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;
-
-# 5.1.8 Remove tftp-server (Scored)
-[CIS - SLES12 - 5.1.8 - tftpd enabled on xinetd {CIS: 5.1.8 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
-f:/usr/lib/systemd/system/tftp.service -> r:Exec;
-
-# 5.1.9 Remove xinetd (Scored)
-[CIS - SLES12 - 5.1.9 - xinetd detected {CIS: 5.1.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/usr/lib/systemd/system/xinetd.service -> r:Exec;
-
-# 5.2 Disable chargen-udp (Scored)
-[CIS - SLES12 - 5.2 - chargen-udp enabled on xinetd {CIS: 5.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no;
-
-# 5.3 Disable chargen (Scored)
-[CIS - SLES12 - 5.3 - chargen enabled on xinetd {CIS: 5.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no;
-
-# 5.4 Disable daytime-udp (Scored)
-[CIS - SLES12 - 5.4 - daytime-udp enabled on xinetd {CIS: 5.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no;
-
-# 5.5 Disable daytime (Scored)
-[CIS - SLES12 - 5.5 - daytime enabled on xinetd {CIS: 5.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no;
-
-
-# 5.6 Disable echo-udp (Scored)
-[CIS - SLES12 - 5.6 - echo-udp enabled on xinetd {CIS: 5.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no;
-
-# 5.7 Disable echo (Scored)
-[CIS - SLES12 - 5.7 - echo enabled on xinetd {CIS: 5.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no;
-
-# 5.8 Disable discard-udp (Scored)
-[CIS - SLES12 - 5.8 - discard-udp enabled on xinetd {CIS: 5.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no;
-
-# 5.9 Disable discard (Scored)
-[CIS - SLES12 - 5.9 - discard enabled on xinetd {CIS: 5.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no;
-
-# 5.10 Disable time-udp (Scored)
-[CIS - SLES12 - 5.10 - time-udp enabled on xinetd {CIS: 5.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no;
-
-# 5.11 Disable time (Scored)
-[CIS - SLES12 - 5.11 - time enabled on xinetd {CIS: 5.11 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no;
-
-###############################################
-# 6 Special Purpose Services
-###############################################
-
-# 6.1 Remove X Windows (Scored)
-[CIS - SLES12 - 6.1 - X11 not disabled {CIS: 6.1 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/usr/lib/systemd/system/default.target -> r:Graphical;
-p:gdm-x-session;
-
-# 6.2 Disable Avahi Server (Scored)
-[CIS - SLES12 - 6.2 - Avahi daemon not disabled {CIS: 6.2 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-p:avahi-daemon;
-
-# 6.3 Disable Print Server - CUPS (Not Scored)
-#TODO
-
-# 6.4 Remove DHCP Server (Scored)
-[CIS - SLES12 - 6.4 - DHCPnot disabled {CIS: 6.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;
-
-# 6.5 Configure Network Time Protocol (NTP) (Scored)
-#TODO Chrony
-[CIS - SLES12 - 6.5 - NTPD not Configured {CIS: 6.5 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
-f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
-
-# 6.6 Remove LDAP (Not Scored)
-#TODO
-
-# 6.7 Disable NFS and RPC (Not Scored)
-[CIS - SLES12 - 6.7 - Disable standard boot services - NFS Enabled {CIS: 6.7 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dnfs$;
-d:$rc_dirs -> ^S\d\dnfslock$;
-
-# 6.8 Remove DNS Server (Not Scored)
-# TODO
-
-# 6.9 Remove FTP Server (Not Scored)
-[CIS - SLES12 - 6.9 - VSFTP enabled on xinetd {CIS: 6.9 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
-
-# 6.10 Remove HTTP Server (Not Scored)
-[CIS - SLES12 - 6.10 - Disable standard boot services - Apache web server Enabled {CIS: 6.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dapache2$;
-
-# 6.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
-[CIS - SLES12 - 6.11 - imap enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
-
-[CIS - SLES12 - 6.11 - pop3 enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
-
-# 6.12 Remove Samba (Not Scored)
-[CIS - SLES12 - 6.12 - Disable standard boot services - Samba Enabled {CIS: 6.12 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dsamba$;
-d:$rc_dirs -> ^S\d\dsmb$;
-
-# 6.13 Remove HTTP Proxy Server (Not Scored)
-[CIS - SLES12 - 6.13 - Disable standard boot services - Squid Enabled {CIS: 6.13 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dsquid$;
-
-# 6.14 Remove SNMP Server (Not Scored)
-[CIS - SLES12 - 6.14 - Disable standard boot services - SNMPD process Enabled {CIS: 6.14 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dsnmpd$;
-
-# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
-# TODO
-
-# 6.16 Ensure rsync service is not enabled (Scored)
-[CIS - SLES12 - 6.16 - Disable standard boot services - rsyncd process Enabled {CIS: 6.16 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\drsyncd$;
-
-# 6.17 Ensure Biosdevname is not enabled (Scored)
-# TODO
-
-###############################################
-# 7 Network Configuration and Firewalls
-###############################################
-
-###############################################
-# 7.1 Modify Network Parameters (Host Only)
-###############################################
-
-# 7.1.1 Disable IP Forwarding (Scored)
-[CIS - SLES12 - 7.1.1 - Network parameters - IP Forwarding enabled {CIS: 7.1.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/ip_forward -> 1;
-f:/proc/sys/net/ipv6/ip_forward -> 1;
-
-# 7.1.2 Disable Send Packet Redirects (Scored)
-[CIS - SLES12 - 7.1.2 - Network parameters - IP send redirects enabled {CIS: 7.1.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
-f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
-
-###############################################
-# 7.2 Modify Network Parameters (Host and Router)
-###############################################
-
-# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
-[CIS - SLES12 - 7.2.1 - Network parameters - Source routing accepted {CIS: 7.2.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
-
-# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
-[CIS - SLES12 - 7.2.2 - Network parameters - ICMP redirects accepted {CIS: 7.2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
-
-# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
-[CIS - SLES12 - 7.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 7.2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
-f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
-
-# 7.2.4 Log Suspicious Packets (Scored)
-[CIS - SLES12 - 7.2.4 - Network parameters - martians not logged {CIS: 7.2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
-
-# 7.2.5 Enable Ignore Broadcast Requests (Scored)
-[CIS - SLES12 - 7.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 7.2.5 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
-
-# 7.2.6 Enable Bad Error Message Protection (Scored)
-[CIS - SLES12 - 7.2.6 - Network parameters - Bad error message protection not enabled {CIS: 7.2.6 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
-
-# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
-[CIS - SLES12 - 7.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 7.2.7 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
-f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
-
-# 7.2.8 Enable TCP SYN Cookies (Scored)
-[CIS - SLES12 - 7.2.8 - Network parameters - SYN Cookies not enabled {CIS: 7.2.8 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
-
-###############################################
-# 7.3 Configure IPv6
-###############################################
-
-# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
-
-# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
-
-# 7.3.3 Disable IPv6 (Not Scored)
-
-###############################################
-# 7.4 Install TCP Wrappers
-###############################################
-
-# 7.4.1 Install TCP Wrappers (Not Scored)
-
-# 7.4.2 Create /etc/hosts.allow (Not Scored)
-
-# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
-# TODO
-
-# 7.4.4 Create /etc/hosts.deny (Not Scored)
-
-# 7.5.5 Verify Permissions on /etc/hosts.deny (Scored)
-# TODO
-
-###############################################
-# 7.5 Uncommon Network Protocols
-###############################################
-
-# 7.5.1 Disable DCCP (Not Scored)
-
-# 7.5.2 Disable SCTP (Not Scored)
-
-# 7.5.3 Disable RDS (Not Scored)
-
-# 7.5.4 Disable TIPC (Not Scored)
-
-# 7.6 Deactivate Wireless Interfaces (Not Scored)
-
-# 7.7 Enable SuSEfirewall2 (Scored)
-
-# 7.8 Limit access to trusted networks (Not Scored)
-
-###############################################
-# 8 Logging and Auditing
-###############################################
-
-###############################################
-# 8.1 Configure System Accounting (auditd)
-###############################################
-
-###############################################
-# 8.1.1 Configure Data Retention
-###############################################
-
-# 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
-
-# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
-
-# 8.1.1.3 Keep All Auditing Information (Scored)
-
-# 8.1.2 Enable auditd Service (Scored)
-
-# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
-
-# 8.1.4 Record Events That Modify Date and Time Information (Scored)
-
-# 8.1.5 Record Events That Modify User/Group Information (Scored)
-
-# 8.1.6 Record Events That Modify the System’s Network Environment (Scored)
-
-# 8.1.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
-
-# 8.1.8 Collect Login and Logout Events (Scored)
-
-# 8.1.9 Collect Session Initiation Information (Scored)
-
-# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
-
-# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
-
-# 8.1.12 Collect Use of Privileged Commands (Scored)
-
-# 8.1.13 Collect Successful File System Mounts (Scored)
-
-# 8.1.14 Collect File Deletion Events by User (Scored)
-
-# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
-
-# 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
-
-# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
-
-# 8.1.18 Make the Audit Configuration Immutable (Scored)
-
-###############################################
-# 8.2 Configure rsyslog
-###############################################
-
-# 8.2.1 Install the rsyslog package (Scored)
-# TODO
-
-# 8.2.2 Activate the rsyslog Service (Scored)
-# TODO
-
-# 8.2.3 Configure /etc/rsyslog.conf (Not Scored)
-
-# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored)
-
-# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
-
-# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
-
-###############################################
-# 8.3 Advanced Intrusion Detection Environment (AIDE)
-###############################################
-
-# 8.3.1 Install AIDE (Scored)
-
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
-
-# 8.4 Configure logrotate (Not Scored)
-
-###############################################
-# 9 System Access, Authentication and Authorization
-###############################################
-
-###############################################
-# 9.1 Configure cron and anacron
-###############################################
-
-# 9.1.1 Enable cron Daemon (Scored)
-
-# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
-
-# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
-
-# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
-
-# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
-
-# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
-
-# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
-
-# 9.1.8 Restrict at/cron to Authorized Users (Scored)
-
-###############################################
-# 9.2 Configure SSH
-###############################################
-
-# 9.2.1 Set SSH Protocol to 2 (Scored)
-[CIS - SLES12 - 9.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
-
-# 9.2.2 Set LogLevel to INFO (Scored)
-[CIS - SLES12 - 9.2.1 - SSH Configuration - Loglevel not INFO {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
-
-# 9.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
-# TODO
-
-# 9.2.4 Disable SSH X11 Forwarding (Scored)
-# TODO
-
-# 9.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
-[ CIS - SLES12 - 9.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - SLES12 - 9.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries && !r:3\s*$;
-f:/etc/ssh/sshd_config -> r:^#\s*MaxAuthTries;
-f:/etc/ssh/sshd_config -> !r:MaxAuthTries;
-
-# 9.2.6 Set SSH IgnoreRhosts to Yes (Scored)
-[CIS - SLES12 - 9.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 9.2.6 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
-
-# 9.2.7 Set SSH HostbasedAuthentication to No (Scored)
-[CIS - SLES12 - 9.2.7 - SSH Configuration - Host based authentication enabled {CIS: 9.2.7 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
-
-# 9.2.8 Disable SSH Root Login (Scored)
-[CIS - SLES12 - 9.2.8 - SSH Configuration - Root login allowed {CIS: 9.2.8 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
-f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin;
-
-# 9.2.9 Set SSH PermitEmptyPasswords to No (Scored)
-[CIS - SLES12 - 9.2.9 - SSH Configuration - Empty passwords permitted {CIS: 9.2.9 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
-f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords;
-
-# 9.2.10 Do Not Allow Users to Set Environment Options (Scored)
-
-# 9.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
-
-# 9.2.12 Set Idle Timeout Interval for User Login (Not Scored)
-
-# 9.2.13 Limit Access via SSH (Scored)
-
-# 9.2.14 Set SSH Banner (Scored)
-
-###############################################
-# 9.3 Configure PAM
-###############################################
-
-# 9.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
-
-# 9.3.2 Set Lockout for Failed Password Attempts (Not Scored)
-
-# 9.3.3 Limit Password Reuse (Scored)
-
-# 9.4 Restrict root Login to System Console (Not Scored)
-
-# 9.5 Restrict Access to the su Command (Scored)
-
-###############################################
-# 10 User Accounts and Environment
-###############################################
-
-###############################################
-# 10.1 Set Shadow Password Suite Parameters (/etc/login.defs)
-###############################################
-
-# 10.1.1 Set Password Expiration Days (Scored)
-
-# 10.1.2 Set Password Change Minimum Number of Days (Scored)
-
-# 10.1.3 Set Password Expiring Warning Days (Scored)
-
-# 10.2 Disable System Accounts (Scored)
-
-# 10.3 Set Default Group for root Account (Scored)
-
-# 10.4 Set Default umask for Users (Scored)
-
-# 10.5 Lock Inactive User Accounts (Scored)
-
-
-###############################################
-# 11 Warning Banners
-###############################################
-
-# 11.1 Set Warning Banner for Standard Login Services (Scored)
-
-# 11.2 Remove OS Information from Login Warning Banners (Scored)
-
-# 11.3 Set Graphical Warning Banner (Not Scored)
-
-###############################################
-# 12 Verify System File Permissions
-###############################################
-
-# 12.1 Verify System File Permissions (Not Scored)
-
-# 12.2 Verify Permissions on /etc/passwd (Scored)
-
-# 12.3 Verify Permissions on /etc/shadow (Scored)
-
-# 12.4 Verify Permissions on /etc/group (Scored)
-
-# 12.5 Verify User/Group Ownership on /etc/passwd (Scored)
-
-# 12.6 Verify User/Group Ownership on /etc/shadow (Scored)
-
-# 12.7 Verify User/Group Ownership on /etc/group (Scored)
-
-# 12.8 Find World Writable Files (Not Scored)
-
-# 12.9 Find Un-owned Files and Directories (Scored)
-
-# 12.10 Find Un-grouped Files and Directories (Scored)
-
-# 12.11 Find SUID System Executables (Not Scored)
-
-# 12.12 Find SGID System Executables (Not Scored)
-
-###############################################
-# 13 Review User and Group Settings
-###############################################
-
-# 13.1 Ensure Password Fields are Not Empty (Scored)
-
-# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
-
-# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
-
-# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
-
-# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
-[CIS - SLES12 - 13.5 - Non-root account with uid 0 {CIS: 13.5 SLES12} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
-
-# 13.6 Ensure root PATH Integrity (Scored)
-
-# 13.7 Check Permissions on User Home Directories (Scored)
-
-# 13.8 Check User Dot File Permissions (Scored)
-
-# 13.9 Check Permissions on User .netrc Files (Scored)
-
-# 13.10 Check for Presence of User .rhosts Files (Scored)
-
-# 13.11 Check Groups in /etc/passwd (Scored)
-
-# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
-
-# 13.13 Check User Home Directory Ownership (Scored)
-
-# 13.14 Check for Duplicate UIDs (Scored)
-
-# 13.15 Check for Duplicate GIDs (Scored)
-
-# 13.16 Check for Duplicate User Names (Scored)
-
-# 13.17 Check for Duplicate Group Names (Scored)
-
-# 13.18 Check for Presence of User .netrc Files (Scored)
-
-# 13.19 Check for Presence of User .forward Files (Scored)
-
-# 13.20 Ensure shadow group is empty (Scored)
-
-
-# Other/Legacy Tests
-[CIS - SLES12 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/shadow -> r:^\w+::;
-
-[CIS - SLES12 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
-f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
-
-[CIS - SLES12 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dkudzu$;
-
-[CIS - SLES12 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dpostgresql$;
-
-[CIS - SLES12 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dmysqld$;
-
-[CIS - SLES12 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dnamed$;
-
-[CIS - SLES12 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
-d:$rc_dirs -> ^S\d\dnetfs$;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2017 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value.
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Solaris 11
-# Based on Center for Internet Security Benchmark for Solaris 11 Benchmark v1.1.0 https://workbench.cisecurity.org/benchmarks/410
-#
-$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
-#
-#
-#2.1 Disable Local-only Graphical Login Environment
-[CIS - Solaris 11 Configuration - 2.1 Disable Local-only Graphical Login Environment] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:gdm;
-p:cde;
-#
-#
-#2.2 Configure sendmail Service for Local-Only Mode
-[CIS - Solaris 11 Configuration - 2.2 Configure sendmail Service for Local-Only Mode] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:!/etc/mail/local.cf;
-#
-#
-#2.3 Disable RPC Encryption Key
-[CIS - Solaris 11 Configuration - 2.3 Disable RPC Encryption Key] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:keyserv;
-#
-#
-#2.4 Disable NIS Server Services
-[CIS - Solaris 11 Configuration - 2.4 Disable NIS Server Services] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:ypserv;
-p:ypbind;
-p:ypxfr;
-p:rpc.yppasswdd;
-p:rpc.ypupdated;
-f:/etc/init.d/nis;
-#
-#
-#2.5 Disable NIS Client Services
-[CIS - Solaris 11 Configuration - 2.5 Disable NIS Client Services] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:ypserv;
-p:ypbind;
-p:ypxfr;
-p:rpc.yppasswdd;
-p:rpc.ypupdated;
-f:/etc/init.d/nis;
-#
-#
-#2.6 Disable Kerberos TGT Expiration Warning
-[CIS - Solaris 11 Configuration - 2.6 Disable Kerberos TGT Expiration Warning] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:ktkt_warnd;
-#
-#
-#2.7 Disable Generic Security Services (GSS)
-[CIS - Solaris 11 Configuration - 2.7 Disable Generic Security Services (GSS)] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:gssd;
-#
-#
-#2.8 Disable Removable Volume Manager
-[CIS - Solaris 11 Configuration - 2.8 Disable Removable Volume Manager] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:smserverd;
-#
-#
-#2.9 Disable automount Service
-[CIS - Solaris 11 Configuration - 2.9 Disable automount Service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:automountd;
-#
-#
-#2.10 Disable Apache Service
-[CIS - Solaris 11 Configuration - 2.10 Disable Apache Service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:apache;
-p:httpd;
-#
-#
-#2.11 Disable Local-only RPC Port Mapping Service
-[CIS - Solaris 11 Configuration - 2.11 Disable Local-only RPC Port Mapping Service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:rpcbind;
-#
-#
-#2.12 Configure TCP Wrappers
-[CIS - Solaris 11 Configuration - 2.12 Configure TCP Wrappers] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:!/etc/hosts.allow;
-f:!/etc/hosts.deny;
-#
-#
-#2.13 Disable Telnet Service
-[CIS - Solaris 11 Configuration - 2.13 Disable Telnet Service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-p:telnetd;
-#
-#
-#3.1 Restrict Core Dumps to Protected Directory
-[CIS - Solaris 11 Configuration - 3.1 Restrict Core Dumps to Protected Directory] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/coreadm.conf -> !r:^COREADM_GLOB_PATTERN\p\.+;
-f:/etc/coreadm.conf -> !r:^COREADM_GLOB_CONTENT\pdefault;
-f:/etc/coreadm.conf -> !r:^COREADM_INIT_PATTERN\pcore;
-f:/etc/coreadm.conf -> !r:^COREADM_INIT_CONTENT\pdefault;
-f:/etc/coreadm.conf -> !r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno;
-f:/etc/coreadm.conf -> !r:^COREADM_PROC_ENABLED\pno;
-f:/etc/coreadm.conf -> !r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno;
-f:/etc/coreadm.conf -> !r:^COREADM_PROC_SETID_ENABLED\pno;
-f:/etc/coreadm.conf -> !r:^COREADM_GLOB_LOG_ENABLED\pyes;
-#
-#
-#3.2 Enable Stack Protection
-[CIS - Solaris 11 Configuration - 3.2 Enable Stack Protection] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:!/etc/system;
-f:/etc/system -> !r:^\s*\t*noexec_user_stack\p1;
-f:/etc/system -> !r:^# && r:\s*\t*noexec_user_stack\p0;
-f:/etc/system -> !r:^\s*\t*noexec_user_stack_log\p1;
-f:/etc/system -> !r:^# && r:\s*\t*noexec_user_stack_log\p0;
-#
-#
-#3.3 Enable Strong TCP Sequence Number Generation
-[CIS - Solaris 11 Configuration - 3.3 Enable Strong TCP Sequence Number Generation] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/inetinit -> !r:^TCP_STRONG_ISS\p2;
-f:/etc/default/inetinit -> !r:^# && r:TCP_STRONG_ISS\p1;
-#
-#
-#4.1 Create CIS Audit Class
-[CIS - Solaris 11 Configuration - 4.1 Create CIS Audit Class] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/security/audit_class -> !r:0x\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d:cis:\.+;
-#
-#
-#4.2 Enable Auditing of Incoming Network Connections
-[CIS - Solaris 11 Configuration - 4.2 Enable Auditing of Incoming Network Connections] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/security/audit_event -> !r:^\d+:AUE_ACCEPT:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_CONNECT:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKACCEPT:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKCONNECT:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_inetd_connect:\.+cis\.*;
-#
-#
-#4.3 Enable Auditing of File Metadata Modification Events
-[CIS - Solaris 11 Configuration - 4.3 Enable Auditing of File Metadata Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/security/audit_event -> !r:^\d+:AUE_CHMOD:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_CHOWN:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_FCHOWN:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_FCHMOD:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_LCHOWN:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_ACLSET:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_FACLSET:\.+cis\.*;
-#
-#
-#4.4 Enable Auditing of Process and Privilege Events
-[CIS - Solaris 11 Configuration - 4.4 Enable Auditing of Process and Privilege Events] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/security/audit_event -> !r:^\d+:AUE_CHROOT:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETREUID:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETREGID:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_FCHROOT:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_PFEXEC:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETUID:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_NICE:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETGID:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETEGID:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETEUID:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETPRIV:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETSID:\.+cis\.*;
-f:/etc/security/audit_event -> !r:^\d+:AUE_SETPGID:\.+cis\.*;
-#
-#
-#4.5 Configure Solaris Auditing
-[CIS - Solaris 11 Configuration - 4.5 Configure Solaris Auditing] [any] [https://workbench.cisecurity.org/benchmarks/410]
-d:/var/spool/cron/crontabs -> !r:/usr/sbin/audit -n;
-#
-#
-#5.1 Default Service File Creation Mask
-[CIS - Solaris 11 Configuration - 5.1 Default Service File Creation Mask] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/profile -> !r:^umask\s*\d\d\d;
-#
-#
-#6.2 Disable "nobody" Access for RPC Encryption Key Storage Service
-[CIS - Solaris 11 Configuration - 6.2 Disable "nobody" Access for RPC Encryption Key Storage Service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f!:/etc/default/keyserv;
-f:/etc/default/keyserv -> !r:^ENABLE\.NOBODY\.KEYS\pNO;
-f:/etc/default/keyserv -> !r:^# && r:ENABLE\.NOBODY\.KEYS\pYES;
-#
-#
-#6.3 Disable X11 Forwarding for SSH
-[CIS - Solaris 11 Configuration - 6.3 Disable X11 Forwarding for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s*no;
-f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s*yes;
-#
-#
-#6.4 Limit Consecutive Login Attempts for SSH
-[CIS - Solaris 11 Configuration - 6.4 Limit Consecutive Login Attempts for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s*3;
-f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries\s*3\d+;
-#
-#
-#6.5 Disable Rhost-based Authentication for SSH
-[CIS - Solaris 11 Configuration - 6.5 Disable Rhost-based Authentication for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s*yes;
-f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s*no;
-#
-#
-#6.6 Disable root login for SSH
-[CIS - Solaris 11 Configuration - 6.6 Disable root login for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s*no;
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s*yes;
-#
-#
-#6.7 Blocking Authentication Using Empty/Null Passwords for SSH
-[CIS - Solaris 11 Configuration - 6.7 Blocking Authentication Using Empty/Null Passwords for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s*no;
-f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s*yes;
-#
-#
-#6.8 Disable Host-based Authentication for Login-based Services
-[CIS - Solaris 11 Configuration - 6.8 Disable Host-based Authentication for Login-based Services] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/pam.conf -> !r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1;
-f:/etc/pam.conf -> !r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1;
-#
-#
-#6.9 Restrict FTP Use
-[CIS - Solaris 11 Configuration - 6.9 Restrict FTP Use] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/ftpd/ftpusers -> !r:^root;
-f:/etc/ftpd/ftpusers -> !r:^daemon;
-f:/etc/ftpd/ftpusers -> !r:^bin;
-f:/etc/ftpd/ftpusers -> !r:^sys;
-f:/etc/ftpd/ftpusers -> !r:^adm;
-f:/etc/ftpd/ftpusers -> !r:^uucp;
-f:/etc/ftpd/ftpusers -> !r:^nuucp;
-f:/etc/ftpd/ftpusers -> !r:^smmsp;
-f:/etc/ftpd/ftpusers -> !r:^listen;
-f:/etc/ftpd/ftpusers -> !r:^gdm;
-f:/etc/ftpd/ftpusers -> !r:^lp;
-f:/etc/ftpd/ftpusers -> !r:^webservd;
-f:/etc/ftpd/ftpusers -> !r:^postgres;
-f:/etc/ftpd/ftpusers -> !r:^svctag;
-f:/etc/ftpd/ftpusers -> !r:^openldap;
-f:/etc/ftpd/ftpusers -> !r:^unknown;
-f:/etc/ftpd/ftpusers -> !r:^aiuser;
-f:/etc/ftpd/ftpusers -> !r:^nobody;
-f:/etc/ftpd/ftpusers -> !r:^nobody4;
-f:/etc/ftpd/ftpusers -> !r:^noaccess;
-#
-#
-#6.10 Set Delay between Failed Login Attempts to 4
-[CIS - Solaris 11 Configuration - 6.10 Set Delay between Failed Login Attempts to 4] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/login -> !r:^SLEEPTIME\p4;
-f:/etc/default/login -> !r:^# && r:SLEEPTIME\p4\d;
-#
-#
-#6.11 Remove Autologin Capabilities from the GNOME desktop
-[CIS - Solaris 11 Configuration - 6.11 Remove Autologin Capabilities from the GNOME desktop] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/pam.conf -> !r:^# && r:gdm-autologin;
-#
-#
-#6.12 Set Default Screen Lock for GNOME Users
-[CIS - Solaris 11 Configuration - 6.12 Set Default Screen Lock for GNOME Users] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*timeout:\s*\t*0:10:00;
-f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*locktimeout:\s*\t*0:00:00;
-f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*lock:\s*\t*true;
-#
-#
-#6.13 Restrict at/cron to Authorized Users
-[CIS - Solaris 11 Configuration - 6.13 Restrict at/cron to Authorized Users] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/cron.d/cron.deny;
-f:/etc/cron.d/at.deny;
-f:!/etc/cron.d/cron.allow;
-f:/etc/cron.d/cron.allow -> !r:^root$;
-f:!/etc/cron.d/at.allow;
-f:/etc/cron.d/at.allow -> !r:^# && r:\w;
-#
-#
-#6.14 Restrict root Login to System Console
-[CIS - Solaris 11 Configuration - 6.14 Restrict root Login to System Console] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/login -> !r:^CONSOLE\p/dev/console;
-#
-#
-#6.15 Set Retry Limit for Account Lockout
-[CIS - Solaris 11 Configuration - 6.14 Restrict root Login to System Console] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/login -> !r:^RETRIES\p3;
-f:/etc/default/login -> !r:^# && r:RETRIES\p3\d;
-f:/etc/security/policy.conf -> !r:^LOCK_AFTER_RETRIES\pyes;
-f:/etc/security/policy.conf -> !r:^# && r:LOCK_AFTER_RETRIES\pno;
-#
-#
-#6.17 Secure the GRUB Menu (Intel)
-[CIS - Solaris 11 Configuration - 6.17 Secure the GRUB Menu (Intel)] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/rpool/boot/grub/menu.lst -> !r:^password\s*--md5;
-#
-#
-#7.1 Set Password Expiration Parameters on Active Accounts
-[CIS - Solaris 11 Configuration - 7.1 Set Password Expiration Parameters on Active Accounts] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/passwd -> !r:^maxweeks\p13;
-f:/etc/default/passwd -> !r:^# &&r:maxweeks\p13\d;
-f:/etc/default/passwd -> !r:^minweeks\p1;
-f:/etc/default/passwd -> !r:^# &&r:minweeks\p1\d;
-f:/etc/default/passwd -> !r:^warnweeks\p4;
-f:/etc/default/passwd -> !r:^# &&r:warnweeks\p4\d;
-#
-#
-#7.2 Set Strong Password Creation Policies
-[CIS - Solaris 11 Configuration - 7.2 Set Strong Password Creation Policies] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/passwd -> !r:^passlength\p8;
-f:/etc/default/passwd -> !r:^# && r:passlength\p8\d;
-f:/etc/default/passwd -> !r:^namecheck\pyes;
-f:/etc/default/passwd -> !r:^# && r:namecheck\pno;
-f:/etc/default/passwd -> !r:^history\p10;
-f:/etc/default/passwd -> !r:^# && r:history\p10\d;
-f:/etc/default/passwd -> !r:^mindiff\p3;
-f:/etc/default/passwd -> !r:^# && r:mindiff\p3\d;
-f:/etc/default/passwd -> !r:^minalpha\p2;
-f:/etc/default/passwd -> !r:^# && r:minalpha\p2\d;
-f:/etc/default/passwd -> !r:^minupper\p1;
-f:/etc/default/passwd -> !r:^# && r:minupper\p1\d;
-f:/etc/default/passwd -> !r:^minlower\p1;
-f:/etc/default/passwd -> !r:^# && r:minlower\p1\d;
-f:/etc/default/passwd -> !r:^minnonalpha\p1;
-f:/etc/default/passwd -> !r:^# && r:minnonalpha\p1\d;
-f:/etc/default/passwd -> !r:^maxrepeats\p0;
-f:/etc/default/passwd -> !r:^# && r:maxrepeats\p0\d;
-f:/etc/default/passwd -> !r:^whitespace\pyes;
-f:/etc/default/passwd -> !r:^# && r:whitespace\pno;
-f:/etc/default/passwd -> !r:^dictiondbdir\p/var/passwd;
-f:/etc/default/passwd -> !r:^dictionlist\p/usr/share/lib/dict/words;
-#
-#
-#7.3 Set Default umask for users
-[CIS - Solaris 11 Configuration - 7.3 Set Default umask for users] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/login -> !r:^umask\p027|^umask\p077;
-f:/etc/default/login -> !r:^# && r:umask\p026;
-f:/etc/default/login -> !r:^# && r:umask\p022;
-#
-#
-#7.4 Set Default File Creation Mask for FTP Users
-[CIS - Solaris 11 Configuration - 7.4 Set Default File Creation Mask for FTP Users] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/proftpd.conf -> !r:^umask\s*027;
-f:/etc/proftpd.conf -> !r:^# && r:umask\s*026;
-f:/etc/proftpd.conf -> !r:^# && r:umask\s*022;
-#
-#
-#7.5 Set "mesg n" as Default for All Users
-[CIS - Solaris 11 Configuration - 7.5 Set "mesg n" as Default for All Users] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/.login -> !r:^mesg\s*n;
-f:/etc/profile -> !r:^mesg\s*n;
-#
-#
-#8.1 Create Warnings for Standard Login Services
-[CIS - Solaris 11 Configuration - 8.1 Create Warnings for Standard Login Services] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/issue -> r:SunOS;
-f:/etc/issue -> r:Oracle;
-f:/etc/issue -> r:solaris;
-f:/etc/issue -> !r:Authorized users only. All activity may be monitored and reported;
-f:/etc/motd -> r:SunOS;
-f:/etc/motd -> r:Oracle;
-f:/etc/motd -> r:solaris;
-f:/etc/motd -> !r:Authorized users only. All activity may be monitored and reported;
-#
-#
-#8.2 Enable a Warning Banner for the SSH Service
-[CIS - Solaris 11 Configuration - 8.2 Enable a Warning Banner for the SSH Service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/ssh/sshd_config -> !r:^Banner\s*/etc/issue;
-#
-#
-#8.3 Enable a Warning Banner for the GNOME Service
-[CIS - Solaris 11 Configuration - 8.3 Enable a Warning Banner for the GNOME Service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/gdm/Init/Default -> !r:^/usr/bin/zenity\s\.;
-#
-#
-#8.4 Enable a Warning Banner for the FTP service
-[CIS - Solaris 11 Configuration - 8.4 Enable a Warning Banner for the FTP service] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/proftpd.conf -> !r:^DisplayConnect\s+/etc/issue;
-#
-#
-#8.5 Check that the Banner Setting for telnet is Null
-[CIS - Solaris 11 Configuration - 8.5 Check that the Banner Setting for telnet is Null] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/default/telnetd -> !r:^# && r:BANNER=\.;
-f:/etc/default/telnetd -> !r:BANNER=$;
-#
-#
-#9.3 Verify System Account Default Passwords
-[CIS - Solaris 11 Configuration - 9.3 Verify System Account Default Passwords] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/shadow -> r:daemon && !r::NL:|:NP:;
-f:/etc/shadow -> r:lp && !r::NL:|:NP:;
-f:/etc/shadow -> r:adm && !r::NL:|:NP:;
-f:/etc/shadow -> r:bin && !r::NL:|:NP:;
-f:/etc/shadow -> r:gdm && !r::\p*LK\p*:;
-f:/etc/shadow -> r:noaccess && !r::\p*LK\p*:;
-f:/etc/shadow -> r:nobody && !r::\p*LK\p*:;
-f:/etc/shadow -> r:nobody4 && !r::\p*LK\p*:;
-f:/etc/shadow -> r:openldap && !r::\p*LK\p*:;
-f:/etc/shadow -> r:unknown && !r::\p*LK\p*:;
-f:/etc/shadow -> r:webservd && !r::\p*LK\p*:;
-f:/etc/shadow -> r:mysql && !r::NL:|:NP:;
-f:/etc/shadow -> r:nuuc && !r::NL:|:NP:;
-f:/etc/shadow -> r:postgres && !r::NL:|:NP:;
-f:/etc/shadow -> r:smmsp && !r::NL:|:NP:;
-f:/etc/shadow -> r:sys && !r::NL:|:NP:;
-f:/etc/shadow -> r:uucp && !r::NL:|:NP:;
-f:/etc/shadow -> r:aiuser && !r::\p*LK\p*:;
-f:/etc/shadow -> r:dhcpserv && !r::\p*LK\p*:;
-f:/etc/shadow -> r:dladm && !r::\p*LK\p*:;
-f:/etc/shadow -> r:ftp && !r::\p*LK\p*:;
-f:/etc/shadow -> r:netadm && !r::\p*LK\p*:;
-f:/etc/shadow -> r:netcfg && !r::\p*LK\p*:;
-f:/etc/shadow -> r:pkg5srv && !r::\p*LK\p*:;
-f:/etc/shadow -> r:svctag && !r::\p*LK\p*:;
-f:/etc/shadow -> r:xvm && !r::\p*LK\p*:;
-f:/etc/shadow -> r:upnp && !r::NL:|:NP:;
-f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:;
-#
-#
-#9.4 Ensure Password Fields are Not Empty
-[CIS - Solaris 11 Configuration - 9.4 Ensure Password Fields are Not Empty] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/shadow -> r:\.+::\.+\w+\.*$;
-#
-#
-#9.5 Verify No UID 0 Accounts Exist Other than root
-[CIS - Solaris 11 Configuration - 9.5 Verify No UID 0 Accounts Exist Other than root] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/passwd -> !r:^root && r::\.:0:\.*;
-#
-#
-#9.6 Ensure root PATH Integrity
-[CIS - Solaris 11 Configuration - Ensure root PATH Integrity] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/profile -> r:.;
-f:/etc/environment -> r:.;
-f:/.profile -> r:.;
-f:/.bash_profile -> r:.;
-f:/.bashrc -> r:.;
-f:/etc/profile -> r:::;
-f:/etc/environment -> r:::;
-f:/.profile -> r:::;
-f:/.bash_profile -> r:::;
-f:/.bashrc -> r:::;
-f:/etc/profile -> r::$;
-f:/etc/environment -> r::$;
-f:/.profile -> r::$;
-f:/.bash_profile -> r::$;
-f:/.bashrc -> r::$;
-#
-#
-#9.10 Check for Presence of User .rhosts Files
-[CIS - Solaris 11 Configuration - 9.10 Check for Presence of User .rhosts Files] [any] [https://workbench.cisecurity.org/benchmarks/410]
-d:$home_dirs -> ^.rhosts$;
-#
-#
-#9.12 Check That Users Are Assigned Home Directories
-[CIS - Solaris 11 Configuration - 9.12 Check That Users Are Assigned Home Directories] [any] [https://workbench.cisecurity.org/benchmarks/410]
-f:/etc/passwd -> \w+:\.*:\d*:\d*:\.*:\S+:\.*;
-#
-#
-#9.20 Check for Presence of User .netrc Files
-[CIS - Solaris 11 Configuration - 9.20 Check for Presence of User .netrc Files] [any] [https://workbench.cisecurity.org/benchmarks/410]
-d:$home_dirs -> ^.netrc$;
-#
-#
-#9.21 Check for Presence of User .forward Files
-[CIS - Solaris 11 Configuration - 9.21 Check for Presence of User .forward Files] [any] [https://workbench.cisecurity.org/benchmarks/410]
-d:$home_dirs -> ^.forward$;
-#
-#
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows 10
-# Based on Center for Internet Security Benchmark v1.4.0 for Microsoft Windows 10 Release 1709 (https://workbench.cisecurity.org/benchmarks/766)
-#
-#
-#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
-[CIS - Microsoft Windows 10 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;
-#
-#
-#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;
-#
-#
-#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;
-#
-#
-#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'[CIS - Microsoft Windows 10 - 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;
-#
-#
-#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'
-[CIS - Microsoft Windows 10 - 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2;
-#
-#
-#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'[CIS - Microsoft Windows 10 - 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;
-#
-#
-#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;
-#
-#
-#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;
-#
-#
-#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> !0;
-#
-#
-#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> !1;
-#
-#
-#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> !1;
-#
-#
-#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> !0;
-#
-#
-#2.3.7.4 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'[CIS - Microsoft Windows 10 - 2.3.7.4 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;
-#
-#
-#2.3.7.8 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
-[CIS - Microsoft Windows 10 - 2.3.7.8 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;
-#
-#
-#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
-[CIS - Microsoft Windows 10 - 2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption;
-#
-#
-#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;
-#
-#
-#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;
-#
-#
-#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
-[CIS - Microsoft Windows 10 - 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;
-#
-#
-#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;
-#
-#
-#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
-[CIS - Microsoft Windows 10 - 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel;
-#
-#
-#2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0;
-#
-#
-#2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> !RestrictAnonymous;
-#
-#
-#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;
-#
-#
-#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;
-#
-#
-#2.3.10.6 Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'
-[CIS - Microsoft Windows 10 - 2.3.10.6 Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;
-#
-#
-#2.3.10.7 Ensure 'Network access: Remotely accessible registry paths'
-[CIS - Microsoft Windows 10 - 2.3.10.7 Ensure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> !Machine;
-#
-#
-#2.3.10.8 Ensure 'Network access: Remotely accessible registry paths and sub-paths'
-[CIS - Microsoft Windows 10 - 2.3.10.8 Ensure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> !Machine;
-#
-#
-#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;
-#
-#
-#2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
-[CIS - Microsoft Windows 10 - 2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> !r:O:BAG:BAD:\(A;;RC;;;BA\);
-#
-#
-#2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
-[CIS - Microsoft Windows 10 - 2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*;
-#
-#
-#2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
-[CIS - Microsoft Windows 10 - 2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;
-#
-#
-#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;
-#
-#
-#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;
-#
-#
-#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;
-#
-#
-#2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
-[CIS - Microsoft Windows 10 - 2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> !SupportedEncryptionTypes;
-#
-#
-#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;
-#
-#
-#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
-[CIS - Microsoft Windows 10 - 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;
-#
-#
-#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
-[CIS - Microsoft Windows 10 - 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;
-#
-#
-#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows 10 - 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;
-#
-#
-#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows 10 - 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;
-#
-#
-#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;
-#
-#
-#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;
-#
-#
-#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;
-#
-#
-#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;
-#
-#
-#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
-[CIS - Microsoft Windows 10 - 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;
-#
-#
-#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
-[CIS - Microsoft Windows 10 - 2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;
-#
-#
-#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;
-#
-#
-#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;
-#
-#
-#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;
-#
-#
-#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;
-#
-#
-#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;
-#
-#
-#5.3 Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.3 Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> !4;
-#
-#
-#5.6 Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.6 Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> !Start;
-#
-#
-#5.7 Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.7 Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> !Start;
-#
-#
-#5.8 Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.8 Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> !4;
-#
-#
-#5.9 Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.9 Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> !Start;
-#
-#
-#5.10 Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.10 Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> !Start;
-#
-#
-#5.12 Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.12 Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> !4;
-#
-#
-#5.13 Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.13 Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> !4;
-#
-#
-#5.24 Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.24 Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> !Start;
-#
-#
-#5.26 Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.26 Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> !Start;
-#
-#
-#5.28 Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.28 Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> !4;
-#
-#
-#5.30 Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.30 Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> !Start;
-#
-#
-#5.31 Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.31 Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> !Start;
-#
-#
-#5.32 Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.32 Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> !4;
-#
-#
-#5.35 Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.35 Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> !4;
-#
-#
-#5.36 Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.36 Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> !Start;
-#
-#
-#5.41 Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.41 Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> !4;
-#
-#
-#5.42 Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.42 Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> !Start;
-#
-#
-#5.43 Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.43 Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> !Start;
-#
-#
-#5.44 Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.44 Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> !Start;#
-#
-#5.45 Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.45 Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> !Start;
-#
-#
-#4.46 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 4.46 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> !Start;
-#
-#
-#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
-[CIS - Microsoft Windows 10 - 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;
-#
-#
-#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows 10 - 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows 10 - 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows 10 - 9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;
-#
-#
-#9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows 10 - 9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
-[CIS - Microsoft Windows 10 - 9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows 10 - 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows 10 - 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
-[CIS - Microsoft Windows 10 - 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;
-#
-#
-#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows 10 - 9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows 10 - 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows 10 - 9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;
-#
-#
-#9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows 10 - 9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
-[CIS - Microsoft Windows 10 - 9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows 10 - 9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows 10 - 9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
-[CIS - Microsoft Windows 10 - 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;
-#
-#
-#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows 10 - 9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows 10 - 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows 10 - 9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;
-#
-#
-#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
-[CIS - Microsoft Windows 10 - 9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
-[CIS - Microsoft Windows 10 - 9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows 10 - 9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
-[CIS - Microsoft Windows 10 - 9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows 10 - 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows 10 - 9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;
-#
-#
-#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;
-#
-#
-#18.1.2.2 Ensure 'Allow input personalization' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.1.2.2 Ensure 'Allow input personalization' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> !AllowInputPersonalization;
-#
-#
-#18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed
-[CIS - Microsoft Windows 10 - 18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName;
-#
-#
-#18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled;
-#
-#
-#18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled;
-#
-#
-#18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
-[CIS - Microsoft Windows 10 - 18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4;
-#
-#
-#18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
-[CIS - Microsoft Windows 10 - 18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength;
-#
-#
-#18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
-[CIS - Microsoft Windows 10 - 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+;
-#
-#
-#18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0;
-#
-#
-#18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'
-[CIS - Microsoft Windows 10 - 18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> !Start;
-#
-#
-#18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> !SMB1;
-#
-#
-#18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> !DisableExceptionChainValidation;
-#
-#
-#18.3.5 Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.3.5 Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 0;
-#
-#
-#18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;
-#
-#
-#18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;
-#
-#
-#18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows 10 - Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows 10 - 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;
-#
-#
-#18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;
-#
-#
-#18.4.9 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.4.9 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;
-#
-#
-#18.4.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
-[CIS - Microsoft Windows 10 - 18.4.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;
-#
-#
-#18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
-[CIS - Microsoft Windows 10 - 18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;
-#
-#
-#18.5.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
-[CIS - Microsoft Windows 10 - 18.5.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> !2;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> !NodeType;
-#
-#
-#18.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> !EnableMulticast;
-#
-#
-#18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> !AllowInsecureGuestAuth;
-#
-#
-#18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;
-#
-#
-#18.5.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_ShowSharedAccessUI;
-#
-#
-#18.5.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;
-#
-#
-#18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'
-[CIS - Microsoft Windows 10 - 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> !r:RequireMutualAuthentication=1, RequireIntegrity=1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> !r:RequireMutualAuthentication=1, RequireIntegrity=1;
-#
-#
-#18.5.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;
-#
-#
-#18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain;
-#
-#
-#18.5.23.2.1 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.5.23.2.1 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> !AutoConnectAllowedOEM;
-#
-#
-#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;
-#
-#
-#18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> !AllowProtectedCreds;
-#
-#
-#18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
-[CIS - Microsoft Windows 10 - 18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;
-#
-#
-#18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
-[CIS - Microsoft Windows 10 - 18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;
-#
-#
-#18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
-[CIS - Microsoft Windows 10 - 18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;
-#
-#
-#18.8.21.4 Ensure 'Continue experiences on this device' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.21.4 Ensure 'Continue experiences on this device' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableCdp;
-#
-#
-#18.8.21.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.21.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;
-#
-#
-#18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
-#
-#
-#18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
-#
-#
-#18.8.22.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
-#
-#
-#18.8.27.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.27.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockUserFromShowingAccountDetailsOnSignin;
-#
-#
-#18.8.27.2 Ensure 'Do not display network selection UI' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.27.2 Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;
-#
-#
-#18.8.27.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.27.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;
-#
-#
-#18.8.27.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.27.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;
-#
-#
-#18.8.27.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.27.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;
-#
-#
-#18.8.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockDomainPicturePassword;
-#
-#
-#18.8.27.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.27.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;
-#
-#
-#18.8.33.6.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.33.6.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !DCSettingIndex;
-#
-#
-#18.8.33.6.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.33.6.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !ACSettingIndex;
-#
-#
-#18.8.33.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.33.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;
-#
-#
-#18.8.33.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.33.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;
-#
-#
-#18.8.35.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.35.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;
-#
-#
-#18.8.35.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.35.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;
-#
-#
-#18.8.36.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.36.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution;
-#
-#
-#18.8.36.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
-[CIS - Microsoft Windows 10 - 18.8.36.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1;
-#
-#
-#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;
-#
-#
-#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;
-#
-#
-#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
-[CIS - Microsoft Windows 10 - 18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;
-#
-#
-#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
-[CIS - Microsoft Windows 10 - 18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;
-#
-#
-#18.9.10.1.1 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.10.1.1 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> !EnhancedAntiSpoofing;
-#
-#
-#18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> !DisableWindowsConsumerFeatures;
-#
-#
-#18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> !RequirePinForPairing;
-#
-#
-#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;
-#
-#
-#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;
-#
-#
-#18.9.16.1 Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'
-[CIS - Microsoft Windows 10 - 18.9.16.1 Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !AllowTelemetry;
-#
-#
-#18.9.16.3 Ensure 'Disable pre-release features or settings' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.16.3 Ensure 'Disable pre-release features or settings' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !EnableConfigFlighting;
-#
-#
-#18.9.16.4 Ensure 'Do not show feedback notifications' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.16.4 Ensure 'Do not show feedback notifications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DoNotShowFeedbackNotifications;
-#
-#
-#18.9.16.5 Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.16.5 Ensure 'Toggle user control over Insider builds' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !AllowBuildPreview;
-#
-#
-#18.9.17.1 Ensure 'Download Mode' is NOT set to 'Enabled: Internet'
-[CIS - Microsoft Windows 10 - 18.9.17.1 Ensure 'Download Mode' is NOT set to 'Enabled: Internet'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> 3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> !DODownloadMode;
-#
-#
-#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 1;
-#
-#
-#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows 10 - 18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;
-#
-#
-#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;
-#
-#
-#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
-[CIS - Microsoft Windows 10 - 18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;
-#
-#
-#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'[CIS - Microsoft Windows 10 - 18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;
-#
-#
-#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows 10 - 18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;
-#
-#
-#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;
-#
-#
-#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows 10 - 18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;
-#
-#
-#18.9.30.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.30.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;
-#
-#
-#18.9.30.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.30.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;
-#
-#
-#18.9.30.4 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.30.4 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;
-#
-#
-#18.9.35.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.35.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> !DisableHomeGroup;
-#
-#
-#18.9.44.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.44.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> !DisableUserAuth;
-#
-#
-#18.9.45.4 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher
-[CIS - Microsoft Windows 10 - 18.9.45.4 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> 2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !Cookies;
-#
-#
-#18.9.45.5 Ensure 'Configure Password Manager' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.45.5 Ensure 'Configure Password Manager' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> !no;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !FormSuggest Passwords;
-#
-#
-#18.9.45.8 Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.45.8 Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> !1;
-#
-#
-#18.9.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;
-#
-#
-#18.9.58.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.58.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;
-#
-#
-#18.9.58.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;
-#
-#
-#18.9.58.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;
-#
-#
-#18.9.58.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;
-#
-#
-#18.9.58.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
-[CIS - Microsoft Windows 10 - 18.9.58.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;
-#
-#
-#18.9.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;
-#
-#
-#18.9.58.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;
-#
-#
-#18.9.59.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.59.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;
-#
-#
-#18.9.60.3 Ensure 'Allow Cortana' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.60.3 Ensure 'Allow Cortana' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortana;
-#
-#
-#18.9.60.4 Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.60.4 Ensure 'Allow Cortana above lock screen' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortanaAboveLock;
-#
-#
-#18.9.60.5 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.60.5 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;
-#
-#
-#18.9.60.6 Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.60.6 Ensure 'Allow search and Cortana to use location' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowSearchToUseLocation;
-#
-#
-#18.9.68.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.68.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;
-#
-#
-#18.9.68.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.68.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;
-#
-#
-#18.9.76.3.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.76.3.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> !0;
-#
-#
-#18.9.76.7.1 Ensure 'Turn on behavior monitoring' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.76.7.1 Ensure 'Turn on behavior monitoring' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> !1;
-#
-#
-#18.9.76.10.1 Ensure 'Scan removable drives' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.76.10.1 Ensure 'Scan removable drives' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> !DisableRemovableDriveScanning;
-#
-#
-#18.9.76.10.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.76.10.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> !DisableEmailScanning;
-#
-#
-#18.9.76.13.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.76.13.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> !ExploitGuard_ASR_Rules;
-#
-#
-#18.9.76.13.1.2 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'
-[CIS - Microsoft Windows 10 - 18.9.76.13.1.2 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D4F940AB-401B-4EFC-AADC-AD5F3C50688A;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !3B576869-A4EC-4529-8536-B80A7769E899;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D3E037E1-3EB8-44C8-A917-57927947596D;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !5BEB7EFE-FD9A-4556-801D-275E5FFC04CC;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> !1;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B;
-#
-#
-#18.9.76.13.3.1 Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
-[CIS - Microsoft Windows 10 - 18.9.76.13.3.1 Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> !EnableNetworkProtection;
-#
-#
-#18.9.76.14 Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.76.14 Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 1;
-#
-#
-#18.9.79.1.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.79.1.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> !DisallowExploitProtectionOverride;
-#
-#
-#18.9.80.1.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
-[CIS - Microsoft Windows 10 - 18.9.80.1.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> !Block;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !ShellSmartScreenLevel;
-#
-#
-#18.9.80.2.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.80.2.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> !1;
-#
-#
-#18.9.80.2.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.80.2.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverrideAppRepUnknown;
-#
-#
-#18.9.80.2.3 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.80.2.3 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverride;
-#
-#
-#18.9.82.1 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.82.1 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> !AllowGameDVR;
-#
-#
-#18.9.84.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'
-[CIS - Microsoft Windows 10 - 18.9.84.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowWindowsInkWorkspace;
-#
-#
-#18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;
-#
-#
-#18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;
-#
-#
-#18.9.86.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.86.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;
-#
-#
-#18.9.95.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.95.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;
-#
-#
-#18.9.95.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.95.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;
-#
-#
-#18.9.97.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.97.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;
-#
-#
-#18.9.97.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.97.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.97.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.97.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;
-#
-#
-#18.9.97.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.97.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;
-#
-#
-#18.9.97.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.97.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.97.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.97.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;
-#
-#
-#18.9.101.1.1 Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'
-[CIS - Microsoft Windows 10 - 18.9.101.1.1 Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !ManagePreviewBuilds;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !ManagePreviewBuildsPolicyValue;
-#
-#
-#18.9.101.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'
-[CIS - Microsoft Windows 10 - 18.9.101.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferFeatureUpdates;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:10\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:11\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:12\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:13\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:14\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:15\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:16\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:17\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> !r:\d\d\d+;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferFeatureUpdatesPeriodInDays;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> !32;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !BranchReadinessLevel;
-#
-#
-#18.9.101.1.13 Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
-[CIS - Microsoft Windows 10 - 18.9.101.1.13 Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferQualityUpdates;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferQualityUpdatesPeriodInDays;
-#
-#
-#18.9.101.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.101.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;
-#
-#
-#18.9.101.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
-[CIS - Microsoft Windows 10 - 18.9.101.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;
-#
-#
-#18.9.101.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.101.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;
-#
-#
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows 10
-# Based on Center for Internet Security Benchmark v1.4.0 for Microsoft Windows 10 Release 1709 (https://workbench.cisecurity.org/benchmarks/766)
-#
-#
-#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> !AddPrinterDrivers;
-#
-#
-#2.3.7.7 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'
-[CIS - Microsoft Windows 10 - 2.3.7.7 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> !4;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount;
-#
-#
-#2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher
-[CIS - Microsoft Windows 10 - 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> !ForceKeyProtection;
-#
-#
-#5.1 Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.1 Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> !Start;
-#
-#
-#5.2 Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.2 Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> !Start;
-#
-#
-#5.4 Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.4 Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> !Start;
-#
-#
-#5.5 Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.5 Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> !Start;
-#
-#
-#5.11 Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.11 Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> !Start;
-#
-#
-#5.14 Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.14 Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> !Start;
-#
-#
-#5.15 Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.15 Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> !Start;
-#
-#
-#5.16 Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.16 Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> !Start;
-#
-#
-#5.17 Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.17 Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> !Start;
-#
-#
-#5.18 Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.18 Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> !Start;
-#
-#
-#5.19 Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.19 Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> !Start;
-#
-#
-#5.20 Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.20 Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> !Start;
-#
-#
-#5.21 Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.21 Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> !Start;
-#
-#
-#5.22 Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.22 Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> !Start;
-#
-#
-#5.23 Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.23 Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> !Start;
-#
-#
-#5.25 Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.25 Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> !Start;
-#
-#
-#5.27 Ensure 'Server (LanmanServer)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.27 Ensure 'Server (LanmanServer)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> !Start;
-#
-#
-#5.29 Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'
-[CIS - Microsoft Windows 10 - 5.29 Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> !4;
-#
-#
-#5.33 Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.33 Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> !Start;
-#
-#
-#5.34 Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.34 Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> !Start;
-#
-#
-#5.37 Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.37 Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> !Start;
-#
-#
-#5.38 Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.38 Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> !Start;
-#
-#
-#5.39 Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.39 Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> !Start;
-#
-#
-#5.40 Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 5.40 Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> !4;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> !Start;
-#
-#
-#18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !AllowOnlineTips;
-#
-#
-#18.4.4 Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.4.4 Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> !1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> !DisableSavePassword;
-#
-#
-#18.4.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'
-[CIS - Microsoft Windows 10 - 18.4.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;
-#
-#
-#18.4.8 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.4.8 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;
-#
-#
-#18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows 10 - 18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows 10 - 18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableFontProviders;
-#
-#
-#18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;
-#
-#
-#18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;
-#
-#
-#18.5.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;
-#
-#
-#18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
-[CIS - Microsoft Windows 10 - 18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;
-#
-#
-#18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;
-#
-#
-#18.5.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.5.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;
-#
-#
-#18.8.22.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
-#
-#
-#18.8.22.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
-#
-#
-#18.8.22.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
-#
-#
-#18.8.22.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.22.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
-#
-#
-#18.8.22.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
-#
-#
-#18.8.22.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
-#
-#
-#18.8.22.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
-#
-#
-#18.8.22.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
-#
-#
-#18.8.22.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
-#
-#
-#18.8.22.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
-#
-#
-#18.8.22.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.22.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport;
-#
-#
-#18.8.25.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
-[CIS - Microsoft Windows 10 - 18.8.25.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> !1;
-#
-#
-#18.8.26.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.26.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;
-#
-#
-#18.8.44.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.44.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;
-#
-#
-#18.8.44.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.44.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;
-#
-#
-#18.8.46.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.46.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;
-#
-#
-#18.8.49.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.8.49.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;
-#
-#
-#18.8.49.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.8.49.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0;
-#
-#
-#18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> !0;
-#
-#
-#18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !BlockHostedAppAccessWinRT;
-#
-#
-#18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> !AllowCamera;
-#
-#
-#18.9.16.2 Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
-[CIS - Microsoft Windows 10 - 18.9.16.2 Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DisableEnterpriseAuthProxy;
-#
-#
-#18.9.39.2 Ensure 'Turn off location' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.39.2 Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;
-#
-#
-#18.9.43.1 Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.43.1 Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> !AllowMessageSync;
-#
-#
-#18.9.45.1 Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.45.1 Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> !ShowOneBox;
-#
-#
-#18.9.45.2 Ensure 'Allow Adobe Flash' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.45.2 Ensure 'Allow Adobe Flash' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> !FlashPlayerEnabled;
-#
-#
-#18.9.45.3 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.45.3 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !AllowInPrivate;
-#
-#
-#18.9.45.6 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.45.6 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> !r:yes;
-#
-#
-#18.9.45.7 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.45.7 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> !ShowSearchSuggestionsGlobal;
-#
-#
-#18.9.45.9 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.45.9 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !PreventAccessToAboutFlagsInMicrosoftEdge;
-#
-#
-#18.9.45.10 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.45.10 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !HideLocalHostIP;
-#
-#
-#18.9.57.1 Ensure 'Turn off Push To Install service' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.57.1 Ensure 'Turn off Push To Install service' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> !DisablePushToInstall;
-#
-#
-#18.9.58.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> !1;
-#
-#
-#18.9.58.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;
-#
-#
-#18.9.58.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;
-#
-#
-#18.9.58.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.58.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;
-#
-#
-#18.9.58.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
-[CIS - Microsoft Windows 10 - 18.9.58.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;
-#
-#
-#18.9.58.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
-[CIS - Microsoft Windows 10 - 18.9.58.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;
-#
-#
-#18.9.60.2 Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
-[CIS - Microsoft Windows 10 - 18.9.60.2 Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCloudSearch;
-#
-#
-#18.9.65.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.65.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;
-#
-#
-#18.9.68.1 Ensure 'Disable all apps from Windows Store' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.68.1 Ensure 'Disable all apps from Windows Store' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableStoreApps;
-#
-#
-#18.9.68.4 Ensure 'Turn off the Store application' is set to 'Enabled'
-[CIS - Microsoft Windows 10 - 18.9.68.4 Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;
-#
-#
-#18.9.76.3.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.76.3.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;
-#
-#
-#18.9.76.9.1 Ensure 'Configure Watson events' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.76.9.1 Ensure 'Configure Watson events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts;
-#
-#
-#18.9.84.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.84.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowSuggestedAppsInWindowsInkWorkspace;
-#
-#
-#18.9.85.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.85.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;
-#
-#
-#18.9.97.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.97.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;
-#
-#
-#18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
-[CIS - Microsoft Windows 10 - 18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;
-#
-#
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2012 R2 Domain Controller L1
-# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
-#
-#
-#
-#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
-[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+;
-#
-#
-#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.2: Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;
-#
-#
-#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.4: Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;
-#
-#
-#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.1: Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;
-#
-#
-#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.2: Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;
-#
-#
-#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.1: Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2;
-#
-#
-#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.2: Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;
-#
-#
-#2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.1: Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> !0;
-
-#
-#
-#2.3.5.2 Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.2: Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> !2;
-#
-#
-#2.3.5.3 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.3: Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 1;
-#
-#
-#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.1: Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;
-#
-#
-#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.2: Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;
-#
-#
-#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.3: Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;
-#
-#
-#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.4: Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1;
-#
-#
-#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.6: Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0;
-#
-#
-#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.1: Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName;
-#
-#
-#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.2: Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD;
-#
-#
-#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.3: Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;
-#
-#
-#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.7: Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;
-#
-#
-#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption;
-#
-#
-#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.1: Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.2: Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;
-#
-#
-#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.3: Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;
-#
-#
-#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.1: Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;
-#
-#
-#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.2: Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.3: Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;
-#
-#
-#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.4: Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.5: Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;
-#
-#
-#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.6: Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> !r:lsarpc|netlogon|samr;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;
-#
-#
-#2.3.10.7 Configure 'Network access: Remotely accessible registry paths'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.7: Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;
-#
-#
-#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.8: Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;
-#
-#
-#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.9: Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;
-#
-#
-#2.3.10.10 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.10: Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*;
-#
-#
-#2.3.10.11 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.11: Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;
-#
-#
-#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.1: Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;
-#
-#
-#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.2: Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;
-#
-#
-#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.3: Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;
-#
-#
-#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.4: Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;
-#
-#
-#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.5: Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;
-#
-#
-#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.6: Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;
-#
-#
-#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;
-#
-#
-#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption''] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;
-#
-#
-#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;
-#
-#
-#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;
-#
-#
-#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;
-#
-#
-#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;
-#
-#
-#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;
-#
-#
-#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;
-#
-#
-#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;
-#
-#
-#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;
-#
-#
-#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;
-#
-#
-#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;
-#
-#
-#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;
-#
-#
-#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;
-#
-#
-#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;
-#
-#
-#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;
-#
-#
-#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;
-#
-#
-#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.7: Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;
-#
-#
-#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;
-#
-#
-#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;
-#
-#
-#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.4: Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;
-#
-#
-#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;
-#
-#
-#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;
-#
-#
-#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;
-#
-#
-#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;
-#
-#
-#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;
-#
-#
-#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;
-#
-#
-#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;
-#
-#
-#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;
-#
-#
-#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;
-#
-#
-#18.4.11.3 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.3: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;
-#
-#
-#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;
-#
-#
-#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;
-#
-#
-#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;
-#
-#
-#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;
-#
-#
-#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;
-#
-#
-#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;
-#
-#
-#18.8.19.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.4: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;
-#
-#
-#18.8.25.1 Ensure 'Do not display network selection UI' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.1: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;
-#
-#
-#18.8.25.2 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.2: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;
-#
-#
-#18.8.25.3 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.3: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;
-#
-#
-#18.8.25.4 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.4: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;
-#
-#
-#18.8.25.5 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.5: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;
-#
-#
-#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;
-#
-#
-#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;
-#
-#
-#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;
-#
-#
-#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;
-#
-#
-#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;
-#
-#
-#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;
-#
-#
-#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;
-#
-#
-#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;
-#
-#
-#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0;
-#
-#
-#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;
-#
-#
-#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;
-#
-#
-#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;
-#
-#
-#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;
-#
-#
-#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;
-#
-#
-#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;
-#
-#
-#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;
-#
-#
-#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;
-#
-#
-#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;
-#
-#
-#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;
-#
-#
-#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;
-#
-#
-#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;
-#
-#
-#18.9.47.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.2: Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync;
-#
-#
-#18.9.52.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;
-#
-#
-#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;
-#
-#
-#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;
-#
-#
-#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;
-#
-#
-#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;
-#
-#
-#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;
-#
-#
-#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;
-#
-#
-#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;
-#
-#
-#18.9.54.2 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.2: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;
-#
-#
-#18.9.61.1 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.1: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;
-#
-#
-#18.9.61.2 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.2: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;
-#
-#
-#18.9.70.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.2.1: Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1;
-#
-#
-#18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.3: Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps;
-#
-#
-#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;
-#
-#
-#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;
-#
-#
-#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;
-#
-#
-#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;
-#
-#
-#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;
-#
-#
-#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;
-#
-#
-#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;
-#
-#
-#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;
-#
-#
-#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;
-#
-#
-#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;
-#
-#
-#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;
-#
-#
-#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2012 R2 Domain Controller L2
-# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
-#
-#
-#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.4: Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;
-#
-#
-#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.5: Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;
-#
-#
-#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.7: Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;
-#
-#
-#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.10: Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.11: Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.1: Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;
-#
-#
-#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.2: Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;
-#
-#
-#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.10.2: Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;
-#
-#
-#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.19.2.1: Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;
-#
-#
-#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.1: Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;
-#
-#
-#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.2: Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;
-#
-#
-#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
-#
-#
-#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
-#
-#
-#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
-#
-#
-#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
-#
-#
-#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
-#
-#
-#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
-#
-#
-#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
-#
-#
-#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
-#
-#
-#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
-#
-#
-#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
-#
-#
-#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
-#
-#
-#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
-#
-#
-#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
-#
-#
-#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport;
-#
-#
-#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.24.1: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;
-#
-#
-#18.8.29.5.1 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.1: Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;
-#
-#
-#18.8.29.5.2 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.2: Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;
-#
-#
-#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.5.1: Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;
-#
-#
-#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.11.1: Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;
-#
-#
-#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.41.1: Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;
-#
-#
-#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.1: Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;
-#
-#
-#18.9.37.1 Ensure 'Turn off location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.37.1: Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;
-#
-#
-#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.2.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;
-#
-#
-#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;
-#
-#
-#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.3: Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;
-#
-#
-#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.4: Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;
-#
-#
-#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.1: Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;
-#
-#
-#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.2: Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;
-#
-#
-#18.9.54.3 Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.3: Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy;
-#
-#
-#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.59.1: Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;
-#
-#
-#18.9.61.3 Ensure 'Turn off the Store application' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.3: Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;
-#
-#
-#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.69.3.1: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;
-#
-#
-#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.3: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;
-#
-#
-#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.2: Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;
-#
-#
-#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.87.1: Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2012 R2 Domain Controller L2
-# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
-#
-#
-#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
-[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+;
-#
-#
-#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.2: Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;
-#
-#
-#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.4: Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;
-#
-#
-#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.1: Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;
-#
-#
-#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.2: Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;
-#
-#
-#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.1: Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2;
-#
-#
-#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.2: Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;
-#
-#
-#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.1: Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;
-#
-#
-#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.2: Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;
-#
-#
-#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.3: Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;
-#
-#
-#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.4: Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1;
-#
-#
-#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.6: Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0;
-#
-#
-#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.1: Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName;
-#
-#
-#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.2: Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD;
-#
-#
-#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.3: Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;
-#
-#
-#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.7: Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;
-#
-#
-#2.3.7.8 Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.8: Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ForceUnlockLogon;
-#
-#
-#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption;
-#
-#
-#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.1: Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.2: Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;
-#
-#
-#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.3: Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;
-#
-#
-#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.1: Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;
-#
-#
-#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.2: Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.3: Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;
-#
-#
-#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.4: Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.5: Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel;
-#
-#
-#2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.2: Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0;
-#
-#
-#2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.3: Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1;
-#
-#
-#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.5: Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;
-#
-#
-#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.6: Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;
-#
-#
-#2.3.10.7 Configure 'Network access: Remotely accessible registry paths'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.7: Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;
-#
-#
-#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.8: Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;
-#
-#
-#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.9: Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;
-#
-#
-#2.3.10.10 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.10: Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*;
-#
-#
-#2.3.10.11 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.11: Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;
-#
-#
-#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.1: Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;
-#
-#
-#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.2: Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;
-#
-#
-#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.3: Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;
-#
-#
-#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.4: Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;
-#
-#
-#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.5: Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;
-#
-#
-#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.6: Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;
-#
-#
-#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;
-#
-#
-#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption''] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;
-#
-#
-#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;
-#
-#
-#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;
-#
-#
-#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;
-#
-#
-#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;
-#
-#
-#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;
-#
-#
-#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;
-#
-#
-#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;
-#
-#
-#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;
-#
-#
-#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;
-#
-#
-#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;
-#
-#
-#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;
-#
-#
-#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;
-#
-#
-#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;
-#
-#
-#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;
-#
-#
-#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;
-#
-#
-#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.7: Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;
-#
-#
-#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;
-#
-#
-#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.2.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;
-#
-#
-#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.4: Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;
-#
-#
-#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2012 R2 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;
-#
-#
-#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;
-#
-#
-#18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed
-[CIS - Microsoft Windows Server 2012 R2 - 18.2.1: Ensure LAPS AdmPwd GPO Extension / CSE is installed] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName;
-#
-#
-#18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.2.2: Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled;
-#
-#
-#18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.2.3: Ensure 'Enable Local Admin Password Management' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled;
-#
-#
-#18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
-[CIS - Microsoft Windows Server 2012 R2 - 18.2.4: Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4;
-#
-#
-#18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
-[CIS - Microsoft Windows Server 2012 R2 - 18.2.5: Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength;
-#
-#
-#18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
-[CIS - Microsoft Windows Server 2012 R2 - 18.2.6: Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+;
-#
-#
-#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;
-#
-#
-#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;
-#
-#
-#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;
-#
-#
-#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;
-#
-#
-#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;
-#
-#
-#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;
-#
-#
-#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;
-#
-#
-#18.4.11.3 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.3: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;
-#
-#
-#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;
-#
-#
-#18.6.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.6.1: Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0;
-#
-#
-#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;
-#
-#
-#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;
-#
-#
-#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;
-#
-#
-#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;
-#
-#
-#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;
-#
-#
-#18.8.19.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.4: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;
-#
-#
-#18.8.25.1 Ensure 'Do not display network selection UI' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.1: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;
-#
-#
-#18.8.25.2 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.2: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;
-#
-#
-#18.8.25.3 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.3: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;
-#
-#
-#18.8.25.4 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.4: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;
-#
-#
-#18.8.25.5 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.5: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;
-#
-#
-#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;
-#
-#
-#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;
-#
-#
-#18.8.32.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.32.1: Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution;
-#
-#
-#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;
-#
-#
-#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;
-#
-#
-#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;
-#
-#
-#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;
-#
-#
-#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;
-#
-#
-#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;
-#
-#
-#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0;
-#
-#
-#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;
-#
-#
-#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;
-#
-#
-#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;
-#
-#
-#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;
-#
-#
-#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;
-#
-#
-#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;
-#
-#
-#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;
-#
-#
-#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;
-#
-#
-#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;
-#
-#
-#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;
-#
-#
-#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;
-#
-#
-#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;
-#
-#
-#18.9.47.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.2: Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync;
-#
-#
-#18.9.52.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;
-#
-#
-#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;
-#
-#
-#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;
-#
-#
-#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;
-#
-#
-#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;
-#
-#
-#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;
-#
-#
-#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;
-#
-#
-#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;
-#
-#
-#18.9.54.2 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.2: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;
-#
-#
-#18.9.61.1 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.1: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;
-#
-#
-#18.9.61.2 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.2: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;
-#
-#
-#18.9.70.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.2.1: Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1;
-#
-#
-#18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.3: Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps;
-#
-#
-#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;
-#
-#
-#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;
-#
-#
-#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;
-#
-#
-#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;
-#
-#
-#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;
-#
-#
-#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;
-#
-#
-#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;
-#
-#
-#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;
-#
-#
-#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;
-#
-#
-#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;
-#
-#
-#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;
-#
-#
-#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;
-#
-#
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2012 R2 Domain Controller L2
-# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
-#
-#
-#2.3.7.6 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'
-[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 5;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> a;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> b;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> c;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> e;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> f;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> \w\w+;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount;
-#
-#
-#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.4: Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;
-#
-#
-#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.5: Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;
-#
-#
-#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.7: Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;
-#
-#
-#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.10: Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2012 R2 - 18.3.11: Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.1: Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;
-#
-#
-#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.2: Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;
-#
-#
-#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.10.2: Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;
-#
-#
-#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.19.2.1: Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;
-#
-#
-#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.1: Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;
-#
-#
-#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.2: Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;
-#
-#
-#18.4.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.2: Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain;
-#
-#
-#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
-#
-#
-#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
-#
-#
-#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
-#
-#
-#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
-#
-#
-#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
-#
-#
-#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
-#
-#
-#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
-#
-#
-#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
-#
-#
-#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
-#
-#
-#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
-#
-#
-#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
-#
-#
-#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
-#
-#
-#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
-#
-#
-#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport;
-#
-#
-#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.24.1: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;
-#
-#
-#18.8.29.5.1 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.1: Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !DCSettingIndex;
-#
-#
-#18.8.29.5.2 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.2: Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !ACSettingIndex;
-#
-#
-#18.8.32.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.32.2: Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !RestrictRemoteClients;
-#
-#
-#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.5.1: Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;
-#
-#
-#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.11.1: Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;
-#
-#
-#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.41.1: Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;
-#
-#
-#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.1: Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;
-#
-#
-#18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.2: Ensure 'Enable Windows NTP Server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0;
-#
-#
-#18.9.37.1 Ensure 'Turn off location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.37.1: Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;
-#
-#
-#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.2.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;
-#
-#
-#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;
-#
-#
-#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.3: Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;
-#
-#
-#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.4: Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;
-#
-#
-#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.1: Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;
-#
-#
-#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.2: Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;
-#
-#
-#18.9.54.3 Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.3: Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy;
-#
-#
-#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.59.1: Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;
-#
-#
-#18.9.61.3 Ensure 'Turn off the Store application' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.3: Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;
-#
-#
-#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.69.3.1: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;
-#
-#
-#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.3: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;
-#
-#
-#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.2: Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;
-#
-#
-#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2012 R2 - 18.9.87.1: Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;
-#
-
-
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2016 Domain Controller L1
-# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515)
-#
-#
-#
-#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
-[CIS - Microsoft Windows Server 2016 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;
-#
-#
-#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;
-#
-#
-#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;
-#
-#
-#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;
-#
-#
-#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
-[CIS - Microsoft Windows Server 2016 - 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2;
-#
-#
-#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;
-#
-#
-#2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> !0;
-#
-#
-#2.3.5.2 Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'
-[CIS - Microsoft Windows Server 2016 - 2.3.5.2 Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> !2;
-#
-#
-#2.3.5.3 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.5.3 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 1;
-#
-#
-#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;
-#
-#
-#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;
-#
-#
-#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;
-#
-#
-#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> !0;
-#
-#
-#2.3.6.6 Ensure 'Domain member: Require strong session key' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.6 Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> !1;
-#
-#
-#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> !1;
-#
-#
-#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> !0;
-#
-#
-#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;
-#
-#
-#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;
-#
-#
-#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
-[CIS - Microsoft Windows Server 2016 - 2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption;
-#
-#
-#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;
-#
-#
-#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;
-#
-#
-#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
-[CIS - Microsoft Windows Server 2016 - 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;
-#
-#
-#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;
-#
-#
-#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;
-#
-#
-#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> !r:lsarpc|netlogon|samr;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;
-#
-#
-#2.3.10.7 Configure 'Network access: Remotely accessible registry paths'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.7 Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;
-#
-#
-#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;
-#
-#
-#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;
-#
-#
-#2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*;
-#
-#
-#2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;
-#
-#
-#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;
-#
-#
-#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;
-#
-#
-#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;
-#
-#
-#2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;
-#
-#
-#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;
-#
-#
-#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;
-#
-#
-#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
-[CIS - Microsoft Windows Server 2016 - 2.3.11.8: Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;
-#
-#
-#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;
-#
-#
-#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;
-#
-#
-#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;
-#
-#
-#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;
-#
-#
-#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;
-#
-#
-#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;
-#
-#
-#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;
-#
-#
-#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;
-#
-#
-#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;
-#
-#
-#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;
-#
-#
-#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;
-#
-#
-#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;
-#
-#
-#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;
-#
-#
-#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;
-#
-#
-#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2016 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;
-#
-#
-#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'
-[CIS - Microsoft Windows Server 2016 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'
-[CIS - Microsoft Windows Server 2016 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;
-#
-#
-#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2016 - 9.1.7: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
-[CIS - Microsoft Windows Server 2016 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2016 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;
-#
-#
-#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'
-[CIS - Microsoft Windows Server 2016 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2016 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;
-#
-#
-#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2016 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2016 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
-[CIS - Microsoft Windows Server 2016 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
-[CIS - Microsoft Windows Server 2016 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.2.10 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.2.10: Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
-[CIS - Microsoft Windows Server 2016 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;
-#
-#
-#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2016 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2016 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.3.4: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;
-#
-#
-#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
-[CIS - Microsoft Windows Server 2016 - 9.3.7: Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
-[CIS - Microsoft Windows Server 2016 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;
-#
-#
-#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;
-#
-#
-#18.1.2.1 Ensure 'Allow Input Personalization' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.1.2.1: Ensure 'Allow Input Personalization' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> !AllowInputPersonalization;
-#
-#
-#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;
-#
-#
-#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;
-#
-#
-#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;
-#
-#
-#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;
-#
-#
-#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
-[CIS - Microsoft Windows Server 2016 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;
-#
-#
-#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
-[CIS - Microsoft Windows Server 2016 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;
-#
-#
-#18.4.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.8.1: Ensure 'Enable insecure guest logons' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> !AllowInsecureGuestAuth;
-#
-#
-#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;
-#
-#
-#18.4.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.11.3: Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_ShowSharedAccessUI;
-#
-#
-#18.4.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.11.4: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;
-#
-#
-#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;
-#
-#
-#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;
-#
-#
-#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;
-#
-#
-#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
-[CIS - Microsoft Windows Server 2016 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;
-#
-#
-#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;
-#
-#
-#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;
-#
-#
-#18.8.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.4: Ensure 'Continue experiences on this device' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableCdp;
-#
-#
-#18.8.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.5: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;
-#
-#
-#18.8.25.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.1: Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> !1;
-#
-#
-#18.8.25.2 Ensure 'Do not display network selection UI' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.2: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;
-#
-#
-#18.8.25.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.3: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;
-#
-#
-#18.8.25.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.4: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;
-#
-#
-#18.8.25.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.5: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;
-#
-#
-#18.8.25.6 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.6: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;
-#
-#
-#18.8.26.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'
-[CIS - Microsoft Windows Server 2016 - 18.8.26.1: Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions -> MitigationOptions_FontBocking -> !1000000000000;
-#
-#
-#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;
-#
-#
-#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;
-#
-#
-#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;
-#
-#
-#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;
-#
-#
-#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
-[CIS - Microsoft Windows Server 2016 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;
-#
-#
-#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
-[CIS - Microsoft Windows Server 2016 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;
-#
-#
-#18.9.10.1.1 Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.10.1.1: Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> !1;
-#
-#
-#18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.13.1: Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> !DisableWindowsConsumerFeatures;
-#
-#
-#18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled' (Scored)
-[CIS - Microsoft Windows Server 2016 - 18.9.14.1: Ensure 'Require pin for pairing' is set to 'Enabled' (Scored)] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> !RequirePinForPairing;
-#
-#
-#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;
-#
-#
-#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;
-#
-#
-#18.9.16.1 Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]'
-[CIS - Microsoft Windows Server 2016 - 18.9.16.1: Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !AllowTelemetry;
-#
-#
-#18.9.16.2 Ensure 'Disable pre-release features or settings' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.16.2: Ensure 'Disable pre-release features or settings' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !EnableConfigFlighting;
-#
-#
-#18.9.16.3 Ensure 'Do not show feedback notifications' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.16.3: Ensure 'Do not show feedback notifications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DoNotShowFeedbackNotifications;
-#
-#
-#18.9.16.4 Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.16.4: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !AllowBuildPreview;
-#
-#
-#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 1;
-#
-#
-#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;
-#
-#
-#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;
-#
-#
-#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;
-#
-#
-#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;
-#
-#
-#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;
-#
-#
-#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;
-#
-#
-#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;
-#
-#
-#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;
-#
-#
-#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;
-#
-#
-#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;
-#
-#
-#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;
-#
-#
-#18.9.41.3 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher
-[CIS - Microsoft Windows Server 2016 - 18.9.41.3: Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> 2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !Cookies;
-#
-#
-#18.9.41.4 Ensure 'Configure Password Manager' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.4: Ensure 'Configure Password Manager' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> !no;
-#
-#
-#18.9.41.6 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.6: Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> !ShowSearchSuggestionsGlobal;
-#
-#
-#18.9.41.7 Ensure 'Configure SmartScreen Filter' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.7: Ensure 'Configure SmartScreen Filter' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> !1;
-#
-#
-#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;
-#
-#
-#18.9.52.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;
-#
-#
-#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;
-#
-#
-#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;
-#
-#
-#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;
-#
-#
-#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;
-#
-#
-#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;
-#
-#
-#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;
-#
-#
-#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;
-#
-#
-#18.9.54.2 Ensure 'Allow Cortana' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.2: Ensure 'Allow Cortana' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortana;
-#
-#
-#18.9.54.3 Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.3: Ensure 'Allow Cortana above lock screen' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortanaAboveLock;
-#
-#
-#18.9.54.4 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.4: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;
-#
-#
-#18.9.54.5 Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.5: Ensure 'Allow search and Cortana to use location' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowSearchToUseLocation;
-#
-#
-#18.9.61.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.2: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;
-#
-#
-#18.9.61.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.3: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;
-#
-#
-#18.9.73.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'
-[CIS - Microsoft Windows Server 2016 - 18.9.73.2: Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowWindowsInkWorkspace;
-#
-#
-#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;
-#
-#
-#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;
-#
-#
-#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;
-#
-#
-#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;
-#
-#
-#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;
-#
-#
-#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;
-#
-#
-#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;
-#
-#
-#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;
-#
-#
-#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;
-#
-#
-#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;
-#
-#
-#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
-[CIS - Microsoft Windows Server 2016 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;
-#
-#
-#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2016 Domain Controller L2
-# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515)
-#
-#
-#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;
-#
-#
-#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'
-[CIS - Microsoft Windows Server 2016 - 18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;
-#
-#
-#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;
-#
-#
-#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2016 - 18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2016 - 18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableFontProviders;
-#
-#
-#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;
-#
-#
-#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;
-#
-#
-#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;
-#
-#
-#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
-[CIS - Microsoft Windows Server 2016 - 18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;
-#
-#
-#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;
-#
-#
-#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;
-#
-#
-#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
-#
-#
-#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
-#
-#
-#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
-#
-#
-#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
-#
-#
-#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
-#
-#
-#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
-#
-#
-#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
-#
-#
-#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
-#
-#
-#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
-#
-#
-#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
-#
-#
-#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
-#
-#
-#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
-#
-#
-#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
-#
-#
-#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport;
-#
-#
-#18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
-[CIS - Microsoft Windows Server 2016 - 18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> !1;
-#
-#
-#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;
-#
-#
-#18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !DCSettingIndex;
-#
-#
-#18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !ACSettingIndex;
-#
-#
-#18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;
-#
-#
-#18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;
-#
-#
-#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;
-#
-#
-#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;
-#
-#
-#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;
-#
-#
-#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;
-#
-#
-#18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> !0;
-#
-#
-#18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny'
-[CIS - Microsoft Windows Server 2016 - 18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessAccountInfo -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessAccountInfo;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCallHistory -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCallHistory;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessContacts -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessContacts;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessEmail -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessEmail;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessLocation -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessLocation;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMessaging -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMessaging;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMotion -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMotion;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCalendar -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCalendar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCamera;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMicrophone -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMicrophone;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessTrustedDevices -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessTrustedDevices;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessRadios -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessRadios;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsSyncWithDevices -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsSyncWithDevices;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessPhone -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessPhone;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessNotifications -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessNotifications;
-#
-#
-#18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !BlockHostedAppAccessWinRT;
-#
-#
-#18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> !AllowCamera;
-#
-#
-#18.9.37.2 Ensure 'Turn off location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.37.2 Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;
-#
-#
-#18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> ExtensionsEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> !ExtensionsEnabled;
-#
-#
-#18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !AllowInPrivate;
-#
-#
-#18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> !r:yes;
-#
-#
-#18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !PreventAccessToAboutFlagsInMicrosoftEdge;
-#
-#
-#18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverrideAppRepUnknown;
-#
-#
-#18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverride;
-#
-#
-#18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !HideLocalHostIP;
-#
-#
-#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;
-#
-#
-#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;
-#
-#
-#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;
-#
-#
-#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;
-#
-#
-#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;
-#
-#
-#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;
-#
-#
-#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;
-#
-#
-#18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableStoreApps;
-#
-#
-#18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;
-#
-#
-#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;
-#
-#
-#18.9.69.8 Ensure 'Configure Watson events' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.69.8 Ensure 'Configure Watson events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts;
-#
-#
-#18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowSuggestedAppsInWindowsInkWorkspace;
-#
-#
-#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;
-#
-#
-#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;
-#
-#
-#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2016 Member Server L1
-# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515)
-#
-#
-#
-#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
-[CIS - Microsoft Windows Server 2016 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;
-#
-#
-#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;
-#
-#
-#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;
-#
-#
-#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;
-#
-#
-#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
-[CIS - Microsoft Windows Server 2016 - 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> !0;
-#
-#
-#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;
-#
-#
-#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;
-#
-#
-#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;
-#
-#
-#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;
-#
-#
-#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1;
-#
-#
-#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0;
-#
-#
-#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName;
-#
-#
-#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD;
-#
-#
-#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;
-#
-#
-#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;
-#
-#
-#2.3.7.8 Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.7.8 Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ForceUnlockLogon;
-#
-#
-#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
-[CIS - Microsoft Windows Server 2016 - 2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption;
-#
-#
-#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;
-#
-#
-#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;
-#
-#
-#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
-[CIS - Microsoft Windows Server 2016 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;
-#
-#
-#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;
-#
-#
-#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;
-#
-#
-#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
-[CIS - Microsoft Windows Server 2016 - 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel;
-#
-#
-#2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0;
-#
-#
-#2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1;
-#
-#
-#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;
-#
-#
-#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;
-#
-#
-#2.3.10.7 Configure 'Network access: Remotely accessible registry paths'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.7 Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;
-#
-#
-#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;
-#
-#
-#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;
-#
-#
-#2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> !r:O:BAG:BAD:\(A;;RC;;;BA\);
-#
-#
-#2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*;
-#
-#
-#2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;
-#
-#
-#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;
-#
-#
-#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;
-#
-#
-#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;
-#
-#
-#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;
-#
-#
-#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;
-#
-#
-#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
-#
-#
-#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;
-#
-#
-#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
-[CIS - Microsoft Windows Server 2016 - 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;
-#
-#
-#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;
-#
-#
-#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
-[CIS - Microsoft Windows Server 2016 - 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;
-#
-#
-#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;
-#
-#
-#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;
-#
-#
-#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;
-#
-#
-#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;
-#
-#
-#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;
-#
-#
-#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;
-#
-#
-#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;
-#
-#
-#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;
-r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;
-#
-#
-#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;
-#
-#
-#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;
-#
-#
-#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;
-#
-#
-#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;
-#
-#
-#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2016 - 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;
-#
-#
-#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2016 - 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2016 - 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;
-#
-#
-#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2016 - 9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2016 - 9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2016 - 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2016 - 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2016 - 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;
-#
-#
-#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2016 - 9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2016 - 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;
-#
-#
-#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2016 - 9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
-[CIS - Microsoft Windows Server 2016 - 9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2016 - 9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2016 - 9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'
-[CIS - Microsoft Windows Server 2016 - 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;
-#
-#
-#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
-[CIS - Microsoft Windows Server 2016 - 9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;
-#
-#
-#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
-[CIS - Microsoft Windows Server 2016 - 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;
-#
-#
-#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;
-#
-#
-#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;
-#
-#
-#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
-[CIS - Microsoft Windows Server 2016 - 9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
-#
-#
-#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
-[CIS - Microsoft Windows Server 2016 - 9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
-#
-#
-#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'
-[CIS - Microsoft Windows Server 2016 - 9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
-#
-#
-#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;
-#
-#
-#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
-[CIS - Microsoft Windows Server 2016 - 9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
-#
-#
-#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;
-#
-#
-#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;
-#
-#
-#18.1.2.1 Ensure 'Allow Input Personalization' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.1.2.1 Ensure 'Allow Input Personalization' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> !AllowInputPersonalization;
-#
-#
-#18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed
-[CIS - Microsoft Windows Server 2016 - 18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName;
-#
-#
-#18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled;
-#
-#
-#18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled;
-#
-#
-#18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
-[CIS - Microsoft Windows Server 2016 - 18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4;
-#
-#
-#18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
-[CIS - Microsoft Windows Server 2016 - 18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength;
-#
-#
-#18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
-[CIS - Microsoft Windows Server 2016 - 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+;
-#
-#
-#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;
-#
-#
-#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;
-#
-#
-#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;
-#
-#
-#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;
-#
-#
-#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;
-#
-#
-#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
-[CIS - Microsoft Windows Server 2016 - 18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;
-#
-#
-#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
-[CIS - Microsoft Windows Server 2016 - 18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;
-#
-#
-#18.4.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
-[CIS - Microsoft Windows Server 2016 - 18.4.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> !2;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> !NodeType;
-#
-#
-#18.4.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> !EnableMulticast;
-#
-#
-#18.4.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> !AllowInsecureGuestAuth;
-#
-#
-#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;
-#
-#
-#18.4.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_ShowSharedAccessUI;
-#
-#
-#18.4.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;
-#
-#
-#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;
-#
-#
-#18.6.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.6.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0;
-#
-#
-#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;
-#
-#
-#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;
-#
-#
-#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
-[CIS - Microsoft Windows Server 2016 - 18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;
-#
-#
-#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;
-#
-#
-#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;
-#
-#
-#18.8.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableCdp;
-#
-#
-#18.8.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;
-#
-#
-#18.8.25.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockUserFromShowingAccountDetailsOnSignin;
-#
-#
-#18.8.25.2 Ensure 'Do not display network selection UI' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.2 Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;
-#
-#
-#18.8.25.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;
-#
-#
-#18.8.25.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;
-#
-#
-#18.8.25.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;
-#
-#
-#18.8.25.6 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.25.6 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;
-#
-#
-#18.8.26.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'
-[CIS - Microsoft Windows Server 2016 - 18.8.26.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions -> MitigationOptions_FontBocking -> !1000000000000;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions -> !MitigationOptions_FontBocking;
-#
-#
-#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;
-#
-#
-#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;
-#
-#
-#18.8.32.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.32.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution;
-#
-#
-#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;
-#
-#
-#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;
-#
-#
-#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
-[CIS - Microsoft Windows Server 2016 - 18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;
-#
-#
-#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
-[CIS - Microsoft Windows Server 2016 - 18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;
-#
-#
-#18.9.10.1.1 Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.10.1.1 Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> !EnhancedAntiSpoofing;
-#
-#
-#18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> !DisableWindowsConsumerFeatures;
-#
-#
-#18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> !RequirePinForPairing;
-#
-#
-#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;
-#
-#
-#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;
-#
-#
-#18.9.16.2 Ensure 'Disable pre-release features or settings' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.16.2 Ensure 'Disable pre-release features or settings' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !EnableConfigFlighting;
-#
-#
-#18.9.16.3 Ensure 'Do not show feedback notifications' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.16.3: Ensure 'Do not show feedback notifications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DoNotShowFeedbackNotifications;
-#
-#
-#18.9.16.4 Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.16.4: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !AllowBuildPreview;
-#
-#
-#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 1;
-#
-#
-#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;
-#
-#
-#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;
-#
-#
-#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;
-#
-#
-#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;
-#
-#
-#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;
-#
-#
-#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;
-#
-#
-#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
-[CIS - Microsoft Windows Server 2016 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;
-#
-#
-#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;
-#
-#
-#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;
-#
-#
-#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;
-#
-#
-#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;
-#
-#
-#18.9.41.3 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher
-[CIS - Microsoft Windows Server 2016 - 18.9.41.3: Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> 2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !Cookies;
-#
-#
-#18.9.41.4 Ensure 'Configure Password Manager' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.4: Ensure 'Configure Password Manager' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> !no;
-#
-#
-#18.9.41.6 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.6: Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> !ShowSearchSuggestionsGlobal;
-#
-#
-#18.9.41.7 Ensure 'Configure SmartScreen Filter' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.7: Ensure 'Configure SmartScreen Filter' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> !1;
-#
-#
-#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;
-#
-#
-#18.9.52.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;
-#
-#
-#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;
-#
-#
-#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;
-#
-#
-#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;
-#
-#
-#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;
-#
-#
-#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;
-#
-#
-#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;
-#
-#
-#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;
-#
-#
-#18.9.54.2 Ensure 'Allow Cortana' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.2: Ensure 'Allow Cortana' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortana;
-#
-#
-#18.9.54.3 Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.3: Ensure 'Allow Cortana above lock screen' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortanaAboveLock;
-#
-#
-#18.9.54.4 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.4: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;
-#
-#
-#18.9.54.5 Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.54.5: Ensure 'Allow search and Cortana to use location' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowSearchToUseLocation;
-#
-#
-#18.9.61.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.2: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;
-#
-#
-#18.9.61.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.3: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;
-#
-#
-#18.9.73.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'
-[CIS - Microsoft Windows Server 2016 - 18.9.73.2: Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowWindowsInkWorkspace;
-#
-#
-#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;
-#
-#
-#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;
-#
-#
-#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;
-#
-#
-#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;
-#
-#
-#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;
-#
-#
-#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;
-#
-#
-#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;
-#
-#
-#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;
-#
-#
-#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;
-#
-#
-#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;
-#
-#
-#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;
-#
-#
-#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
-[CIS - Microsoft Windows Server 2016 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;
-#
-#
-#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;
-#
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# CIS Checks for Windows Server 2016 Member Server L2
-# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515)
-#
-#
-#
-#2.3.7.6 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'
-[CIS - Microsoft Windows Server 2016 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> !4;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount;
-#
-#
-#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;
-#
-#
-#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'
-[CIS - Microsoft Windows Server 2016 - 18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;
-#
-#
-#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;
-#
-#
-#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2016 - 18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
-[CIS - Microsoft Windows Server 2016 - 18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;
-#
-#
-#18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableFontProviders;
-#
-#
-#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;
-#
-#
-#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;
-#
-#
-#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;
-#
-#
-#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
-[CIS - Microsoft Windows Server 2016 - 18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;
-#
-#
-#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;
-#
-#
-#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;
-#
-#
-#18.4.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.4.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain;
-#
-#
-#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
-#
-#
-#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
-#
-#
-#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
-#
-#
-#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
-#
-#
-#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
-#
-#
-#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
-#
-#
-#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
-#
-#
-#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
-r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
-#
-#
-#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
-#
-#
-#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
-#
-#
-#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
-#
-#
-#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
-#
-#
-#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
-#
-#
-#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport;
-#
-#
-#18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
-[CIS - Microsoft Windows Server 2016 - 18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> !1;
-#
-#
-#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;
-#
-#
-#18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !DCSettingIndex;
-#
-#
-#18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !ACSettingIndex;
-#
-#
-#18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;
-#
-#
-#18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;
-#
-#
-#18.8.32.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
-[CIS - Microsoft Windows Server 2016 - 18.8.32.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !RestrictRemoteClients;
-#
-#
-#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;
-#
-#
-#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;
-#
-#
-#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;
-#
-#
-#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;
-#
-#
-#18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0;
-#
-#
-#18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> !0;
-#
-#
-#18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny'
-[CIS - Microsoft Windows Server 2016 - 18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessAccountInfo -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessAccountInfo;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCallHistory -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCallHistory;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessContacts -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessContacts;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessEmail -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessEmail;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessLocation -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessLocation;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMessaging -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMessaging;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMotion -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMotion;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCalendar -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCalendar;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCamera;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMicrophone -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMicrophone;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessTrustedDevices -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessTrustedDevices;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessRadios -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessRadios;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsSyncWithDevices -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsSyncWithDevices;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessPhone -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessPhone;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessNotifications -> !2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessNotifications;
-#
-#
-#18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !BlockHostedAppAccessWinRT;
-#
-#
-#18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> !AllowCamera;
-#
-#
-#18.9.37.2 Ensure 'Turn off location' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.37.2 Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;
-#
-#
-#18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> ExtensionsEnabled -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> !ExtensionsEnabled;
-#
-#
-#18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !AllowInPrivate;
-#
-#
-#18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> !r:yes;
-#
-#
-#18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !PreventAccessToAboutFlagsInMicrosoftEdge;
-#
-#
-#18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverrideAppRepUnknown;
-#
-#
-#18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverride;
-#
-#
-#18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !HideLocalHostIP;
-#
-#
-#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;
-#
-#
-#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;
-#
-#
-#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;
-#
-#
-#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;
-#
-#
-#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;
-#
-#
-#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
-[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;
-#
-#
-#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;
-#
-#
-#18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableStoreApps;
-#
-#
-#18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;
-#
-#
-#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;
-#
-#
-#18.9.69.8.1 Ensure 'Configure Watson events' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.69.8 Ensure 'Configure Watson events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts;
-#
-#
-#18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowSuggestedAppsInWindowsInkWorkspace;
-#
-#
-#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;
-#
-#
-#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;
-#
-#
-#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
-[CIS - Microsoft Windows Server 2016 - 18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;
-#
+++ /dev/null
-# rootkit_files.txt, (C) 2018 OSSEC Project
-# Imported from the rootcheck project.
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# Blank lines and lines starting with '#' are ignored.
-#
-# Each line must be in the following format:
-# file_name ! Name ::Link to it
-#
-# Files that start with an '*' will be searched in the whole system.
-
-# Bash door
-tmp/mcliZokhb ! Bash door ::/rootkits/bashdoor.php
-tmp/mclzaKmfa ! Bash door ::/rootkits/bashdoor.php
-
-# adore Worm
-dev/.shit/red.tgz ! Adore Worm ::/rootkits/adorew.php
-usr/lib/libt ! Adore Worm ::/rootkits/adorew.php
-usr/bin/adore ! Adore Worm ::/rootkits/adorew.php
-*/klogd.o ! Adore Worm ::/rootkits/adorew.php
-*/red.tar ! Adore Worm ::/rootkits/adorew.php
-
-# T.R.K rootkit
-usr/bin/soucemask ! TRK rootkit ::/rootkits/trk.php
-usr/bin/sourcemask ! TRK rootkit ::/rootkits/trk.php
-
-# 55.808.A Worm
-tmp/.../a ! 55808.A Worm ::
-tmp/.../r ! 55808.A Worm ::
-
-# Volc Rootkit
-usr/lib/volc ! Volc Rootkit ::
-usr/bin/volc ! Volc Rootkit ::
-
-# Illogic
-lib/security/.config ! Illogic Rootkit ::rootkits/illogic.php
-usr/bin/sia ! Illogic Rootkit ::rootkits/illogic.php
-etc/ld.so.hash ! Illogic Rootkit ::rootkits/illogic.php
-*/uconf.inv ! Illogic Rootkit ::rootkits/illogic.php
-
-# T0rnkit
-usr/src/.puta ! t0rn Rootkit ::rootkits/torn.php
-usr/info/.t0rn ! t0rn Rootkit ::rootkits/torn.php
-lib/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
-etc/ttyhash ! t0rn Rootkit ::rootkits/torn.php
-sbin/xlogin ! t0rn Rootkit ::rootkits/torn.php
-*/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
-*/.t0rn ! t0rn Rootkit ::rootkits/torn.php
-*/.puta ! t0rn Rootkit ::rootkits/torn.php
-
-# RK17
-bin/rtty ! RK17 ::
-bin/squit ! RK17 ::
-sbin/pback ! RK17 ::
-proc/kset ! RK17 ::
-usr/src/linux/modules/autod.o ! RK17 ::
-usr/src/linux/modules/soundx.o ! RK17 ::
-
-# Ramen Worm
-usr/lib/ldlibps.so ! Ramen Worm ::rootkits/ramen.php
-usr/lib/ldlibns.so ! Ramen Worm ::rootkits/ramen.php
-usr/lib/ldliblogin.so ! Ramen Worm ::rootkits/ramen.php
-usr/src/.poop ! Ramen Worm ::rootkits/ramen.php
-tmp/ramen.tgz ! Ramen Worm ::rootkits/ramen.php
-etc/xinetd.d/asp ! Ramen Worm ::rootkits/ramen.php
-
-# Sadmind/IIS Worm
-dev/cuc ! Sadmind/IIS Worm ::
-
-# Monkit
-lib/defs ! Monkit ::
-usr/lib/libpikapp.a ! Monkit found ::
-
-# RSHA
-usr/bin/kr4p ! RSHA ::
-usr/bin/n3tstat ! RSHA ::
-usr/bin/chsh2 ! RSHA ::
-usr/bin/slice2 ! RSHA ::
-etc/rc.d/rsha ! RSHA ::
-
-# ShitC worm
-bin/home ! ShitC ::
-sbin/home ! ShitC ::
-usr/sbin/in.slogind ! ShitC ::
-
-# Omega Worm
-dev/chr ! Omega Worm ::
-
-# rh-sharpe
-bin/.ps ! Rh-Sharpe ::
-usr/bin/cleaner ! Rh-Sharpe ::
-usr/bin/slice ! Rh-Sharpe ::
-usr/bin/vadim ! Rh-Sharpe ::
-usr/bin/.ps ! Rh-Sharpe ::
-bin/.lpstree ! Rh-Sharpe ::
-usr/bin/.lpstree ! Rh-Sharpe ::
-usr/bin/lnetstat ! Rh-Sharpe ::
-bin/lnetstat ! Rh-Sharpe ::
-usr/bin/ldu ! Rh-Sharpe ::
-bin/ldu ! Rh-Sharpe ::
-usr/bin/lkillall ! Rh-Sharpe ::
-bin/lkillall ! Rh-Sharpe ::
-usr/include/rpcsvc/du ! Rh-Sharpe ::
-
-# Maniac RK
-usr/bin/mailrc ! Maniac RK ::
-
-# Showtee / Romanian
-usr/lib/.egcs ! Showtee ::
-usr/lib/.wormie ! Showtee ::
-usr/lib/.kinetic ! Showtee ::
-usr/lib/liblog.o ! Showtee ::
-usr/include/addr.h ! Showtee / Romanian rootkit ::
-usr/include/cron.h ! Showtee ::
-usr/include/file.h ! Showtee / Romanian rootkit ::
-usr/include/syslogs.h ! Showtee / Romanian rootkit ::
-usr/include/proc.h ! Showtee / Romanian rootkit ::
-usr/include/chk.h ! Showtee ::
-usr/sbin/initdl ! Romanian rootkit ::
-usr/sbin/xntps ! Romanian rootkit ::
-
-# Optickit
-usr/bin/xchk ! Optickit ::
-usr/bin/xsf ! Optickit ::
-
-# LDP worm
-dev/.kork ! LDP Worm ::
-bin/.login ! LDP Worm ::
-bin/.ps ! LDP Worm ::
-
-# Telekit
-dev/hda06 ! TeLeKit trojan ::
-usr/info/libc1.so ! TeleKit trojan ::
-
-# Tribe bot
-dev/wd4 ! Tribe bot ::
-
-# LRK
-dev/ida/.inet ! LRK rootkit ::rootkits/lrk.php
-*/bindshell ! LRK rootkit ::rootkits/lrk.php
-
-# Adore Rootkit
-etc/bin/ava ! Adore Rootkit ::
-etc/sbin/ava ! Adore Rootkit ::
-
-# Slapper
-tmp/.bugtraq ! Slapper installed ::
-tmp/.bugtraq.c ! Slapper installed ::
-tmp/.cinik ! Slapper installed ::
-tmp/.b ! Slapper installed ::
-tmp/httpd ! Slapper installed ::
-tmp./update ! Slapper installed ::
-tmp/.unlock ! Slapper installed ::
-tmp/.font-unix/.cinik ! Slapper installed ::
-tmp/.cinik ! Slapper installed ::
-
-# Scalper
-tmp/.uua ! Scalper installed ::
-tmp/.a ! Scalper installed ::
-
-# Knark
-proc/knark ! Knark Installed ::rootkits/knark.php
-dev/.pizda ! Knark Installed ::rootkits/knark.php
-dev/.pula ! Knark Installed ::rootkits/knark.php
-dev/.pula ! Knark Installed ::rootkits/knark.php
-*/taskhack ! Knark Installed ::rootkits/knark.php
-*/rootme ! Knark Installed ::rootkits/knark.php
-*/nethide ! Knark Installed ::rootkits/knark.php
-*/hidef ! Knark Installed ::rootkits/knark.php
-*/ered ! Knark Installed ::rootkits/knark.php
-
-# Lion worm
-dev/.lib ! Lion Worm ::rootkits/lion.php
-dev/.lib/1iOn.sh ! Lion Worm ::rootkits/lion.php
-bin/mjy ! Lion Worm ::rootkits/lion.php
-bin/in.telnetd ! Lion Worm ::rootkits/lion.php
-usr/info/torn ! Lion Worm ::rootkits/lion.php
-*/1iOn\.sh ! Lion Worm ::rootkits/lion.php
-
-# Bobkit
-usr/include/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
-usr/lib/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
-usr/sbin/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
-usr/bin/ntpsx ! Bobkit Rootkit ::rootkits/bobkit.php
-tmp/.bkp ! Bobkit Rootkit ::rootkits/bobkit.php
-usr/lib/.bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
-*/bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
-
-# Hidrootkit
-var/lib/games/.k ! Hidr00tkit ::
-
-# Ark
-dev/ptyxx ! Ark rootkit ::
-
-# Mithra Rootkit
-usr/lib/locale/uboot ! Mithra`s rootkit ::
-
-# Optickit
-usr/bin/xsf ! OpticKit ::
-usr/bin/xchk ! OpticKit ::
-
-# LOC rookit
-tmp/xp ! LOC rookit ::
-tmp/kidd0.c ! LOC rookit ::
-tmp/kidd0 ! LOC rookit ::
-
-# TC2 worm
-usr/info/.tc2k ! TC2 Worm ::
-usr/bin/util ! TC2 Worm ::
-usr/sbin/initcheck ! TC2 Worm ::
-usr/sbin/ldb ! TC2 Worm ::
-
-# Anonoiyng rootkit
-usr/sbin/mech ! Anonoiyng rootkit ::
-usr/sbin/kswapd ! Anonoiyng rootkit ::
-
-# SuckIt
-lib/.x ! SuckIt rootkit ::
-*/hide.log ! Suckit rootkit ::
-lib/sk ! SuckIT rootkit ::
-
-# Beastkit
-usr/local/bin/bin ! Beastkit rootkit ::rootkits/beastkit.php
-usr/man/.man10 ! Beastkit rootkit ::rootkits/beastkit.php
-usr/sbin/arobia ! Beastkit rootkit ::rootkits/beastkit.php
-usr/lib/elm/arobia ! Beastkit rootkit ::rootkits/beastkit.php
-usr/local/bin/.../bktd ! Beastkit rootkit ::rootkits/beastkit.php
-
-# Tuxkit
-dev/tux ! Tuxkit rootkit ::rootkits/Tuxkit.php
-usr/bin/xsf ! Tuxkit rootkit ::rootkits/Tuxkit.php
-usr/bin/xchk ! Tuxkit rootkit ::rootkits/Tuxkit.php
-*/.file ! Tuxkit rootkit ::rootkits/Tuxkit.php
-*/.addr ! Tuxkit rootkit ::rootkits/Tuxkit.php
-
-# Old rootkits
-usr/include/rpc/ ../kit ! Old rootkits ::rootkits/Old.php
-usr/include/rpc/ ../kit2 ! Old rootkits ::rootkits/Old.php
-usr/doc/.sl ! Old rootkits ::rootkits/Old.php
-usr/doc/.sp ! Old rootkits ::rootkits/Old.php
-usr/doc/.statnet ! Old rootkits ::rootkits/Old.php
-usr/doc/.logdsys ! Old rootkits ::rootkits/Old.php
-usr/doc/.dpct ! Old rootkits ::rootkits/Old.php
-usr/doc/.gifnocfi ! Old rootkits ::rootkits/Old.php
-usr/doc/.dnif ! Old rootkits ::rootkits/Old.php
-usr/doc/.nigol ! Old rootkits ::rootkits/Old.php
-
-# Kenga3 rootkit
-usr/include/. . ! Kenga3 rootkit
-
-# ESRK rootkit
-usr/lib/tcl5.3 ! ESRK rootkit
-
-# Fu rootkit
-sbin/xc ! Fu rootkit
-usr/include/ivtype.h ! Fu rootkit
-bin/.lib ! Fu rootkit
-
-# ShKit rootkit
-lib/security/.config ! ShKit rootkit
-etc/ld.so.hash ! ShKit rootkit
-
-# AjaKit rootkit
-lib/.ligh.gh ! AjaKit rootkit
-lib/.libgh.gh ! AjaKit rootkit
-lib/.libgh-gh ! AjaKit rootkit
-dev/tux ! AjaKit rootkit
-dev/tux/.proc ! AjaKit rootkit
-dev/tux/.file ! AjaKit rootkit
-
-# zaRwT rootkit
-bin/imin ! zaRwT rootkit
-bin/imout ! zaRwT rootkit
-
-# Madalin rootkit
-usr/include/icekey.h ! Madalin rootkit
-usr/include/iceconf.h ! Madalin rootkit
-usr/include/iceseed.h ! Madalin rootkit
-
-# shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
-lib/libsh.so ! shv5 rootkit
-usr/lib/libsh ! shv5 rootkit
-
-# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
-etc/.bmbl ! BMBL rootkit
-etc/.bmbl/sk ! BMBL rootkit
-
-# rootedoor rootkit
-*/rootedoor ! Rootedoor rootkit
-
-# 0vason rootkit
-*/ovas0n ! ovas0n rootkit ::/rootkits/ovason.php
-*/ovason ! ovas0n rootkit ::/rootkits/ovason.php
-
-# Rpimp reverse telnet
-*/rpimp ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
-
-# Cback Linux worm
-tmp/cback ! cback worm ::/rootkits/cback.php
-tmp/derfiq ! cback worm ::/rootkits/cback.php
-
-# aPa Kit (from rkhunter)
-usr/share/.aPa ! Apa Kit
-
-# enye-sec Rootkit
-etc/.enyelkmHIDE^IT.ko ! enye-sec Rootkit ::/rootkits/enye-sec.php
-
-# Override Rootkit
-dev/grid-hide-pid- ! Override rootkit ::/rootkits/override.php
-dev/grid-unhide-pid- ! Override rootkit ::/rootkits/override.php
-dev/grid-show-pids ! Override rootkit ::/rootkits/override.php
-dev/grid-hide-port- ! Override rootkit ::/rootkits/override.php
-dev/grid-unhide-port- ! Override rootkit ::/rootkits/override.php
-
-# PHALANX rootkit
-usr/share/.home* ! PHALANX rootkit ::
-usr/share/.home*/tty ! PHALANX rootkit ::
-etc/host.ph1 ! PHALANX rootkit ::
-bin/host.ph1 ! PHALANX rootkit ::
-
-# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
-# and from chkrootkit
-usr/share/.zk ! ZK rootkit ::
-usr/share/.zk/zk ! ZK rootkit ::
-etc/1ssue.net ! ZK rootkit ::
-usr/X11R6/.zk ! ZK rootkit ::
-usr/X11R6/.zk/xfs ! ZK rootkit ::
-usr/X11R6/.zk/echo ! ZK rootkit ::
-etc/sysconfig/console/load.zk ! ZK rootkit ::
-
-# Public sniffers
-*/.linux-sniff ! Sniffer log ::
-*/sniff-l0g ! Sniffer log ::
-*/core_$ ! Sniffer log ::
-*/tcp.log ! Sniffer log ::
-*/chipsul ! Sniffer log ::
-*/beshina ! Sniffer log ::
-*/.owned$ | Sniffer log ::
-
-# Solaris worm -
-# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
-var/adm/.profile ! Solaris Worm ::
-var/spool/lp/.profile ! Solaris Worm ::
-var/adm/sa/.adm ! Solaris Worm ::
-var/spool/lp/admins/.lp ! Solaris Worm ::
-
-# Suspicious files
-etc/rc.d/init.d/rc.modules ! Suspicious file ::rootkits/Suspicious.php
-lib/ldd.so ! Suspicious file ::rootkits/Suspicious.php
-usr/man/muie ! Suspicious file ::rootkits/Suspicious.php
-usr/X11R6/include/pain ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/sourcemask ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/ras2xm ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/ddc ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/jdc ! Suspicious file ::rootkits/Suspicious.php
-usr/sbin/in.telnet ! Suspicious file ::rootkits/Suspicious.php
-sbin/vobiscum ! Suspicious file ::rootkits/Suspicious.php
-usr/sbin/jcd ! Suspicious file ::rootkits/Suspicious.php
-usr/sbin/atd2 ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/ishit ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/.etc ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/xstat ! Suspicious file ::rootkits/Suspicious.php
-var/run/.tmp ! Suspicious file ::rootkits/Suspicious.php
-usr/man/man1/lib/.lib ! Suspicious file ::rootkits/Suspicious.php
-usr/man/man2/.man8 ! Suspicious file ::rootkits/Suspicious.php
-var/run/.pid ! Suspicious file ::rootkits/Suspicious.php
-lib/.so ! Suspicious file ::rootkits/Suspicious.php
-lib/.fx ! Suspicious file ::rootkits/Suspicious.php
-lib/lblip.tk ! Suspicious file ::rootkits/Suspicious.php
-usr/lib/.fx ! Suspicious file ::rootkits/Suspicious.php
-var/local/.lpd ! Suspicious file ::rootkits/Suspicious.php
-dev/rd/cdb ! Suspicious file ::rootkits/Suspicious.php
-dev/.rd/ ! Suspicious file ::rootkits/Suspicious.php
-usr/lib/pt07 ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/atm ! Suspicious file ::rootkits/Suspicious.php
-tmp/.cheese ! Suspicious file ::rootkits/Suspicious.php
-dev/.arctic ! Suspicious file ::rootkits/Suspicious.php
-dev/.xman ! Suspicious file ::rootkits/Suspicious.php
-dev/.golf ! Suspicious file ::rootkits/Suspicious.php
-dev/srd0 ! Suspicious file ::rootkits/Suspicious.php
-dev/ptyzx ! Suspicious file ::rootkits/Suspicious.php
-dev/ptyzg ! Suspicious file ::rootkits/Suspicious.php
-dev/xdf1 ! Suspicious file ::rootkits/Suspicious.php
-dev/ttyop ! Suspicious file ::rootkits/Suspicious.php
-dev/ttyof ! Suspicious file ::rootkits/Suspicious.php
-dev/hd7 ! Suspicious file ::rootkits/Suspicious.php
-dev/hdx1 ! Suspicious file ::rootkits/Suspicious.php
-dev/hdx2 ! Suspicious file ::rootkits/Suspicious.php
-dev/xdf2 ! Suspicious file ::rootkits/Suspicious.php
-dev/ptyp ! Suspicious file ::rootkits/Suspicious.php
-dev/ptyr ! Suspicious file ::rootkits/Suspicious.php
-sbin/pback ! Suspicious file ::rootkits/Suspicious.php
-usr/man/man3/psid ! Suspicious file ::rootkits/Suspicious.php
-proc/kset ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/gib ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php
-usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php
-tmp/.dump ! Suspicious file ::rootkits/Suspicious.php
-var/.x ! Suspicious file ::rootkits/Suspicious.php
-var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php
-*/.log ! Suspicious file ::rootkits/Suspicious.php
-*/ecmf ! Suspicious file ::rootkits/Suspicious.php
-*/mirkforce ! Suspicious file ::rootkits/Suspicious.php
-*/mfclean ! Suspicious file ::rootkits/Suspicious.php
+++ /dev/null
-# rootkit_trojans.txt, (C) 2018 OSSEC Project
-# Imported from the rootcheck project.
-# Some entries taken from the chkrootkit project.
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# Blank lines and lines starting with '#' are ignored.
-#
-# Each line must be in the following format:
-# file_name !string_to_search!Description
-
-# Common binaries and public trojan entries
-ls !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h!
-env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
-echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-bash !proc\.h|/dev/[0-9]|/dev/[hijkz]!
-sh !proc\.h|/dev/[0-9]|/dev/[hijkz]!
-uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
-date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
-du !w0rm|/prof|file\.h!
-df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
-login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
-passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
-mingetty !bash|Dimensioni|pacchetto!
-chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
-chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
-mail !bash|file\.h|proc\.h|/dev/[^nu]!
-su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
-sudo !satori|vejeta|conf\.inv!
-crond !/dev/[^nt]|bash!
-gpm !bash|mingetty!
-ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
-diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
-hdparm !bash|/dev/ida!
-ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a!
-
-# Trojan entries for troubleshooting binaries
-grep !bash|givemer!
-egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
-find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
-lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
-netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
-top !/dev/[^npi3st%]|proc\.h|/prof/!
-ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
-tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh!
-pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh!
-fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
-w !uname -a|proc\.h|bash!
-
-# Trojan entries for common daemons
-sendmail !bash|fuck!
-named !bash|blah|/dev/[0-9]|^/bin/sh!
-inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
-apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
-syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
-xinetd !bash|file\.h|proc\.h!
-in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
-in.fingerd !bash|^/bin/sh|cterm100|/dev/!
-identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-init !bash|/dev/h
-tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
-rlogin !p1r0c4|r00t|bash|/dev/[^nt]!
-
-# Kill trojan
-killall !/dev/[^t%]|proc\.h|bash|tmp!
-kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!
-
-# Rootkit entries
-/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit
-
-# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
-/etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit
-/etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit
-
-# Modified /etc/hosts entries
-# Idea taken from:
-# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
-# http://www.sophos.com/security/analyses/trojbagledll.html
-# http://www.f-secure.com/v-descs/fantibag_b.shtml
-/etc/hosts !^[^#]*avp.ch!Anti-virus site on the hosts file
-/etc/hosts !^[^#]*avp.ru!Anti-virus site on the hosts file
-/etc/hosts !^[^#]*awaps.net! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*ca.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*mcafee.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*microsoft.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*f-secure.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*sophos.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*symantec.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*my-etrust.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*nai.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*networkassociates.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*viruslist.ru! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*kaspersky! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*symantecliveupdate.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*grisoft.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*clamav.net! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*bitdefender.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*antivirus.com! Anti-virus site on the hosts file
-/etc/hosts !^[^#]*sans.org! Security site on the hosts file
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value.
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-#
-# Checks for Password Security on Linux Systems
-#
-#1 Set Default Algorithm for Password Encryption to SHA256 or SHA 512
-[Password Hardening - 1: Set Default Algorithm for Password Encryption to SHA256 or SHA 512] [any] [https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun, https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html]
-f:/etc/security/policy.conf -> !r:^# && r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__;
-f:/etc/security/policy.conf -> !r:^CRYPT_DEFAULT=\d;
-f:/etc/login.defs -> !r:^# && r:^ENCRYPT_METHOD\s+MD5|^ENCRYPT_METHOD\s+DES;
-f:/etc/login.defs -> !r:^ENCRYPT_METHOD\s+SHA512|^ENCRYPT_METHOD\s+SHA256;
-f:/etc/pam.d/common-password -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
-f:/etc/pam.d/common-password -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
-f:/etc/pam.d/password-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
-f:/etc/pam.d/password-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
-f:/etc/pam.d/system-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
-f:/etc/pam.d/system-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
-f:/etc/pam.d/system-auth-ac -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
-f:/etc/pam.d/system-auth-ac -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
-#
-#
-#2 Passwords in /etc/shadow not hashed with SHA-256 or SHA-512
-[Password Hardening - 2: Not all Passwords in /etc/shadow are hashed with SHA-256 or SHA-512] [any] [https://linux-audit.com/password-security-with-linux-etc-shadow-file/, https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html]
-f:/etc/shadow -> !r:^# && !r:^\w+:NP:\d+:\d*:\d*:\d*:\d*:\d*:\d*$ && r:^\w+:\w\.*:\d+:\d*:\d*:\d*:\d*:\d*:\d*$;
-f:/etc/shadow -> !r:^# && r:\w+:\$1\$\.+;
-f:/etc/shadow -> !r:^# && r:\w+:\$2\$\.+;
-f:/etc/shadow -> !r:^# && r:\w+:\$2a\$\.+;
-f:/etc/shadow -> !r:^# && r:\w+:\$2x\$\.+;
-f:/etc/shadow -> !r:^# && r:\w+:\$2y\$\.+;
-f:/etc/shadow -> !r:^# && r:\w+:\$md5\$\.+;
-f:/etc/shadow -> !r:^# && r:\w+:\$__unix__\$\.+;
-#
-#
-#3 Set Password Creation Requirement Parameters
-[Password Hardening - 3: Set Password Creation Requirement Parameters] [any] [https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/, https://workbench.cisecurity.org]
-f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
-f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
-f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
-f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
-f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
-f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
-f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
-f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
-f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass|^@include\s+common-password;
-f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+|^@include\s+common-password;
-f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:minlen=\d\d+;
-f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
-f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
-f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:minlen=\d\d+;
-f:/etc/security/pwquality.conf -> !r:^minlen=\d\d+;
-f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
-f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
-f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
-f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
-f:/etc/security/pwquality.conf -> !r:^dcredit=\p*\d+;
-f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
-f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
-f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
-f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
-f:/etc/security/pwquality.conf -> !r:^lcredit=\p*\d+;
-f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
-f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
-f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
-f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
-f:/etc/security/pwquality.conf -> !r:^ocredit=\p*\d+;
-f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
-f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
-f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
-f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
-f:/etc/security/pwquality.conf -> !r:^ucredit=\p*\d+;
-#
-#
-#4 Set default password expiration / aging parameters
-[Password Hardening - 4: Set password expiration / aging parameters] [any] [https://www.thegeekdiary.com/understanding-etclogin-defs-file, https://workbench.cisecurity.org/sections/26024/recommendations/63001]
-f:/etc/default/passwd -> !r:^MAXWEEKS=\d\d$;
-f:/etc/default/passwd -> !r:^MINWEEKS=\d;
-f:/etc/default/passwd -> !r:^WARNWEEKS=\d;
-f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s*\t*\d\d$;
-f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s*\t*\d;
-f:/etc/login.defs -> !r:^PASS_WARN_AGE\s*\t*\d;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - p (process running)
-# - d (any file inside the directory)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini;
-$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
-
-# PHP checks
-[PHP - Register globals are enabled] [any] []
-f:$php.ini -> r:^register_globals = On;
-
-# PHP checks
-[PHP - Expose PHP is enabled] [any] []
-f:$php.ini -> r:^expose_php = On;
-
-# PHP checks
-[PHP - Allow URL fopen is enabled] [any] []
-f:$php.ini -> r:^allow_url_fopen = On;
-
-# PHP checks
-[PHP - Displaying of errors is enabled] [any] []
-f:$php.ini -> r:^display_errors = On;
-
-# PHP checks - consider open_basedir && disable_functions
-
-
-## Looking for common web exploits (might indicate that you are owned).
-## Using http://dcid.me/blog/logsamples/webattacks_links as a reference.
-#[Web exploits - Possible compromise] [any] []
-#d:$web_dirs -> .txt$ -> r:^<?php|^#!;
-
-## Looking for common web exploits files (might indicate that you are owned).
-## There are not specific, like the above.
-## Using http://dcid.me/blog/logsamples/webattacks_links as a reference.
-[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
-d:$web_dirs -> ^.yop$;
-
-[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
-d:$web_dirs -> ^id$;
-
-[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
-d:$web_dirs -> ^.ssh$;
-
-[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
-d:$web_dirs -> ^...$;
-
-[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
-d:$web_dirs -> ^.shell$;
-
-## Looking for outdated Web applications
-## Taken from http://sucuri.net/latest-versions
-[Web vulnerability - Outdated WordPress installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
-d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '4.4.2';
-
-[Web vulnerability - Outdated Joomla installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
-d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'3.4.8';
-
-[Web vulnerability - Outdated osCommerce (v2.2) installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
-d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;
-
-## Looking for known backdoors
-[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
-d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo;
-
-[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
-d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST;
-
-[Web vulnerability - .htaccess file compromised {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
-d:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google;
-
-[Web vulnerability - .htaccess file compromised - auto append {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
-d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;
+++ /dev/null
-# SSH Rootcheck
-#
-# v1.0 2016/01/20
-# Created by Wazuh, Inc. <ossec@wazuh.com>.
-# jesus@wazuh.com
-# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
-#
-
-
-$sshd_file=/etc/ssh/sshd_config;
-
-
-# Listen PORT != 22
-# The option Port specifies on which port number ssh daemon listens for incoming connections.
-# Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port.
-[SSH Hardening - 1: Port 22 {PCI_DSS: 2.2.4}] [any] [1]
-f:$sshd_file -> !r:^# && r:Port\.+22;
-
-
-# Protocol 2
-# The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use.
-# Version 1 of the SSH protocol has weaknesses.
-[SSH Hardening - 2: Protocol 1 {PCI_DSS: 2.2.4}] [any] [2]
-f:$sshd_file -> !r:^# && r:Protocol\.+1;
-
-
-# PermitRootLogin no
-# The option PermitRootLogin specifies whether root can log in using ssh.
-# If you want log in as root, you should use the option "Match" and restrict it to a few IP addresses.
-[SSH Hardening - 3: Root can log in] [any] [3]
-f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
-f:$sshd_file -> r:^#\s*PermitRootLogin;
-
-
-# PubkeyAuthentication yes
-# Access only by public key
-# Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password.
-[SSH Hardening - 4: No Public Key autentication {PCI_DSS: 2.2.4}] [any] [4]
-f:$sshd_file -> !r:^# && r:PubkeyAuthentication\.+no;
-f:$sshd_file -> r:^#\s*PubkeyAuthentication;
-
-
-# PasswordAuthentication no
-# The option PasswordAuthentication specifies whether we should use password-based authentication.
-# Use public key authentication instead of passwords
-[SSH Hardening - 5: Password Authentication {PCI_DSS: 2.2.4}] [any] [5]
-f:$sshd_file -> !r:^# && r:PasswordAuthentication\.+yes;
-f:$sshd_file -> r:^#\s*PasswordAuthentication;
-
-
-# PermitEmptyPasswords no
-# The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password
-# Accounts with null passwords are a bad practice.
-[SSH Hardening - 6: Empty passwords allowed {PCI_DSS: 2.2.4}] [any] [6]
-f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\.+yes;
-f:$sshd_file -> r:^#\s*PermitEmptyPasswords;
-
-
-# IgnoreRhosts yes
-# The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication.
-# For security reasons it is recommended to no use rhosts or shosts files for authentication.
-[SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}] [any] [7]
-f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no;
-f:$sshd_file -> r:^#\s*IgnoreRhosts;
-
-
-# LoginGraceTime 30
-# The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
-# 30 seconds is the recommended time for avoiding open connections without authenticate
-[SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}] [any] [8]
-f:$sshd_file -> !r:^# && r:LoginGraceTime && !r:30\s*$;
-f:$sshd_file -> r:^#\s*LoginGraceTime;
-
-
-# MaxAuthTries 3
-# The MaxAuthTries parameter specifices the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
-# This should be set to 3.
-[SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9]
-f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
-f:$sshd_file -> r:^#\s*MaxAuthTries;
-f:$sshd_file -> !r:MaxAuthTries;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-[Chat/IM/VoIP - Skype {PCI_DSS: 10.6.1}] [any] []
-f:\Program Files\Skype\Phone;
-f:\Documents and Settings\All Users\Documents\My Skype Pictures;
-f:\Documents and Settings\Skype;
-f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
-r:HKLM\SOFTWARE\Skype;
-r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
-p:r:Skype.exe;
-
-[Chat/IM - Yahoo {PCI_DSS: 10.6.1}] [any] []
-f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger;
-r:HKLM\SOFTWARE\Yahoo;
-
-[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] []
-r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ;
-
-[Chat/IM - AOL {PCI_DSS: 10.6.1}] [any] [http://www.aol.com]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger;
-r:HKEY_CLASSES_ROOT\aim\shell\open\command;
-r:HKEY_CLASSES_ROOT\AIM.Protocol;
-r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim;
-f:\Program Files\AIM95;
-p:r:aim.exe;
-
-[Chat/IM - MSN {PCI_DSS: 10.6.1}] [any] [http://www.msn.com]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger;
-r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger;
-f:\Program Files\MSN Messenger;
-f:\Program Files\Messenger;
-p:r:msnmsgr.exe;
-
-[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] [http://www.icq.com]
-r:HKLM\SOFTWARE\Mirabilis\ICQ;
-
-[P2P - UTorrent {PCI_DSS: 10.6.1}] [any] []
-p:r:utorrent.exe;
-
-[P2P - LimeWire {PCI_DSS: 11.4}] [any] []
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire;
-r:HKLM\software\microsoft\windows\currentversion\run -> limeshop;
-f:\Program Files\limewire;
-f:\Program Files\limeshop;
-
-[P2P/Adware - Kazaa {PCI_DSS: 11.4}] [any] []
-f:\Program Files\kazaa;
-f:\Documents and Settings\All Users\Start Menu\Programs\kazaa;
-f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk;
-f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk;
-f:%WINDIR%\System32\Cd_clint.dll;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA;
-r:HKEY_CURRENT_USER\SOFTWARE\KAZAA;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA;
-
-# http://vil.nai.com/vil/content/v_135023.htm
-[Adware - RxToolBar {PCI_DSS: 11.4}] [any] [http://vil.nai.com/vil/content/v_135023.htm]
-r:HKEY_CURRENT_USER\Software\Infotechnics;
-r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar;
-r:HKEY_CURRENT_USER\Software\RX Toolbar;
-r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo;
-r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar;
-f:\Program Files\RXToolBar;
-
-# http://btfaq.com/serve/cache/18.html
-[P2P - BitTorrent {PCI_DSS: 10.6.1}] [any] [http://btfaq.com/serve/cache/18.html]
-f:\Program Files\BitTorrent;
-r:HKEY_CLASSES_ROOT\.torrent;
-r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent;
-r:HKEY_CLASSES_ROOT\bittorrent;
-r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent;
-
-# http://www.gotomypc.com
-[Remote Access - GoToMyPC {PCI_DSS: 10.6.1}] [any] []
-f:\Program Files\Citrix\GoToMyPC;
-f:\Program Files\Citrix\GoToMyPC\g2svc.exe;
-f:\Program Files\Citrix\GoToMyPC\g2comm.exe;
-f:\Program Files\expertcity\GoToMyPC;
-r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc;
-r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc;
-r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc;
-p:r:g2svc.exe;
-p:r:g2pre.exe;
-
-[Spyware - Twain Tec Spyware {PCI_DSS: 11.4}] [any] []
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech;
-f:%WINDIR%\twaintec.dll;
-
-# http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2
-[Spyware - SpyBuddy {PCI_DSS: 11.4}] [any] []
-f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe;
-f:\Program Files\ExploreAnywhere\SpyBuddy;
-f:\Program Files\ExploreAnywhere;
-f:%WINDIR%\System32\sysicept.dll;
-r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy;
-
-[Spyware - InternetOptimizer {PCI_DSS: 11.4}] [any] []
-r:HKLM\SOFTWARE\Avenue Media;
-r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho.1;
-r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho;
+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true
-[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] []
-r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-
-# http://support.microsoft.com/kb/825750
-[DCOM disabled {PCI_DSS: 10.6.1}] [any] []
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;
-
-# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] []
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;
-
-# http://research.eeye.com/html/alerts/AL20060813.html
-# Disabled by some Malwares (sometimes by McAfee and Symantec
-# security center too).
-[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] []
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;
-
-# Checking for the microsoft firewall.
-[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] []
-r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0;
-r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0;
-
-#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[Null sessions allowed {PCI_DSS: 11.4}] [any] []
-r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
-
-[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;
-
-# http://support.microsoft.com/default.aspx?scid=315231
-[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231]
-r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword;
-r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;
-
-[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] []
-f:%WINDIR%\System32\drivers\npf.sys;
+++ /dev/null
-# OSSEC Windows Malware list - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Malware name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# # Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# http://www.iss.net/threats/ginwui.html
-[Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html]
-f:%WINDIR%\System32\zsyhide.dll;
-f:%WINDIR%\System32\zsydll.dll;
-r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
-r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
-
-# http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
-[Wargbot Backdoor {PCI_DSS: 11.4}] [any] []
-f:%WINDIR%\System32\wgareg.exe;
-r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
-
-# http://www.f-prot.com/virusinfo/descriptions/sober_j.html
-[Sober Worm {PCI_DSS: 11.4}] [any] []
-f:%WINDIR%\System32\nonzipsr.noz;
-f:%WINDIR%\System32\clonzips.ssc;
-f:%WINDIR%\System32\clsobern.isc;
-f:%WINDIR%\System32\sb2run.dii;
-f:%WINDIR%\System32\winsend32.dal;
-f:%WINDIR%\System32\winroot64.dal;
-f:%WINDIR%\System32\zippedsr.piz;
-f:%WINDIR%\System32\winexerun.dal;
-f:%WINDIR%\System32\winmprot.dal;
-f:%WINDIR%\System32\dgssxy.yoi;
-f:%WINDIR%\System32\cvqaikxt.apk;
-f:%WINDIR%\System32\sysmms32.lla;
-f:%WINDIR%\System32\Odin-Anon.Ger;
-
-# http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
-[Hotword Trojan {PCI_DSS: 11.4}] [any] []
-f:%WINDIR%\System32\_;
-f:%WINDIR%\System32\explore.exe;
-f:%WINDIR%\System32\ svchost.exe;
-f:%WINDIR%\System32\mmsystem.dlx;
-f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;
-f:%WINDIR%\System32\CFXP.DRV;
-f:%WINDIR%\System32\CHJO.DRV;
-f:%WINDIR%\System32\MMSYSTEM.DLX;
-f:%WINDIR%\System32\OLECLI.DL;
-
-[Beagle worm {PCI_DSS: 11.4}] [any] []
-f:%WINDIR%\System32\winxp.exe;
-f:%WINDIR%\System32\winxp.exeopen;
-f:%WINDIR%\System32\winxp.exeopenopen;
-f:%WINDIR%\System32\winxp.exeopenopenopen;
-f:%WINDIR%\System32\winxp.exeopenopenopenopen;
-
-# http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
-[Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
-f:%WINDIR%\System32\ntos.exe;
-f:%WINDIR%\System32\wsnpoem;
-f:%WINDIR%\System32\wsnpoem\audio.dll;
-f:%WINDIR%\System32\wsnpoem\video.dll;
-r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
-
-# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
-[Looked.BK Worm {PCI_DSS: 11.4}] [any] []
-f:%WINDIR%\uninstall\rundl132.exe;
-f:%WINDIR%\Logo1_.exe;
-f:%Windir%\RichDll.dll;
-r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
-
-[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
-p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
-f:!%WINDIR%\SysWOW64;
-
-[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
-p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
-f:!%WINDIR%\SysWOW64;
-
-[Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] []
-f:%Windir%\System32\rdriv.sys;
-f:%Windir%\lsass.exe;
-
-[Possible Malware File {PCI_DSS: 11.4}] [any] []
-f:%WINDIR%\utorrent.exe;
-f:%WINDIR%\System32\utorrent.exe;
-f:%WINDIR%\System32\Files32.vxd;
-
-# Modified /etc/hosts entries
-# Idea taken from:
-# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
-# http://www.sophos.com/security/analyses/trojbagledll.html
-# http://www.f-secure.com/v-descs/fantibag_b.shtml
-[Anti-virus site on the hosts file] [any] []
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
-f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/apache_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Apache rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -
- - Contributed by: Ahmet Ozturk
- - Ben Chavet <ben.chavet@lullabot.com>
- -->
-
-
-<group name="apache,">
- <rule id="30100" level="0">
- <decoded_as>apache-errorlog</decoded_as>
- <description>Apache messages grouped.</description>
- </rule>
-
- <rule id="30101" level="0">
- <if_sid>30100</if_sid>
- <match>^[error] </match>
- <description>Apache error messages grouped.</description>
- </rule>
-
- <rule id="30102" level="0">
- <if_sid>30100</if_sid>
- <match>^[warn] </match>
- <description>Apache warn messages grouped.</description>
- </rule>
-
- <rule id="30103" level="0">
- <if_sid>30100</if_sid>
- <match>^[notice] </match>
- <description>Apache notice messages grouped.</description>
- </rule>
-
- <rule id="30104" level="12">
- <if_sid>30103</if_sid>
- <match>exit signal Segmentation Fault</match>
- <description>Apache segmentation fault.</description>
- <info type="link">http://www.securityfocus.com/infocus/1633</info>
- <group>service_availability,</group>
- </rule>
-
- <rule id="30105" level="5">
- <if_sid>30101</if_sid>
- <match>denied by server configuration</match>
- <description>Attempt to access forbidden file or directory.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="30106" level="5">
- <if_sid>30101</if_sid>
- <match>Directory index forbidden by rule</match>
- <description>Attempt to access forbidden directory index.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="30107" level="6">
- <if_sid>30101</if_sid>
- <match>Client sent malformed Host header</match>
- <description>Code Red attack.</description>
- <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
- <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
- <group>automatic_attack,</group>
- </rule>
-
- <rule id="30108" level="5">
- <if_sid>30102</if_sid>
- <match>authentication failed</match>
- <description>User authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="30109" level="9">
- <if_sid>30101</if_sid>
- <regex>user \S+ not found|user \S+ in realm \.* not found</regex>
- <description>Attempt to login using a non-existent user.</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="30110" level="5">
- <if_sid>30101</if_sid>
- <match>authentication failure</match>
- <description>User authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="30112" level="0">
- <if_sid>30101</if_sid>
- <match>File does not exist: |</match>
- <match>failed to open stream: No such file or directory|</match>
- <match>Failed opening </match>
- <description>Attempt to access an non-existent file (those are reported on the access.log).</description>
- <group>unknown_resource,</group>
- </rule>
-
- <!-- [Tue Mar 07 12:05:15 2006] [error] [client 200.206.165.91] Invalid URI in request %3Bi%3A3%3Bi%3A0%3B%7D; usercookie[password]=d6ed9e1750d0b2aba6b3311cbec087d8; 45befd35f8a0f47b89ed8831f892b8dc=167c4e46a940cd2570b952eea527b27a; PHPSESSID=616hjdg7kj9bln37efsv7vt7g3
- - [client 65.204.137.200] script '/var/www/html/xmlrpc.php' not found or unable to stat
- -->
- <rule id="30115" level="5">
- <if_sid>30101</if_sid>
- <match>Invalid URI in request</match>
- <description>Invalid URI (bad client request).</description>
- <group>invalid_request,</group>
- </rule>
-
- <rule id="30116" level="10" frequency="8" timeframe="120">
- <if_matched_sid>30115</if_matched_sid>
- <same_source_ip />
- <description>Multiple Invalid URI requests from </description>
- <description>same source.</description>
- <group>invalid_request,</group>
- </rule>
-
- <rule id="30117" level="10">
- <if_sid>30101</if_sid>
- <match>File name too long|request failed: URI too long</match>
- <description>Invalid URI, file name too long.</description>
- <group>invalid_request,</group>
- </rule>
-
- <!-- Mod security rules by <ossec ( at ) sioban.net -->
- <rule id="30118" level="6">
- <if_sid>30101</if_sid>
- <match>mod_security: Access denied|ModSecurity: Access denied</match>
- <description>Access attempt blocked by Mod Security.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="30119" level="12" frequency="6" timeframe="120">
- <if_matched_sid>30118</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts blocked by Mod Security.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="30120" level="12">
- <if_sid>30101</if_sid>
- <match>Resource temporarily unavailable:</match>
- <description>Apache without resources to run.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="30200" level="6" noalert="1">
- <match>^mod_security-message: </match>
- <description>Modsecurity alert.</description>
- </rule>
-
- <rule id="30201" level="6">
- <if_sid>30200</if_sid>
- <match>^mod_security-message: Access denied </match>
- <description>Modsecurity access denied.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="30202" level="10" frequency="8" timeframe="120">
- <if_matched_sid>30201</if_matched_sid>
- <description>Multiple attempts blocked by Mod Security.</description>
- <group>access_denied,</group>
- </rule>
-
- <!-- Apache 2.4 Rules -->
- <rule id="30301" level="0">
- <if_sid>30100</if_sid>
- <regex> [\S*:error] </regex>
- <description>Apache error messages grouped.</description>
- </rule>
-
- <rule id="30302" level="0">
- <if_sid>30100</if_sid>
- <regex> [\S+:warn] </regex>
- <description>Apache warn messages grouped.</description>
- </rule>
-
- <rule id="30303" level="0">
- <if_sid>30100</if_sid>
- <regex> [\S+:notice] </regex>
- <description>Apache notice messages grouped.</description>
- </rule>
-
- <rule id="30304" level="12">
- <if_sid>30303</if_sid>
- <match>exit signal Segmentation Fault</match>
- <description>Apache segmentation fault.</description>
- <info type="link">http://www.securityfocus.com/infocus/1633</info>
- <group>service_availability,</group>
- </rule>
-
- <rule id="30305" level="5">
- <if_sid>30301</if_sid>
- <id>AH01630</id>
- <description>Attempt to access forbidden file or directory.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="30306" level="5">
- <if_sid>30301</if_sid>
- <id>AH01276</id>
- <description>Attempt to access forbidden directory index.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="30307" level="6">
- <if_sid>30301</if_sid>
- <id>AH00550</id>
- <description>Client sent malformed Host header. Possible Code Red attack.</description>
- <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
- <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
- <group>automatic_attack,</group>
- </rule>
-
- <rule id="30308" level="5">
- <if_sid>30301</if_sid>
- <id>AH01617|AH01807|AH01694|AH01695|AH02009|AH02010</id>
- <description>User authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="30309" level="5">
- <if_sid>30301</if_sid>
- <id>AH01618|AH01808|AH01790</id>
- <description>Attempt to login using a non-existent user.</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="30310" level="10" frequency="10" timeframe="160">
- <if_matched_sid>30309</if_matched_sid>
- <same_source_ip/>
- <description>Multiple authentication failures with invalid user.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="30312" level="0">
- <if_sid>30301</if_sid>
- <match>File does not exist: |</match>
- <match>failed to open stream: No such file or directory|</match>
- <match>Failed opening </match>
- <description>Attempt to access an non-existent file (those are reported on the access.log).</description>
- <group>unknown_resource,</group>
- </rule>
-
- <rule id="30315" level="5">
- <if_sid>30301</if_sid>
- <id>AH00126</id>
- <description>Invalid URI (bad client request).</description>
- <group>invalid_request,</group>
- </rule>
-
- <rule id="30316" level="10" frequency="8" timeframe="120">
- <if_matched_sid>30315</if_matched_sid>
- <same_source_ip />
- <description>Multiple Invalid URI requests from </description>
- <description>same source.</description>
- <group>invalid_request,</group>
- </rule>
-
- <rule id="30317" level="10">
- <if_sid>30301</if_sid>
- <id>AH00565</id>
- <description>Invalid URI, file name too long.</description>
- <group>invalid_request,</group>
- </rule>
-
- <rule id="30318" level="5">
- <if_sid>30301</if_sid>
- <match>PHP Notice:</match>
- <description>PHP Notice in Apache log</description>
- </rule>
-
- <rule id="30319" level="10">
- <if_sid>30301</if_sid>
- <id>AH00036</id>
- <match>File name too long: </match>
- <description>File name too long.</description>
- </rule>
-
- <rule id="30320" level="2">
- <if_sid>30301</if_sid>
- <match>Permission denied: | client denied by server configuration: </match>
- <description>Permission denied.</description>
- </rule>
-
- <rule id="30321" level="2">
- <if_sid>30301</if_sid>
- <id>AH02811</id>
- <match>script not found </match>
- <description>A script cannot be accessed.</description>
- </rule>
-
- <!-- Apache 2.4 ModSecurity Rules -->
- <rule id="30401" level="0">
- <if_sid>30301</if_sid>
- <match>ModSecurity: Warning</match>
- <description>ModSecurity Warning messages grouped</description>
- </rule>
-
- <rule id="30402" level="0">
- <if_sid>30301</if_sid>
- <match>ModSecurity: Access denied</match>
- <description>ModSecurity Access denied messages grouped</description>
- </rule>
-
- <rule id="30403" level="0">
- <if_sid>30301</if_sid>
- <match>ModSecurity: Audit log:</match>
- <description>ModSecurity Audit log messages grouped</description>
- </rule>
-
- <rule id="30411" level="7">
- <if_sid>30402</if_sid>
- <match>with code 403</match>
- <description>ModSecurity rejected a query</description>
- </rule>
-</group> <!-- ERROR_LOG,APACHE -->
-
-<!-- EOF -->
-
+++ /dev/null
- <!-- Copyright 2014 Dan Parriott (ddpbsd@gmail.com)
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- -->
-
-
-
- <!-- Modify it at your will. -->
-
-<group name="local,syslog,apparmor">
-
- <rule id="52000" level="3">
- <decoded_as>iptables</decoded_as>
- <match> apparmor=</match>
- <description>Apparmor grouping</description>
- </rule>
-
- <rule id="52001" level="0">
- <if_sid>52000</if_sid>
- <status>ALLOWED|STATUS</status>
- <description>Ignore ALLOWED or STATUS</description>
- </rule>
-
- <rule id="52002" level="3">
- <if_sid>52000</if_sid>
- <status>DENIED</status>
- <match> apparmor=</match>
- <description>Apparmor DENIED</description>
- </rule>
-
- <rule id="52003" level="5">
- <if_sid>52002</if_sid>
- <extra_data>exec</extra_data>
- <description>Apparmor DENIED exec operation.</description>
- </rule>
-
- <rule id="52004" level="4">
- <if_sid>52002</if_sid>
- <extra_data>mknod</extra_data>
- <description>Apparmor DENIED mknod operation.</description>
- </rule>
-
-</group> <!-- SYSLOG,LOCAL -->
-
-
- <!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/arpwatch_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Arpwatch rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,arpwatch,">
- <rule id="7200" level="0" noalert="1">
- <decoded_as>arpwatch</decoded_as>
- <description>Grouping of the arpwatch rules.</description>
- </rule>
-
- <rule id="7201" level="4">
- <if_sid>7200</if_sid>
- <options>alert_by_email</options>
- <if_fts />
- <description>Arpwatch new host detected.</description>
- <group>new_host,</group>
- </rule>
-
- <rule id="7202" level="9">
- <if_sid>7200</if_sid>
- <match>flip flop </match>
- <description>Arpwatch "flip flop" message. </description>
- <description>IP address/MAC relation changing too often.</description>
- <group>ip_spoof,</group>
- </rule>
-
- <rule id="7203" level="3">
- <if_sid>7200</if_sid>
- <match>reaper: pid </match>
- <description>Arpwatch exiting.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="7204" level="9">
- <if_sid>7200</if_sid>
- <match>changed ethernet address </match>
- <description>Changed network interface for ip address.</description>
- <group>ip_spoof,</group>
- </rule>
-
- <rule id="7205" level="0">
- <if_sid>7200</if_sid>
- <match>bad interface eth0|exiting|Running as </match>
- <description>Arpwatch startup/exiting messages.</description>
- </rule>
-
- <rule id="7206" level="0">
- <if_sid>7200</if_sid>
- <match>sent bad addr len</match>
- <description>Arpwatch detected bad address len (ignored).</description>
- </rule>
-
- <rule id="7207" level="1">
- <if_sid>7200</if_sid>
- <match>/dev/bpf0: Permission denied</match>
- <description>arpwatch probably run with wrong permissions</description>
- </rule>
-
- <rule id="7208" level="1">
- <if_sid>7200</if_sid>
- <match>reused old ethernet address</match>
- <description>An IP has reverted to an old ethernet address.</description>
- </rule>
-
- <rule id="7209" level="7">
- <if_sid>7200</if_sid>
- <match>ethernet mismatch</match>
- <description>Possible arpspoofing attempt.</description>
- <group>ip_spoof,</group>
- </rule>
-
-
-
-</group> <!-- SYSLOG,arpwatch, -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/asterisk_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Asterisk rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Asterisk Log messages -->
-<group name="syslog,asterisk,">
- <rule id="6200" level="0">
- <decoded_as>asterisk</decoded_as>
- <description>Asterisk messages grouped.</description>
- </rule>
-
- <rule id="6201" level="0">
- <if_sid>6200</if_sid>
- <match>^NOTICE</match>
- <description>Asterisk notice messages grouped.</description>
- </rule>
-
- <rule id="6202" level="3">
- <if_sid>6200</if_sid>
- <match>^WARN</match>
- <description>Asterisk warning message.</description>
- </rule>
-
- <rule id="6203" level="3">
- <if_sid>6200</if_sid>
- <match>^ERROR</match>
- <description>Asterisk error message.</description>
- </rule>
-
- <rule id="6210" level="5">
- <if_sid>6201</if_sid>
- <match>Wrong password</match>
- <description>Login session failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="6211" level="5">
- <if_sid>6201</if_sid>
- <match>Username/auth name mismatch</match>
- <description>Login session failed (invalid user).</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="6212" level="5">
- <if_sid>6201</if_sid>
- <match>No matching peer found</match>
- <description>Login session failed (invalid extension).</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="6250" level="10" frequency="6" timeframe="300">
- <if_matched_sid>6211</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins (user enumeration in process).</description>
- </rule>
-
- <rule id="6251" level="10" frequency="6" timeframe="300">
- <if_matched_sid>6210</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins.</description>
- </rule>
-
- <rule id="6252" level="10" frequency="6" timeframe="300">
- <if_matched_sid>6212</if_matched_sid>
- <same_source_ip />
- <description>Extension enumeration.</description>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <!--http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/-->
- <rule id="6253" level="5">
- <if_sid>6201</if_sid>
- <match>No registration for peer</match>
- <description>Login session failed (invalid iax user).</description>
- <group>invalid_login,</group>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6254" level="10" frequency="3" timeframe="300">
- <if_matched_sid>6253</if_matched_sid>
- <same_source_ip />
- <description>Extension IAX Enumeration.</description>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6255" level="5">
- <if_sid>6202</if_sid>
- <match>Don't know how to respond via</match>
- <description>Possible Registration Hijacking.</description>
- <group>invalid_login,</group>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6256" level="5">
- <if_sid>6201</if_sid>
- <match>failed MD5 authentication</match>
- <description>IAX peer Wrong Password.</description>
- <group>invalid_login,</group>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6257" level="10" frequency="3" timeframe="300">
- <if_matched_sid>6256</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins.</description>
- </rule>
-
- <rule id="6258" level="5">
- <if_sid>6201</if_sid>
- <match>No matching peer found|extension not found in context</match>
- <description>Login session failed (invalid extension).</description>
- <group>invalid_login,</group>
- </rule>
-
-</group> <!-- ASTERISK -->
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/attack_rules.xml, 2011/09/08 dcid Exp $
-
- - Official "attack" correlation rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- System users. They should never log in to the system -->
-<var name="SYS_USERS">^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$</var>
-
-
-<!-- Attack signatures -->
-<group name="syslog,attacks,">
- <rule id="40101" level="12">
- <if_group>authentication_success</if_group>
- <user>$SYS_USERS</user>
- <description>System user successfully logged to the system.</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="40102" level="14">
- <regex>^rpc.statd[\d+]: gethostbyname error for \W+</regex>
- <description>Buffer overflow attack on rpc.statd</description>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="40103" level="14">
- <regex>ftpd[\d+]: \S+ FTP LOGIN FROM \.+ 0bin0sh</regex>
- <description>Buffer overflow on WU-FTPD versions prior to 2.6</description>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="40104" level="13">
- <match>?????????????????????</match>
- <description>Possible buffer overflow attempt.</description>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="40105" level="12">
- <match>changed by \(\(null\)</match>
- <description>"Null" user changed some information.</description>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="40106" level="12">
- <match>@@@@@@@@@@@@@@@@@@@@@@@@@</match>
- <description>Buffer overflow attempt (probably on yppasswd).</description>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="40107" level="14">
- <regex>cachefsd: Segmentation Fault - core dumped</regex>
- <description>Heap overflow in the Solaris cachefsd service.</description>
- <info type='cve'>2002-0033</info>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="40109" level="12">
- <match>attempt to execute code on stack by</match>
- <description>Stack overflow attempt or program exiting </description>
- <description>with SEGV (Solaris).</description>
- <info type="link">http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html</info>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="40111" level="10" frequency="10" timeframe="160">
- <if_matched_group>authentication_failed</if_matched_group>
- <description>Multiple authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="40112" level="12" timeframe="240">
- <if_group>authentication_success</if_group>
- <if_matched_group>authentication_failures</if_matched_group>
- <same_source_ip />
- <description>Multiple authentication failures followed </description>
- <description>by a success.</description>
- </rule>
-
- <rule id="40113" level="12" frequency="6" timeframe="360">
- <if_matched_group>virus</if_matched_group>
- <description>Multiple viruses detected - Possible outbreak.</description>
- <group>virus,</group>
- </rule>
-
-</group> <!-- SYSLOG, ATTACKS, -->
-
-
-
-<!-- Privilege escalation messages -->
-<group name="syslog,elevation_of_privilege,">
- <rule id="40501" level="15" timeframe="300" frequency="2">
- <if_group>adduser</if_group>
- <if_matched_group>attacks</if_matched_group>
- <description>Attacks followed by the addition </description>
- <description>of an user.</description>
- </rule>
-</group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->
-
-
-
-<!-- Scan signatures -->
-<group name="syslog,recon,">
- <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90">
- <if_matched_group>connection_attempt</if_matched_group>
- <description>Network scan from same source ip.</description>
- <same_source_ip />
- <info type="link">http://project.honeynet.org/papers/enemy2/</info>
- </rule>
-</group> <!-- SYSLOG,SCANS -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/cimserver_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Compaq Insight Manager (cimserver) rules for OSSEC.
- -
- - Author: Stephen Kreusch
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-<group name="syslog,cimserver,">
- <rule id="9600" level="0" noalert="1">
- <decoded_as>cimserver</decoded_as>
- <description>cimserver messages grouped.</description>
- </rule>
-
- <rule id="9610" level="5">
- <if_sid>9600</if_sid>
- <match>Authentication failed</match>
- <description>Compaq Insight Manager authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="9611" level="12">
- <if_sid>9600</if_sid>
- <match>Server stopped</match>
- <description>Compaq Insight Manager stopped.</description>
- <group>service_availability,</group>
- </rule>
-</group>
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/cisco-ios_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Cisco IOS rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,cisco_ios,">
- <rule id="4700" level="0">
- <decoded_as>cisco-ios</decoded_as>
- <description>Grouping of Cisco IOS rules.</description>
- </rule>
-
- <rule id="4710" level="9">
- <if_sid>4700</if_sid>
- <id>-0-</id>
- <description>Cisco IOS emergency message.</description>
- </rule>
-
-
- <rule id="4711" level="5">
- <if_sid>4700</if_sid>
- <id>-1-</id>
- <description>Cisco IOS alert message.</description>
- </rule>
-
- <rule id="4712" level="5">
- <if_sid>4700</if_sid>
- <id>-2-</id>
- <description>Cisco IOS critical message.</description>
- </rule>
-
- <rule id="4713" level="4">
- <if_sid>4700</if_sid>
- <id>-3-</id>
- <description>Cisco IOS error message.</description>
- </rule>
-
- <rule id="4714" level="4">
- <if_sid>4700</if_sid>
- <id>-4-</id>
- <description>Cisco IOS warning message.</description>
- </rule>
-
- <rule id="4715" level="0">
- <if_sid>4700</if_sid>
- <id>-5-</id>
- <description>Cisco IOS notification message.</description>
- </rule>
-
- <rule id="4716" level="0">
- <if_sid>4700</if_sid>
- <id>-6-</id>
- <description>Cisco IOS informational message.</description>
- </rule>
-
- <rule id="4717" level="0">
- <if_sid>4700</if_sid>
- <id>-7-</id>
- <description>Cisco IOS debug message.</description>
- </rule>
-
- <rule id="4721" level="3">
- <if_sid>4715</if_sid>
- <id>^%SYS-5-CONFIG</id>
- <description>Cisco IOS router configuration changed.</description>
- <group>config_changed,</group>
- </rule>
-
- <rule id="4722" level="3">
- <if_sid>4715</if_sid>
- <id>^%SEC_LOGIN-5-LOGIN_SUCCESS</id>
- <description>Successful login to the router.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="4724" level="9">
- <if_sid>4714</if_sid>
- <id>^%SEC_LOGIN-4-LOGIN_FAILED</id>
- <description>Failed login to the router.</description>
- <group>authentication_failed,</group>
- </rule>
-
-</group> <!-- SYSLOG,CISCO IOS -->
-
-
-<!-- EOF -->
+++ /dev/null
-
-<group name="clamd,freshclam,">
-
- <rule id="52500" level="0" noalert="1">
- <decoded_as>clamd</decoded_as>
- <description>Grouping of the clamd rules.</description>
- </rule>
-
- <rule id="52501" level="0" noalert="1">
- <decoded_as>freshclam</decoded_as>
- <description>ClamAV database update</description>
- </rule>
-
- <rule id="52502" level="8">
- <if_sid>52500</if_sid>
- <match>FOUND</match>
- <description>Virus detected</description>
- <group>virus</group>
- </rule>
-
- <rule id="52503" level="10">
- <if_sid>52500</if_sid>
- <match>^ERROR: </match>
- <description>Clamd error</description>
- <group>virus</group>
- </rule>
-
- <rule id="52504" level="7">
- <if_sid>52500</if_sid>
- <match>^WARNING: </match>
- <description>Clamd warning</description>
- <group>virus</group>
- </rule>
-
- <rule id="52505" level="3">
- <if_sid>52500</if_sid>
- <match>clamd daemon</match>
- <description>Clamd restarted</description>
- <group>virus</group>
- </rule>
-
- <rule id="52506" level="3">
- <if_sid>52500</if_sid>
- <match>Database modification detected</match>
- <description>Clamd database updated</description>
- <group>virus</group>
- </rule>
-
- <rule id="52507" level="3">
- <if_sid>52501</if_sid>
- <match>ClamAV update process started </match>
- <description>ClamAV database update</description>
- <group>virus</group>
- </rule>
-
- <rule id="52508" level="3">
- <if_sid>52501</if_sid>
- <match>Database updated </match>
- <description>ClamAV database updated</description>
- <group>virus</group>
- </rule>
-
- <rule id="52509" level="0">
- <if_sid>52501</if_sid>
- <match>Incremental update failed|Error while reading database from|Update failed.</match>
- <description>Could not download the incremental virus definition updates.</description>
- </rule>
-
-</group> <!-- clamd, freshclam -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/courier_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Courier rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-<!-- Using logs from: http://www.ossec.net/wiki/index.php/Courier -->
-
-<group name="syslog,courier,">
- <rule id="3900" level="0">
- <decoded_as>courier</decoded_as>
- <description>Grouping for the courier rules.</description>
- </rule>
-
- <rule id="3901" level="3">
- <if_sid>3900</if_sid>
- <match>^Connection, </match>
- <description>New courier (imap/pop3) connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="3902" level="5">
- <if_sid>3900</if_sid>
- <match>^LOGIN FAILED,| FAILED:</match>
- <description>Courier (imap/pop3) authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="3903" level="0">
- <if_sid>3900</if_sid>
- <match>^LOGOUT,|^DISCONNECTED</match>
- <description>Courier logout/timeout.</description>
- </rule>
-
- <rule id="3904" level="3">
- <if_sid>3900</if_sid>
- <match>^LOGIN,</match>
- <description>Courier (imap/pop3) authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="3910" level="10" frequency="10" timeframe="30">
- <if_matched_sid>3902</if_matched_sid>
- <description>Courier brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- <same_source_ip />
- </rule>
-
- <rule id="3911" level="10" frequency="15" timeframe="30">
- <if_matched_sid>3901</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-</group> <!-- SYSLOG,COURIER -->
-
-
-<!-- EOF -->
+++ /dev/null
-<group name="local,dns,dnsmasq,">
-
- <rule id="53551" level="0">
- <decoded_as>dnsmasq</decoded_as>
- <description>dnsmasq grouping rule.</description>
- </rule>
-
-
-
-
-</group>
-
+++ /dev/null
-<!-- Copyright (C) 2009 Michael Starks
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -->
-
-
-<group name="dovecot,">
-<rule id="9700" level="0">
- <decoded_as>dovecot</decoded_as>
- <description>Dovecot Messages Grouped.</description>
-</rule>
-
-<rule id="9701" level="3">
- <if_sid>9700</if_sid>
- <match>login: Login: </match>
- <description>Dovecot Authentication Success.</description>
- <group>authentication_success,</group>
-</rule>
-
-<rule id="9702" level="5">
- <if_sid>9700</if_sid>
- <match>Password mismatch$</match>
- <description>Dovecot Authentication Failed.</description>
- <group>authentication_failed,</group>
-</rule>
-
-<rule id="9703" level="3">
- <if_sid>9700</if_sid>
- <match>starting up</match>
- <description>Dovecot is Starting Up.</description>
-</rule>
-
-<rule id="9704" level="2">
- <if_sid>9700</if_sid>
- <match>^Fatal: </match>
- <options>alert_by_email</options>
- <description>Dovecot Fatal Failure.</description>
-</rule>
-
-<rule id="9705" level="5">
- <if_sid>9700</if_sid>
- <match>user not found|User not known|unknown user|auth failed</match>
- <description>Dovecot Invalid User Login Attempt.</description>
- <group>invalid_login,authentication_failed,</group>
-</rule>
-
-<rule id="9706" level="3">
- <if_sid>9700</if_sid>
- <match>: Disconnected: </match>
- <description>Dovecot Session Disconnected.</description>
-</rule>
-
-<rule id="9707" level="5">
- <if_sid>9700</if_sid>
- <match>: Aborted login</match>
- <description>Dovecot Aborted Login.</description>
- <group>invalid_login,</group>
-</rule>
-
-
-<!-- Composite rules -->
-<rule id="9750" level="10" frequency="6" timeframe="120">
- <if_matched_sid>9702</if_matched_sid>
- <same_source_ip />
- <description>Dovecot Multiple Authentication Failures.</description>
- <group>authentication_failures,</group>
-</rule>
-
-<rule id="9751" level="10" frequency="6" timeframe="240">
- <if_matched_sid>9705</if_matched_sid>
- <same_source_ip />
- <description>Dovecot brute force attack (multiple auth failures).</description>
- <group>authentication_failures,</group>
-</rule>
-
-<rule id="9770" level="0">
- <decoded_as>dovecot-info</decoded_as>
- <description>dovecot-info grouping.</description>
-</rule>
-
-<rule id="9771" level="5">
- <if_sid>9770</if_sid>
- <match>user not found|User not known|unknown user|auth failed</match>
- <description>Dovecot Invalid User Login Attempt.</description>
- <group>invalid_login,authentication_failed,</group>
-</rule>
-
-
-</group>
+++ /dev/null
- <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- -->
-
-
-
-<!-- Modify it at your will. -->
-
-<group name="syslog,sshd,dropbear">
-
- <rule id="51000" level="0" noalert="1">
- <decoded_as>dropbear</decoded_as>
- <description>Grouping for dropbear rules.</description>
- </rule>
-
- <rule id="51001" level="1">
- <if_sid>51000</if_sid>
- <match>Failed to get kex value</match>
- <description>Failed to get key exchange value</description>
- </rule>
-
- <rule id="51002" level="1">
- <if_sid>51000</if_sid>
- <match>Premature kexdh_init message received</match>
- <description>Premature kexdh_init message</description>
- </rule>
-
- <rule id="51003" level="5">
- <if_sid>51000</if_sid>
- <match>bad password attempt for</match>
- <description>Bad password attempt.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="51093" level="5">
- <if_sid>51000</if_sid>
- <match>attempt for nonexistent user</match>
- <description>Bad password attempt for non existent user.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_group>authentication_failed</if_matched_group>
- <same_source_ip />
- <description>dropbear brute force attempt.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="51005" level="0">
- <if_sid>51000</if_sid>
- <regex>exit after auth \(\S+\): Disconnect received</regex>
- <description>User disconnected.</description>
- </rule>
-
- <rule id="51006" level="2">
- <if_sid>51000</if_sid>
- <match>exit before auth</match>
- <description>Client exited before authentication.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="51007" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>51000</if_matched_sid>
- <same_source_ip />
- <description>dropbear brute force attempt.</description>
- <group>authentication_failures,</group>
- </rule>
-
-
- <rule id="51008" level="1">
- <if_sid>51000</if_sid>
- <match>Incompatible remote version</match>
- <description>Incompatible remote version.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="51009" level="0">
- <if_sid>51000</if_sid>
- <match>password auth succeeded for</match>
- <description>User successfully logged in using a password.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="51010" level="0">
- <if_sid>51000</if_sid>
- <match>Pubkey auth succeeded</match>
- <description>User successfully logged in using a public key.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="51011" level="1">
- <decoded_as>dropbear</decoded_as>
- <if_sid>1002</if_sid>
- <match>Error listening: Address already in use</match>
- <description>Dropbear cannot listen on port.</description>
- </rule>
-
-
-</group> <!-- SYSLOG,LOCAL -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- Authors: Alexandr Garaga
-- This program is a free software; you can redistribute it
-- and/or modify it under the terms of the GNU General Public
-- License (version 2) as published by the FSF - Free Software
-- Foundation.
--
-- License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
--->
-
-<group name="exim,">
- <rule id="13000" level="0">
- <decoded_as>windows-date-format</decoded_as>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d SMTP </regex>
- <description>Exim SMTP Messages Grouped.</description>
- </rule>
-
- <rule id="13001" level="0">
- <decoded_as>windows-date-format</decoded_as>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d dovecot</regex>
- <description>dovecot messages grouped.</description>
- </rule>
-
- <rule id="13006" level="5">
- <if_sid>13001</if_sid>
- <match>authenticator failed</match>
- <description>Exim Auth failed</description>
- <group>invalid_login,authentication_failed,</group>
- </rule>
-
- <rule id="13007" level="10" frequency="6" timeframe="240">
- <if_matched_sid>13006</if_matched_sid>
- <same_source_ip />
- <description>Exim brute force attack (multiple auth failures).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="13008" level="0">
- <if_sid>13000</if_sid>
- <match>connection count =</match>
- <description>Exim connection</description>
- </rule>
-
- <rule id="13009" level="1">
- <if_sid>13000</if_sid>
- <match>lost$</match>
- <description>Exim connection lost</description>
- </rule>
-
- <rule id="13010" level="5">
- <if_sid>13000</if_sid>
- <match>dropped: too many syntax or protocol errors</match>
- <description>Exim syntax or protocol errors</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/firewall_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Firewall rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="firewall,">
- <rule id="4100" level="0">
- <category>firewall</category>
- <description>Firewall rules grouped.</description>
- </rule>
-
- <!-- We don't log firewall events, because they go
- - to their own log file.
- -->
- <rule id="4101" level="5">
- <if_sid>4100</if_sid>
- <action>DROP</action>
- <options>no_log</options>
- <description>Firewall drop event.</description>
- <group>firewall_drop,</group>
- </rule>
-
- <rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
- <if_matched_sid>4101</if_matched_sid>
- <same_source_ip />
- <description>Multiple Firewall drop events from same source.</description>
- <group>multiple_drops,</group>
- </rule>
-</group>
+++ /dev/null
-<group name="local,firewalld,">
- <rule id="40900" level="0">
- <program_name>^firewalld</program_name>
- <description>firewalld grouping</description>
- </rule>
-
- <rule id="40901" level="1">
- <if_sid>40900</if_sid>
- <match> ERROR: </match>
- <description>firewalld error</description>
- </rule>
-
- <rule id="40902" level="3">
- <if_sid>40901</if_sid>
- <match> No chain/target/match by that name.$</match>
- <description>Incorrect chain/target/match.</description>
- </rule>
-
- <rule id="40903" level="2">
- <if_sid>40901</if_sid>
- <match> ZONE_ALREADY_SET$</match>
- <description>firewalld: zone already set.</description>
- </rule>
-</group>
-
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/ftpd_rules.xml, 2011/09/08 dcid Exp $
-
- - Official ftpd rules for OSSEC.
- - Author: Ahmet Ozturk
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,ftpd,">
- <rule id="11100" level="0" noalert="1">
- <decoded_as>ftpd</decoded_as>
- <description>Grouping for the ftpd rules.</description>
- </rule>
-
- <rule id="11101" level="5">
- <if_sid>11100</if_sid>
- <match>FTP LOGIN REFUSED</match>
- <description>FTP connection refused.</description>
- <group>authentication_failed,access_denied,</group>
- </rule>
-
- <rule id="11102" level="0">
- <if_sid>11100</if_sid>
- <match> created </match>
- <description>File created via FTP</description>
- </rule>
-
- <rule id="11103" level="0">
- <if_sid>11100</if_sid>
- <match> deleted </match>
- <description>File deleted via FTP</description>
- </rule>
-
- <rule id="11104" level="0">
- <if_sid>11100</if_sid>
- <match>FTPD: IMPORT file</match>
- <description>User uploaded a file to server.</description>
- </rule>
-
- <rule id="11105" level="0">
- <if_sid>11100</if_sid>
- <match>FTPD: EXPORT file</match>
- <description>User downloaded a file to server.</description>
- </rule>
-
- <rule id="11106" level="3">
- <if_sid>11100</if_sid>
- <match>FTP LOGIN FROM|connection from|connect from</match>
- <group>connection_attempt</group>
- <description>Remote host connected to FTP server.</description>
- </rule>
-
- <rule id="11107" level="5">
- <if_sid>11100</if_sid>
- <match>refused connect from</match>
- <group>access_denied,</group>
- <description>Connection blocked by Tcp Wrappers.</description>
- </rule>
-
- <rule id="11108" level="5">
- <if_sid>11100</if_sid>
- <match>warning: can't verify hostname: |gethostbyaddr: </match>
- <description>Reverse lookup error (bad ISP config).</description>
- <group>client_misconfig,</group>
- </rule>
-
- <rule id="11109" level="10">
- <if_sid>11100</if_sid>
- <match>repeated login failures</match>
- <description>Multiple FTP failed login attempts.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11110" level="3">
- <if_sid>11100</if_sid>
- <match>timed out after</match>
- <description>User disconnected due to time out.</description>
- </rule>
-
- <rule id="11111" level="9">
- <if_sid>11100</if_sid>
- <match>PAM_ERROR_MSG: Account is disabled</match>
- <description>Attempt to login with disabled account.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11112" level="5">
- <if_sid>11100</if_sid>
- <match>^Failed authentication from</match>
- <description>FTP authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11113" level="5">
- <if_sid>11100</if_sid>
- <regex>^login \S+ from \S+ failed</regex>
- <description>FTP authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-</group> <!-- SYSLOG,FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/hordeimp_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Horde IMP rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,hordeimp,">
- <rule id="9300" level="0">
- <decoded_as>horde_imp</decoded_as>
- <description>Grouping for the Horde imp rules.</description>
- </rule>
-
- <rule id="9301" level="0">
- <if_sid>9300</if_sid>
- <match>^[info]</match>
- <description>Horde IMP informational message.</description>
- </rule>
-
- <rule id="9302" level="3">
- <if_sid>9300</if_sid>
- <match>^[notice]</match>
- <description>Horde IMP notice message.</description>
- </rule>
-
- <rule id="9303" level="5">
- <if_sid>9300</if_sid>
- <match>^[error]</match>
- <description>Horde IMP error message.</description>
- </rule>
-
- <rule id="9304" level="9" ignore="60">
- <if_sid>9300</if_sid>
- <match>^[emergency]</match>
- <description>Horde IMP emergency message.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="9305" level="3">
- <if_sid>9302</if_sid>
- <match>Login success for </match>
- <description>Horde IMP successful login.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="9306" level="5">
- <if_sid>9303</if_sid>
- <match>FAILED LOGIN </match>
- <description>Horde IMP Failed login.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="9351" level="10" frequency="6" timeframe="120">
- <if_matched_sid>9306</if_matched_sid>
- <same_source_ip />
- <description>Horde brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="9352" level="10" frequency="4" timeframe="320">
- <if_matched_sid>9304</if_matched_sid>
- <description>Multiple Horde emergency messages.</description>
- <group>service_availability,</group>
- </rule>
-
-</group> <!-- SYSLOG,HORDE_IMP -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/ids_rules.xml, 2011/09/08 dcid Exp $
-
- - Official IDS rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<var name="IDS_FREQ">8</var>
-
-<group name="ids,">
- <rule id="20100" level="8">
- <category>ids</category>
- <if_fts></if_fts>
- <description>First time this IDS alert is generated.</description>
- <group>fts,</group>
- </rule>
-
- <rule id="20101" level="6">
- <category>ids</category>
- <check_if_ignored>srcip, id</check_if_ignored>
- <description>IDS event.</description>
- </rule>
-
- <!-- This rule ignores some Ids that cause too much
- - false positives. Snort specific.
- -->
- <rule id="20102" level="0">
- <if_sid>20100, 20101</if_sid>
- <decoded_as>snort</decoded_as>
- <!-- 1:1852 -> robots.txt access
- - 1:368 - ICMP ping.
- - 1:384 - ICMP ping.
- - 1:366 - ICMP ping.
- - 1:399 - ICMP host unreachable
- - 1:402 - ICMP port unreachable
- - 1:408 - ICMP reply
- - 1:480 - ICMP ping speedera.
- - 1:1365 - RM commant attempt (too many false positives)
- - 1:2925 - web bug 0x0 gif attempt
- -->
- <id>^1:1852:|^1:368:|^1:384:|^1:366:|^1:402:|^1:408:|^1:1365:|</id>
- <id>^1:480:|^1:399:|^1:2925:</id>
- <description>Ignored snort ids.</description>
- </rule>
-
- <!-- Ignored Dragon ids -->
- <rule id="20103" level="0">
- <if_sid>20100, 20101</if_sid>
- <decoded_as>dragon-nids</decoded_as>
- <!-- EOL -> end of line
- - SOF -> start of file
- - HEARTBEAT -> Heartbeat
- - DYNAMIC-TCP -> ?
- - DYNAMIC-UDP -> ?
- -->
- <id>^EOL$|^SOF$|^HEARTBEAT$|^DYNAMIC-TCP$|^DYNAMIC-UDP$</id>
- <description>Ignored snort ids.</description>
- </rule>
-
- <rule id="20152" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
- <if_matched_sid>20101</if_matched_sid>
- <same_id />
- <check_if_ignored>id</check_if_ignored>
- <description>Multiple IDS alerts for same id.</description>
- </rule>
-
- <rule id="20151" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
- <if_matched_sid>20101</if_matched_sid>
- <same_source_ip />
- <check_if_ignored>srcip, id</check_if_ignored>
- <description>Multiple IDS events from same source ip.</description>
- </rule>
-
-
- <!-- This rule is to detect bad configured IDSs alerting on
- - the same thing all the time. We will skip those events
- - since they became just noise.
- -->
- <rule id="20161" level="11" frequency="3" timeframe="3800">
- <if_matched_sid>20151</if_matched_sid>
- <same_source_ip />
- <same_id />
- <ignore>srcip, id</ignore>
- <description>Multiple IDS events from same source ip </description>
- <description>(ignoring now this srcip and id).</description>
- </rule>
-
- <rule id="20162" level="11" frequency="3" timeframe="3800">
- <if_matched_sid>20152</if_matched_sid>
- <same_id />
- <ignore>id</ignore>
- <description>Multiple IDS alerts for same id </description>
- <description>(ignoring now this id).</description>
- </rule>
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/imapd_rules.xml, 2011/09/08 dcid Exp $
-
- - Official imapd rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<var name="IMAPD_FREQ">6</var>
-
-<group name="syslog,imapd,">
- <rule id="3600" level="0" noalert="1">
- <decoded_as>imapd</decoded_as>
- <description>Grouping of the imapd rules.</description>
- </rule>
-
- <rule id="3601" level="5">
- <if_sid>3600</if_sid>
- <match>Login failed user=|AUTHENTICATE LOGIN failure</match>
- <description>Imapd user login failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="3602" level="3">
- <if_sid>3600</if_sid>
- <match>Authenticated user=</match>
- <description>Imapd user login.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="3603" level="0">
- <if_sid>3600</if_sid>
- <match>Logout user=</match>
- <description>Imapd user logout.</description>
- </rule>
-
- <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
- <if_matched_sid>3601</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins from same source ip.</description>
- <group>authentication_failures,</group>
- </rule>
-
-</group> <!-- SYSLOG,IMAPD -->
+++ /dev/null
-<!--
- -
- - Rules for Kaspersky Endpoint Security 10 for Linux
- - IDs=53801-53825
- -
- - Set UseSysLog to yes in kesl appSettings.xml for eventlogging in syslog
- -
- -->
-
-<group name="kesl,">
- <rule id="53801" level="0" noalert="1">
- <decoded_as>kesl</decoded_as>
- <description>kesl messages grouped</description>
- </rule>
-
- <rule id="53802" level="8">
- <if_sid>53801</if_sid>
- <match>UpdateError</match>
- <description>An error occurred during an Update Task.</description>
- </rule>
-
- <rule id="53803" level="8">
- <if_sid>53801</if_sid>
- <status>AVBasesAreOutOfDate</status>
- <description>AVBasesAreOutOfDate (kesl Task: update)</description>
- </rule>
-
- <rule id="53804" level="8">
- <if_sid>53801</if_sid>
- <status>AVBasesAreTotallyOutOfDate</status>
- <description>AVBasesAreTotallyOutOfDate (kesl Task: update)</description>
- </rule>
-
- <rule id="53805" level="8">
- <if_sid>53801</if_sid>
- <action>TaskStateChanged</action>
- <status>Started|Stopped</status>
- <extra_data>^Rollback</extra_data>
- <description>An Update Rollback Task has been started / stopped</description>
- </rule>
-
- <rule id="53806" level="8">
- <if_sid>53801</if_sid>
- <match>AVBasesRollbackError</match>
- <description>An error occurred during AVBases Update Rollback Task</description>
- </rule>
-
- <rule id="53807" level="8">
- <if_sid>53801</if_sid>
- <action>TaskStateChanged</action>
- <status>Started|Stopped</status>
- <extra_data>^Retranslate</extra_data>
- <description>An update distribution (Retranslate) Task has been started / stopped</description>
- </rule>
-
- <rule id="53808" level="8">
- <if_sid>53801</if_sid>
- <match>RetranslationError</match>
- <description>An error occurred during an update distribution (Retranslate) Task</description>
- </rule>
-
- <rule id="53809" level="3">
- <if_sid>53801</if_sid>
- <action>TaskStateChanged</action>
- <status>Started</status>
- <description>A kesl Task has been started.</description>
- </rule>
-
- <rule id="53810" level="8">
- <if_sid>53801</if_sid>
- <action>TaskStateChanged</action>
- <status>Suspended</status>
- <description>A kesl Task has been suspended.</description>
- </rule>
-
- <rule id="53811" level="8">
- <if_sid>53801</if_sid>
- <action>TaskStateChanged</action>
- <status>Stopped</status>
- <extra_data>^Backup|^License|^OAS</extra_data>
- <description>A kesl Task has been stopped.</description>
- </rule>
-
- <rule id="53812" level="2">
- <if_sid>53801</if_sid>
- <action>TaskStateChanged</action>
- <status>Stopped</status>
- <extra_data>^ODS|^BootScan|^MemoryScan|^Update</extra_data>
- <description>A kesl Task has been stopped.</description>
- </rule>
-
- <rule id="53813" level="8">
- <if_sid>53801</if_sid>
- <status>ThreatDetected</status>
- <description>Kesl detected a Threat (kesl Task: File_Monitoring)</description>
- </rule>
-
- <rule id="53814" level="3">
- <if_sid>53801</if_sid>
- <match>ObjectSavedToBackup</match>
- <description>Threat Object was saved to Backup (kesl Task: File_Monitoring)</description>
- </rule>
-
- <rule id="53815" level="3">
- <if_sid>53801</if_sid>
- <match>ObjectNotDisinfected</match>
- <description>Threat Object could not be disinfected (kesl Task: File_Monitoring)</description>
- </rule>
-
- <rule id="53816" level="3">
- <if_sid>53801</if_sid>
- <match>ObjectDeleted</match>
- <description>Threat Object was deleted (kesl Task: File_Monitoring)</description>
- </rule>
-
- <rule id="53817" level="8">
- <if_sid>53801</if_sid>
- <match>ObjectProcessingError</match>
- <description>An error occurred during kesl scan</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- Rules for detecting sensitive users in last logged in users list -->
-<!-- Set level 3 or higher at rule 535 in ossec_rules.xml and comment out <options>no_log</options> to get this working -->
-
-
-<group name="access-control,">
-
- <rule id="25000" level="7">
- <if_sid>535</if_sid>
- <match>root|reboot|admin|superuser|administrator|supervisor|toor</match>
- <description>sensitive login detected</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- OSSEC USB-detection Rule for Linux - https://www.thomas-krenn.com/de/wiki/Ubuntu_Syslog -->
-
-<group name="linux, usb,">
-
- <rule id="53600" level="0">
- <program_name>kernel</program_name>
- <match>usb</match>
- <description>Linux USB detection messages grouped</description>
- </rule>
-
-
- <rule id="53601" level="8">
- <if_sid>53600</if_sid>
- <match>New USB device found</match>
- <description>A new USB device was found by the system</description>
- <group>linux,</group>
- </rule>
-
-
- <rule id="53602" level="8">
- <if_sid>53600</if_sid>
- <match>new low-speed USB device</match>
- <description>New Low-Speed USB Device was connected.</description>
- <group>linux,</group>
- </rule>
-
-
- <rule id="53603" level="8">
- <if_sid>53600</if_sid>
- <match>new high-speed USB device</match>
- <description>New High-Speed USB Device was connected</description>
- <group>linux,</group>
- </rule>
-
-
- <rule id="53604" level="3">
- <if_sid>53600</if_sid>
- <match>USB disconnect</match>
- <description>USB device was disconnected</description>
- <group>linux,</group>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $
-
- - Example of local rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Modify it at your will. -->
-
-<group name="local,syslog,">
-
- <!-- Note that rule id 5711 is defined at the ssh_rules file
- - as a ssh failed login. This is just an example
- - since ip 192.0.2.1 shouldn't be used anywhere.
- - Level 0 means ignore.
- -->
- <rule id="100001" level="0">
- <if_sid>5711</if_sid>
- <srcip>192.0.2.1</srcip>
- <description>Example of rule that will ignore sshd </description>
- <description>failed logins from IP 1.1.1.1.</description>
- </rule>
-
-
- <!-- This example will ignore ssh failed logins for the user name XYZABC.
- -->
- <!--
- <rule id="100020" level="0">
- <if_sid>5711</if_sid>
- <user>XYZABC</user>
- <description>Example of rule that will ignore sshd </description>
- <description>failed logins for user XYZABC.</description>
- </rule>
- -->
-
-
- <!-- Specify here a list of rules to ignore. -->
- <!--
- <rule id="100030" level="0">
- <if_sid>12345, 23456, xyz, abc</if_sid>
- <description>List of rules to be ignored.</description>
- </rule>
- -->
-
-</group> <!-- SYSLOG,LOCAL -->
-
-
-<!-- EOF -->
+++ /dev/null
-#unknown system
-Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty
-Jan 26 21:01:23 test100 PAM-securetty[284]: Couldn't open /etc/securetty
-#Red hat
-Nov 7 21:01:17 enigma PAM-securetty[975]: Couldn't open /etc/securetty
-Apr 19 17:06:03 ecos2 PAM-securetty[1203]: Couldn't open /etc/securetty
+++ /dev/null
-su[2921936]: succeeded: ttyq4 changing from root to ldap
-su[2921936]: failed: ttyq4 changing from root to ldap
-su: failed: ttyq# changing from <user> to root
-su[234]: BAD SU ger to fwmaster on /dev/ttyp0
-Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0
-Sep 12 18:40:02 bogus.com su: BAD su rachel on /dev/ttyp1
-
-Feb 14 17:20:27 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
-May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
-May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test
-
-Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)
-Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)
-#Slack:
-Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root
-Jul 5 12:13:15 lili su[2614]: Authentication failed for root
-Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root
-
+++ /dev/null
-May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006
-May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000
-Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001
-Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002
-Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002
-Aug 5 08:57:10 niban groupadd[30279]: new group: name=osaudit, gid=12002
-Aug 5 09:44:53 niban groupadd[32676]: new group: name=osaudit, gid=12002
-Aug 5 09:47:52 niban groupadd[642]: new group: name=osaudit, gid=12002
-Feb 4 14:21:45 niban adduser[26287]: new group: name=test123, gid=12003
-Apr 5 16:06:49 niban adduser[16143]: new group: name=port, gid=12003
-Apr 5 16:20:28 niban groupadd[16193]: new group: name=port1, gid=12004
-Apr 5 16:20:29 niban groupadd[16194]: new group: name=port2, gid=12005
-
-May 28 10:48:29 niban useradd[32421]: new user: name=logr, uid=12000, gid=12000, home=/home/logr, shell=/bin/bash
-Jun 16 09:53:44 niban useradd[5721]: new user: name=test2, uid=12001, gid=12001, home=/home/test2, shell=/bin/bash
-Aug 5 09:33:06 niban useradd[32213]: new user: name=osaudit, uid=12002, gid=12002, home=/var/osaudit, shell=/sbin/nologin
-Aug 5 09:47:52 niban useradd[643]: new user: name=osaudit, uid=12002, gid=12002, home=/var/osaudit, shell=/sbin/nologin
-Feb 4 14:21:45 niban adduser[26287]: new user: name=test123, uid=12003, gid=12003, home=/home/test123, shell=/bin/bash
-Apr 5 16:06:49 niban adduser[16143]: new user: name=port, uid=12003, gid=12003, home=/home/port, shell=/bin/bash
-Apr 5 16:17:35 niban adduser[16164]: new user: name=port2, uid=12004, gid=0, home=/home/port2, shell=/bin/bash
-Apr 5 16:18:25 niban adduser[16166]: new user: name=port3, uid=12005, gid=1336, home=/home/port3, shell=/bin/bash
-Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash
-
-May 28 10:48:07 niban userdel[32416]: delete user `logr'
-Aug 5 09:43:27 niban userdel[32657]: delete user `osaudit'
-Feb 4 14:27:13 niban userdel[26300]: delete user `test123'
-
-May 28 10:48:13 niban groupdel[32417]: remove group `logr'
-Aug 4 15:13:08 niban groupdel[26461]: remove group `osaudit'
-Aug 4 15:15:31 niban groupdel[26821]: remove group `osaudit'
-Aug 5 09:43:27 niban userdel[32657]: remove group `osaudit'
-Aug 5 09:47:08 niban groupdel[631]: remove group `osaudit'
-Feb 4 14:27:13 niban userdel[26300]: remove group `test123'
-
+++ /dev/null
-#Red Hat box
-Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls
-#OpenBSD
-Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
-May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls
-
+++ /dev/null
-#Red Hat
-Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
-Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1
-Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin
-#OpenBSD
-May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
-#Slackware
-May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
+++ /dev/null
-# From incidents mailing list
-Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
-
-Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
-^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z
-<F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x
-%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
-20\220\220\220\220\220\220
-Jul 9 01:21:11 blue
-<C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>
-\200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
-
-May 16 19:38:33 server rpc.statd[353]: gethostbyname error for ^Y...^Y...^[??[
+++ /dev/null
-May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com
-[192.168.3.236], 1.1.1.F.1.1.C.A.?..k^1.1.^^AF^Df..^A.'.1.^^A.=.1.1.^^HC^B1...1
-.^^H.^L...u.1.F^I^^H.=..^N.0..F^D1.F^Gv^HF^L.N^HV^L.^K.1.1.^A.....0bin0sh1..11
+++ /dev/null
-# From log analysis web site
-May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
-May 16 22:46:21 victim-host last message repeated 7 times
-May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
-May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
-May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
-May 16 22:46:59 victim-host last message repeated 1 time
-May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
-May 16 22:47:07 victim-host last message repeated 3 times
-May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
-May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
+++ /dev/null
-a.out[347] attempt to execute code on stack by uid 555
-Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
-Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
-Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
-Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
-Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0
-Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
+++ /dev/null
-Apr 17 22:20:21 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
-Apr 17 22:20:21 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
-Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
-Jan 6 13:39:19 drew named[128838]: dropping source port zero packet from [216.161.67.226].0
-Jan 6 13:39:23 drew named[128838]: dropping source port zero packet from [63.224.229.252].0
-Jan 6 13:39:25 drew named[128838]: dropping source port zero packet from [63.227.214.187].0
-named[3430]: dropping source port zero packet from [209.191.188.93].0
-named[3534]: dropping source port zero packet from [63.226.179.7].0
-named[20627]: dropping source port zero packet from [206.252.159.146].0
+++ /dev/null
-Apr 20 09:14:45 hostname named[98]: denied AXFR from [1.2.3.4].1329 for
-"xxxxx.com" (not master/slave)
-Mar 1 13:52:03 arcane named[15025]: denied AXFR from [205.166.226.38].1421 for "atfantasy.com" (acl)
+++ /dev/null
-Jan 6 13:40:28 drew named[128838]: denied update from [24.64.63.195].41151 for in-addr.arpa
-Jan 6 13:40:47 drew named[128838]: denied update from [24.64.63.195].41858 for in-addr.arpa
-unapproved update from [132.174.25.169].1848 for 174.132.in-addr.arpa
-Dec 31 00:01:31 valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
+++ /dev/null
-named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/AAAA/IN': 200.206.159.96#53
-
-named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/A/IN': 200.206.159.96#53
+++ /dev/null
-#Unknown
-May 26 12:53:57 atlas kernel: svc: unknown program 100227 (me 100003)
-Feb 28 07:46:15 bs11 kernel: svc: unknown program 100227 (me 100003)
-Jun 28 09:58:14 poseidon kernel: svc: unknown program 100227 (me 100003)
+++ /dev/null
-Mar 30 12:01:25 compute-0-0.local automount[6447]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske
-Mar 30 12:01:25 compute-0-0.local automount[6449]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske
-Aug 4 12:35:30 localhost automount[7203]: mount(nfs): nfs: mount failure 192.168.1.100:/compile/nfs/107 on /test/107
-Jul 2 22:37:52 gkar automount[2344]: mount(nfs): nfs: mount failure sunray:/exp
-Aug 4 12:31:56 localhost automount[5252]: mount(nfs): nfs: mount
-failure 192.168.1.100:/compile/nfs/16
+++ /dev/null
-rpc.mountd: refused mount request from 10.0.0.12 for /home2/files (/): no export entry
-Jan 12 08:20:00 gateway rpc.mountd: refused mount request from test.bscnet.com for /mnt (/): no export entry
-Jul 5 12:00:53 lili rpc.mountd: refused mount request from enigma for /bin (/): no export entry
-Jul 5 12:01:03 lili rpc.mountd: refused mount request from enigma for /etc (/): no export entry
+++ /dev/null
-Nov 9 05:00:07 ensim
-proftpd[21141]: ensim.domain.com
-(p50832E46.dip.t-dialin.net[80.131
-.46.70]) - FTP session opened.
-Nov 9 05:00:09 ensim
-proftpd[21141]: ensim.domain.com
-(p50832E46.dip.t-dialin.net[80.131
-.46.70]) - no such user
-'anonymous'
-Nov 9 05:00:14 ensim
-proftpd[21141]: ensim.domain.com
-(p50832E46.dip.t-dialin.net[80.131
-.46.70]) - FTP session closed.
-Nov 9 06:12:41 ensim
-proftpd[24994]: ensim.domain.com
-(ool-18bba13b.dyn.optonline.net[24
-.187.161.59]) - FTP session
-opened.
-Nov 9 06:12:41 ensim
-proftpd[24994]: ensim.domain.com
-(ool-18bba13b.dyn.optonline.net[24
-.187.161.59]) - no such user
-'vgodz'
-Nov 9 06:12:41 ensim
-proftpd[24994]: ensim.domain.com
-(ool-18bba13b.dyn.optonline.net[24
-.187.161.59]) - FTP session
-closed.
+++ /dev/null
-pptpd[7282]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
-pptpd[7293]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
-pptpd[7510]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
-pptpd[8916]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
+++ /dev/null
-Jan 25 21:05:40 horus xinetd[4479]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds.
-Feb 20 14:54:32 localhost xinetd[717]: Deactivating service nsca due to excessive incoming connections. Restarting in 30 seconds.
+++ /dev/null
-# freebsd invalid physical login
-login: 1 LOGIN FAILURE ON ttyv0
-login: 1 LOGIN FAILURE ON ttyv0, root
-
-# saslauthd
-saslauthd[113]: do_auth : auth failure: [user=SERVERWEB\Administrador] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
-
-# Strange sshd logs
-sshd[7386]: error: Bad prime description in line 73
-sshd[8143]: error: Bad prime description in line 73
+++ /dev/null
-Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
-Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
-Jan 22 10:37:41 frontend-0 ypserv[832]: refused connect from
-127.0.0.1:868
-Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from
-XX.XX.XX.67
-Feb 21 15:14:36 my_ftp_host in.ftpd[32375]: refused connect from
-XX.XX.XX.67
-Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)
-
-Jan 14 18:29:26 elrond sshd[26895]: refused connect from pD952714D.dip.t-dialin.net (217.82.113.77)
-
-Jan 18 21:46:26 elrond sshd[9370]: refused connect from root@cops2.inf.ethz.ch (129.132.134.179)
-
-Jan 19 19:34:06 elrond sshd[12580]: refused connect from r88m211.cybercable.tm.fr (195.132.88.211)
-
-Jan 23 13:13:49 elrond sshd[25980]: refused connect from pD9527D56.dip.t-dialin.net (217.82.125.86)
-
-Jan 24 19:26:26 elrond sshd[30479]: refused connect from pD95279BD.dip.t-dialin.net (217.82.121.189)
-
-Jan 27 07:33:48 elrond sshd[7899]: refused connect from root@194.213.255.84 (194.213.255.84)
-
-Jan 31 20:48:07 elrond sshd[26946]: refused connect from wwwstud.hsk.no (158.36.81.145)
-
-Feb 1 01:30:49 elrond sshd[27872]: refused connect from co101359-a.olden1.ov.nl.home.com (213.51.84.16)
-
-Feb 4 07:06:59 elrond sshd[7766]: refused connect from moosrose.onlineunit.de (195.254.38.131)
-
-Feb 10 22:22:49 elrond sshd[2592]: refused connect from root@62.138.38.142 (62.138.38.142)
+++ /dev/null
-#Red Hat
-Feb 4 16:54:28 niban login[1074]: FAILED LOGIN 1 FROM (null) FOR dcid, Authentication failure
+++ /dev/null
-#FreeBSD
-Feb 15 14:32:20 freebsd-1 sshd[1374]: Illegal user dcid from 192.168.1.2
-Feb 15 16:11:56 freebsd-1 sshd[2690]: Illegal user dcid from 192.168.10.153
-Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
-Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
-Aug 1 15:44:11 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
-Aug 1 15:44:11 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
+++ /dev/null
-# Terminal failure
-Apr 27 17:27:19 niban login(pam_unix)[1059]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=root
-Apr 27 17:27:21 niban login[1059]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
-# ssh (pam) failure
-Apr 27 17:33:59 niban sshd(pam_unix)[9420]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=dcid
-Apr 27 17:34:04 niban sshd(pam_unix)[9420]: 1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=dcid
-# ssh failure root
-Apr 27 17:34:26 niban sshd(pam_unix)[9425]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=root
-
-# SSHD failed password
-Apr 27 17:34:04 niban sshd[9420]: Failed password for dcid from 10.4.12.26 port 40137 ssh2
-Apr 27 17:34:28 niban sshd[9425]: Failed password for root from 10.4.12.26 port 40138 ssh2
-
+++ /dev/null
-[Thu Dec 15 23:49:07 2005] [error] [client 85.107.239.37] client denied by server configuration: /home/myuser/wwwhome/.htm, referer: http://www.example.com/~user7/laodikeiaproject.htm?pswd=hhh
-[Mon Dec 19 18:04:14 2005] [error] [client 85.107.239.37] client denied by server configuration: /home/johndoe/wwwhome/index2.html, referer: http://www.server.com/~refuser/gatekeep.html
-[Mon Dec 19 18:46:05 2005] [error] [client 81.213.203.103] client denied by server configuration: /apache/web-data/htdocs/home/wwwrd/rcilo/announce/, referer: http://webmail.academia.edu/0/_top
-
-
-[Fri Dec 16 01:46:23 2005] [error] [client 80.230.208.105] Directory index forbidden by rule: /home/inst1/wwwhome/courses/es301/
-[Fri Dec 16 01:54:34 2005] [error] [client 131.193.170.106] Directory index forbidden by rule: /apache/web-data/hteng/home/ker/16imfiles/photos/1999cn/
-[Fri Dec 16 02:05:46 2005] [error] [client 195.229.242.53] Directory index forbidden by rule: /apache/web-data/htdocs/home/tuniv/assets/damascus3/
-[Fri Dec 16 11:02:09 2005] [error] [client 139.177.32.34] Directory index forbidden by rule: /apache/web-data/htdocs/home/maiam/research/groups, referer: http://www.akademi.edu.tr/research/groups/index.html
-
-
-[Fri Dec 16 02:25:55 2005] [error] [client 64.94.163.159] Client sent malformed Host header
-[Fri Dec 16 03:10:11 2005] [error] [client 64.94.163.159] Client sent malformed Host header
-[Fri Dec 16 04:04:36 2005] [error] [client 64.94.163.159] Client sent malformed Host header
-[Fri Dec 16 05:26:09 2005] [error] [client 64.94.163.137] Client sent malformed Host header
-
-
-[Mon Dec 19 19:29:17 2005] [warn] [client 85.98.37.115] [315546] auth_ldap authenticate: user administrator authentication failed; URI /exam/inter/Announce.htm [User not found][No such object], referer: http://www.akademi.edu.tr/
-[Mon Dec 19 20:35:25 2005] [warn] [client 213.139.197.178] [307420] auth_ldap authenticate: user user7 authentication failed; URI /exam/inter/Announce.htm [User not found][No such object], referer: http://www.akademi.edu.tr/
-[Mon Dec 19 22:06:34 2005] [warn] [client 85.101.143.252] [360448] auth_ldap authenticate: user user9 authentication failed; URI /files/pg/app_web/index.php [User not found][No such object], referer: http://www.example.com/index.php?sub=list
-
-
-[Mon Dec 19 23:01:11 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt
-[Mon Dec 19 23:01:13 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt
-[Mon Dec 19 23:01:14 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt
-
-
-[Mon Dec 19 23:02:01 2005] [error] [client 85.105.120.139] user oahmet: authentication failure for "/~oahmet/gunce/ss.txt": Password Mismatch
-[Mon Dec 19 23:02:05 2005] [error] [client 85.105.120.139] user oahmet: authentication failure for "/~oahmet/gunce/ss.txt": Password Mismatch
-
-
-Sun Aug 5 16:23:04 2001] [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
-[Sun Aug 5 16:26:02 2001] [error] [client 66.31.68.147] File does not exist: /var/www/html/default.ida
-[Sun Aug 5 16:32:01 2001] [error] [client 66.31.101.12] File does not exist: /var/www/html/default.ida
-
-[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
-[Tue Sep 12 10:39:38 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
-[Tue Sep 12 10:40:17 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
-[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed
+++ /dev/null
-Sep 1 10:24:59 10.10.10.1 %SYS-5-CONFIG_I: Configured from console by console
-Sep 1 10:25:18 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:49871 -> 10.10.10.10:80]
-Sep 1 10:25:18 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59591 -> 10.10.10.10:80]
-Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444]
-Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
-Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80]
-Sep 1 10:25:30 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59816 -> 10.10.10.10:4444]
-Sep 1 10:26:52 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1232 -> 192.168.100.1:443]
-Sep 1 10:29:24 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1233 -> 192.168.100.1:443]
-Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]
-Sep 1 10:29:37 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1235 -> 192.168.100.1:443]
-Sep 1 10:30:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1236 -> 192.168.100.1:443]
-Sep 1 10:31:44 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1237 -> 192.168.100.1:443]
-Sep 1 10:31:55 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1238 -> 192.168.100.1:443]
-Sep 1 10:33:30 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1239 -> 192.168.100.1:443]
-Sep 1 10:34:27 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1240 -> 192.168.100.1:443]
-Sep 1 10:36:09 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1241 -> 192.168.100.1:443]
-Sep 1 10:36:12 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1242 -> 192.168.100.1:443]
-Sep 1 10:36:14 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1243 -> 192.168.100.1:443]
-Sep 1 10:37:28 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1244 -> 192.168.100.1:443]
-Sep 1 10:38:08 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1245 -> 192.168.100.1:443]
-Sep 1 10:38:36 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:0 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:59633 -> 10.10.10.10:80]
-%IPS-4-SIGNATURE: Sig:5769 Subsig:0 Sev:4 Malformed HTTP Request [192.168.100.11:59633 -> 10.10.10.10:80]
-%IPS-4-SIGNATURE: Sig:5123 Subsig:0 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:59633 -> 10.10.10.10:80]
-%IPS-4-SIGNATURE: Sig:5769 Subsig:0 Sev:4 Malformed HTTP Request [192.168.100.11:59633 -> 10.10.10.10:80]
+++ /dev/null
-Jul 10 16:07:14 cisco2621 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
-%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.40.16(3059) -> 10.0.4.101(1060), 2 packets
-%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.16.16(2179) -> 10.0.4.101(1060), 1 packet
-%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.32.16(4206) -> 10.0.4.101(1060), 2 packets
-%SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
-Jul 10 16:07:14 1.2.3.4 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1469) -> 10.0.127.12(445), 1 packet
-%SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1496) -> 10.0.127.39(445), 1 packet
-%SEC-6-IPACCESSLOGP: list 100 denied udp 200.174.153.126(1028) -> 66.81.85.65(137), 1 packet
-Jul 10 16:07:14 myhost1 %SEC-6-IPACCESSLOGP: list 100 denied udp 195.23.72.148(1026) -> 66.81.85.65(137), 1 packet
+++ /dev/null
-May 28 19:38:24 valhalla ftpd[24474]: FTPD: IMPORT file local /mnt/1//ide9/s09099/public_html/tasarim_files/akis.bmp, remote
-Jun 1 22:50:26 valhalla ftpd[22898]: FTPD: IMPORT file local oledata.mso, remote
-May 28 15:14:02 valhalla ftpd[28616]: FTPD: EXPORT file local , remote Analiz.html
-May 28 21:40:31 valhalla ftpd[28432]: FTPD: EXPORT file local , remote arrows_up.gif
-May 28 15:50:36 valhalla ftpd[28370]: connection from dsl.static8596180144.ttnet.net.tr at Sun May 28 15:50:36 2006
-May 28 15:50:36 valhalla ftpd[28370]: FTP LOGIN FROM dsl.static8596180144.ttnet.net.tr, user12
-May 29 11:04:16 queen ftpd[417946]: connect from vlh102.tncc.mu.edu
-Jun 3 02:32:37 queen ftpd[418042]: refused connect from y-oper.labs.mu.edu
-Jun 3 13:37:10 queen ftpd[327802]: refused connect from 85.99.150.230
-Jun 3 11:38:08 queen ftpd[491744]: warning: can't verify hostname: gethostbyname(dsl85-102-24474.ttnet.net.tr) failed
-Jun 3 07:46:16 arguvan in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
-Jun 1 16:16:26 valhalla ftpd[39056]: repeated login failures from dsl.dynamic859622181.ttnet.net.tr
-Jun 2 16:44:05 valhalla ftpd[28662]: repeated login failures from 192.168.4.5
-May 28 15:52:51 valhalla ftpd[27654]: User oahmet timed out after 900 seconds at Sun May 28 15:52:51 2006
-May 30 00:06:23 valhalla ftpd[11452]: User redsp timed out after 900 seconds at Tue May 30 00:06:23 2006
+++ /dev/null
-2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31
-2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 400 0 0 1467 841 31
-2007-01-23 05:00:11 W3SVC22 xxx.ossec.net 1.2.3.4 GET / - 80 - 192.168.2.33 HTTP/1.1 Windows-Update-Agent - - myhost.name 500 0 0 1467 841 31
-2005-05-21 05:39:27 W3SVC1 hostname123 192.168.0.101 GET /VirtualServerError/VSWebApp.exe view=1 1024 WEBBROWSER\User 192.168.0.101 HTTP/1.0 Mozilla/4.0+(User-Agent) - - xx.nada.com 200 0 0
+++ /dev/null
-May 7 13:40:14 gaucha imapd[26772]: imap service init from 200.255.5.8
-May 7 13:40:14 gaucha imapd[26772]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:14 gaucha imapd[26772]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:20 gaucha imapd[26788]: imap service init from 200.255.5.8
-May 7 13:40:20 gaucha imapd[26788]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:21 gaucha imapd[26788]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:25 gaucha imapd[26792]: imap service init from 200.255.5.8
-May 7 13:40:25 gaucha imapd[26792]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:25 gaucha imapd[26792]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:33 gaucha imapd[26801]: imap service init from 200.255.5.8
-May 7 13:40:33 gaucha imapd[26801]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:33 gaucha imapd[26801]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:38 gaucha imapd[26803]: imap service init from 200.255.5.8
-May 7 13:40:38 gaucha imapd[26803]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:39 gaucha imapd[26803]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:45 gaucha imapd[26810]: imap service init from 200.255.5.8
-May 7 13:40:45 gaucha imapd[26810]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:45 gaucha imapd[26810]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:55 gaucha imapd[26820]: imap service init from 200.255.5.8
-May 7 13:40:55 gaucha imapd[26820]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:40:55 gaucha imapd[26820]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:24 gaucha imapd[26906]: imap service init from 200.255.5.8
-May 7 13:41:24 gaucha imapd[26906]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:25 gaucha imapd[26906]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:25 gaucha imapd[26908]: imap service init from 200.255.5.8
-May 7 13:41:25 gaucha imapd[26908]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:25 gaucha imapd[26908]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:39 gaucha imapd[26924]: imap service init from 200.255.5.8
-May 7 13:41:39 gaucha imapd[26924]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:40 gaucha imapd[26924]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:43 gaucha imapd[26932]: imap service init from 200.255.5.8
-May 7 13:41:43 gaucha imapd[26932]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:44 gaucha imapd[26932]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:59 gaucha imapd[26953]: imap service init from 200.255.5.8
-May 7 13:41:59 gaucha imapd[26953]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:41:59 gaucha imapd[26953]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:00 gaucha imapd[26959]: imap service init from 200.255.5.8
-May 7 13:42:00 gaucha imapd[26959]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:00 gaucha imapd[26959]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:19 gaucha imapd[27019]: imap service init from 200.255.5.8
-May 7 13:42:19 gaucha imapd[27019]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:21 gaucha imapd[27019]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:48 gaucha imapd[27094]: imap service init from 200.255.5.8
-May 7 13:42:48 gaucha imapd[27094]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:48 gaucha imapd[27094]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:48 gaucha imapd[27096]: imap service init from 200.255.5.8
-May 7 13:42:48 gaucha imapd[27096]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:42:48 gaucha imapd[27096]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:51:53 gaucha imapd[27832]: imap service init from 200.255.5.8
-May 7 13:51:56 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:51:59 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:02 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:02 gaucha imapd[27832]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:41 gaucha imapd[27991]: imap service init from 200.255.5.8
-May 7 13:52:44 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:47 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:50 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:50 gaucha imapd[27991]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:51 gaucha imapd[27999]: imap service init from 200.255.5.8
-May 7 13:52:54 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:52:57 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:53:00 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:53:00 gaucha imapd[27999]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:53:39 gaucha imapd[28041]: imap service init from 200.255.5.8
-May 7 13:53:42 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:53:45 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:53:48 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:53:48 gaucha imapd[28041]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:10 gaucha imapd[28129]: imap service init from 200.255.5.8
-May 7 13:54:13 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:16 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:19 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:19 gaucha imapd[28129]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:39 gaucha imapd[28170]: imap service init from 200.255.5.8
-May 7 13:54:42 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:45 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:48 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:54:48 gaucha imapd[28170]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:55:37 gaucha imapd[28236]: imap service init from 200.255.5.8
-May 7 13:55:40 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:55:43 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:55:46 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:55:46 gaucha imapd[28236]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:56:23 gaucha imapd[28311]: imap service init from 200.255.5.8
-May 7 13:56:27 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:56:30 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:56:33 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:56:33 gaucha imapd[28311]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:08 gaucha imapd[28414]: imap service init from 200.255.5.8
-May 7 13:57:08 gaucha imapd[28414]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:08 gaucha imapd[28414]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:08 gaucha imapd[28416]: imap service init from 200.255.5.8
-May 7 13:57:08 gaucha imapd[28416]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:10 gaucha imapd[28416]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:16 gaucha imapd[28424]: imap service init from 200.255.5.8
-May 7 13:57:17 gaucha imapd[28424]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:17 gaucha imapd[28424]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:17 gaucha imapd[28425]: imap service init from 200.255.5.8
-May 7 13:57:17 gaucha imapd[28425]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:17 gaucha imapd[28425]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:56 gaucha imapd[28469]: imap service init from 200.255.5.8
-May 7 13:57:56 gaucha imapd[28469]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:57:57 gaucha imapd[28469]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:11 gaucha imapd[28538]: imap service init from 200.255.5.8
-May 7 13:58:11 gaucha imapd[28538]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:11 gaucha imapd[28538]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:12 gaucha imapd[28539]: imap service init from 200.255.5.8
-May 7 13:58:12 gaucha imapd[28539]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:12 gaucha imapd[28539]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:12 gaucha imapd[28541]: imap service init from 200.255.5.8
-May 7 13:58:12 gaucha imapd[28541]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:12 gaucha imapd[28541]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:20 gaucha imapd[28553]: imap service init from 200.255.5.8
-May 7 13:58:20 gaucha imapd[28553]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:20 gaucha imapd[28553]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:24 gaucha imapd[28557]: imap service init from 200.255.5.8
-May 7 13:58:24 gaucha imapd[28557]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:24 gaucha imapd[28557]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:50 gaucha imapd[28646]: imap service init from 200.255.5.8
-May 7 13:58:50 gaucha imapd[28646]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:58:50 gaucha imapd[28646]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:12 gaucha imapd[28691]: imap service init from 200.255.5.8
-May 7 13:59:12 gaucha imapd[28691]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:13 gaucha imapd[28691]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:13 gaucha imapd[28692]: imap service init from 200.255.5.8
-May 7 13:59:13 gaucha imapd[28692]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:13 gaucha imapd[28692]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:39 gaucha imapd[28713]: imap service init from 200.255.5.8
-May 7 13:59:39 gaucha imapd[28713]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:39 gaucha imapd[28713]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:40 gaucha imapd[28714]: imap service init from 200.255.5.8
-May 7 13:59:40 gaucha imapd[28714]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:40 gaucha imapd[28714]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:43 gaucha imapd[28718]: imap service init from 200.255.5.8
-May 7 13:59:43 gaucha imapd[28718]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 13:59:43 gaucha imapd[28718]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:00:51 gaucha imapd[28821]: imap service init from 200.255.5.8
-May 7 14:00:53 gaucha imapd[28824]: imap service init from 200.255.5.8
-May 7 14:00:53 gaucha imapd[28824]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:00:53 gaucha imapd[28824]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:00:54 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:00:57 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:00 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:00 gaucha imapd[28821]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:04 gaucha imapd[28827]: imap service init from 200.255.5.8
-May 7 14:01:04 gaucha imapd[28827]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:04 gaucha imapd[28827]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:27 gaucha imapd[28910]: imap service init from 200.255.5.8
-May 7 14:01:27 gaucha imapd[28910]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:27 gaucha imapd[28910]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:31 gaucha imapd[28912]: imap service init from 200.255.5.8
-May 7 14:01:34 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:37 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:40 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:40 gaucha imapd[28912]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:50 gaucha imapd[28938]: imap service init from 200.255.5.8
-May 7 14:01:50 gaucha imapd[28938]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:01:50 gaucha imapd[28938]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:07 gaucha imapd[28959]: imap service init from 200.255.5.8
-May 7 14:02:10 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:11 gaucha imapd[28968]: imap service init from 200.255.5.8
-May 7 14:02:11 gaucha imapd[28968]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:11 gaucha imapd[28968]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:13 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:16 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:16 gaucha imapd[28959]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:16 gaucha imapd[28977]: imap service init from 200.255.5.8
-May 7 14:02:18 gaucha imapd[28978]: imap service init from 200.255.5.8
-May 7 14:02:18 gaucha imapd[28978]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:18 gaucha imapd[28978]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:19 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:22 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:25 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:25 gaucha imapd[28977]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:25 gaucha imapd[28988]: imap service init from 200.255.5.8
-May 7 14:02:28 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:31 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:34 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:34 gaucha imapd[28988]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:42 gaucha imapd[29001]: imap service init from 200.255.5.8
-May 7 14:02:42 gaucha imapd[29001]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:02:42 gaucha imapd[29001]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:03:44 gaucha imapd[29105]: imap service init from 200.255.5.8
-May 7 14:03:44 gaucha imapd[29105]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:03:44 gaucha imapd[29105]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:04:25 gaucha imapd[29565]: imap service init from 200.255.5.8
-May 7 14:04:25 gaucha imapd[29565]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:04:25 gaucha imapd[29565]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:05:14 gaucha imapd[29645]: imap service init from 200.255.5.8
-May 7 14:05:14 gaucha imapd[29645]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:05:14 gaucha imapd[29645]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:34 gaucha imapd[30752]: imap service init from 200.255.5.8
-May 7 14:18:34 gaucha imapd[30752]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:34 gaucha imapd[30752]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:34 gaucha imapd[30754]: imap service init from 200.255.5.8
-May 7 14:18:34 gaucha imapd[30754]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:43 gaucha imapd[30754]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:47 gaucha imapd[30766]: imap service init from 200.255.5.8
-May 7 14:18:47 gaucha imapd[30766]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:48 gaucha imapd[30766]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:55 gaucha imapd[30769]: imap service init from 200.255.5.8
-May 7 14:18:55 gaucha imapd[30769]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:55 gaucha imapd[30769]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:56 gaucha imapd[30772]: imap service init from 200.255.5.8
-May 7 14:18:56 gaucha imapd[30772]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:18:59 gaucha imapd[30772]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:19:03 gaucha imapd[30779]: imap service init from 200.255.5.8
-May 7 14:19:03 gaucha imapd[30779]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:19:04 gaucha imapd[30779]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:19:30 gaucha imapd[30793]: imap service init from 200.255.5.8
-May 7 14:19:30 gaucha imapd[30793]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:19:30 gaucha imapd[30793]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:19:46 gaucha imapd[30813]: imap service init from 200.255.5.8
-May 7 14:19:46 gaucha imapd[30813]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:19:46 gaucha imapd[30813]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:20:04 gaucha imapd[30831]: imap service init from 200.255.5.8
-May 7 14:20:04 gaucha imapd[30831]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:20:04 gaucha imapd[30831]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:21:52 gaucha imapd[31001]: imap service init from 200.255.5.8
-May 7 14:21:52 gaucha imapd[31001]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:21:52 gaucha imapd[31001]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:26:30 gaucha imapd[31461]: imap service init from 200.255.5.8
-May 7 14:26:33 gaucha imapd[31461]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:26:39 gaucha imapd[31461]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:26:45 gaucha imapd[31480]: imap service init from 200.255.5.8
-May 7 14:26:45 gaucha imapd[31480]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:26:45 gaucha imapd[31480]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:26:45 gaucha imapd[31481]: imap service init from 200.255.5.8
-May 7 14:26:45 gaucha imapd[31481]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:26:45 gaucha imapd[31481]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:08 gaucha imapd[31495]: imap service init from 200.255.5.8
-May 7 14:27:08 gaucha imapd[31495]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:08 gaucha imapd[31495]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:11 gaucha imapd[31497]: imap service init from 200.255.5.8
-May 7 14:27:11 gaucha imapd[31497]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:11 gaucha imapd[31497]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:13 gaucha imapd[31500]: imap service init from 200.255.5.8
-May 7 14:27:13 gaucha imapd[31500]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:13 gaucha imapd[31500]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:55 gaucha imapd[31531]: imap service init from 200.255.5.8
-May 7 14:27:55 gaucha imapd[31531]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:55 gaucha imapd[31531]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:59 gaucha imapd[31542]: imap service init from 200.255.5.8
-May 7 14:27:59 gaucha imapd[31542]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:27:59 gaucha imapd[31542]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:00 gaucha imapd[31543]: imap service init from 200.255.5.8
-May 7 14:28:00 gaucha imapd[31543]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:00 gaucha imapd[31543]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:16 gaucha imapd[31574]: imap service init from 200.255.5.8
-May 7 14:28:16 gaucha imapd[31574]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:16 gaucha imapd[31574]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:20 gaucha imapd[31582]: imap service init from 200.255.5.8
-May 7 14:28:20 gaucha imapd[31582]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:20 gaucha imapd[31582]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:23 gaucha imapd[31588]: imap service init from 200.255.5.8
-May 7 14:28:23 gaucha imapd[31588]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:24 gaucha imapd[31588]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:38 gaucha imapd[31599]: imap service init from 200.255.5.8
-May 7 14:28:38 gaucha imapd[31599]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:38 gaucha imapd[31599]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:41 gaucha imapd[31602]: imap service init from 200.255.5.8
-May 7 14:28:41 gaucha imapd[31602]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:41 gaucha imapd[31602]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:46 gaucha imapd[31605]: imap service init from 200.255.5.8
-May 7 14:28:46 gaucha imapd[31605]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:46 gaucha imapd[31605]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:50 gaucha imapd[31611]: imap service init from 200.255.5.8
-May 7 14:28:50 gaucha imapd[31611]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:28:50 gaucha imapd[31611]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:11 gaucha imapd[31848]: imap service init from 200.255.5.8
-May 7 14:31:11 gaucha imapd[31848]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:11 gaucha imapd[31848]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:11 gaucha imapd[31849]: imap service init from 200.255.5.8
-May 7 14:31:11 gaucha imapd[31849]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:11 gaucha imapd[31849]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:15 gaucha imapd[31858]: imap service init from 200.255.5.8
-May 7 14:31:15 gaucha imapd[31858]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:15 gaucha imapd[31858]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:24 gaucha imapd[31873]: imap service init from 200.255.5.8
-May 7 14:31:24 gaucha imapd[31873]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:24 gaucha imapd[31873]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:26 gaucha imapd[31875]: imap service init from 200.255.5.8
-May 7 14:31:26 gaucha imapd[31875]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:26 gaucha imapd[31875]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:30 gaucha imapd[31879]: imap service init from 200.255.5.8
-May 7 14:31:30 gaucha imapd[31879]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:30 gaucha imapd[31879]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:32 gaucha imapd[31881]: imap service init from 200.255.5.8
-May 7 14:31:32 gaucha imapd[31881]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:31:32 gaucha imapd[31881]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:00 gaucha imapd[32375]: imap service init from 200.255.5.8
-May 7 14:36:00 gaucha imapd[32375]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:00 gaucha imapd[32375]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:04 gaucha imapd[32381]: imap service init from 200.255.5.8
-May 7 14:36:04 gaucha imapd[32381]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:04 gaucha imapd[32381]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:06 gaucha imapd[32385]: imap service init from 200.255.5.8
-May 7 14:36:06 gaucha imapd[32385]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:06 gaucha imapd[32385]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:15 gaucha imapd[32442]: imap service init from 200.255.5.8
-May 7 14:36:15 gaucha imapd[32442]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:15 gaucha imapd[32442]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:21 gaucha imapd[32443]: imap service init from 200.255.5.8
-May 7 14:36:21 gaucha imapd[32443]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:36:21 gaucha imapd[32443]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:14 gaucha imapd[32479]: imap service init from 200.255.5.8
-May 7 14:37:14 gaucha imapd[32479]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:15 gaucha imapd[32479]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:15 gaucha imapd[32485]: imap service init from 200.255.5.8
-May 7 14:37:15 gaucha imapd[32485]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:15 gaucha imapd[32485]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:18 gaucha imapd[32488]: imap service init from 200.255.5.8
-May 7 14:37:18 gaucha imapd[32488]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:18 gaucha imapd[32488]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:19 gaucha imapd[32489]: imap service init from 200.255.5.8
-May 7 14:37:19 gaucha imapd[32489]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:19 gaucha imapd[32489]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:20 gaucha imapd[32493]: imap service init from 200.255.5.8
-May 7 14:37:20 gaucha imapd[32493]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:20 gaucha imapd[32493]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:20 gaucha imapd[32494]: imap service init from 200.255.5.8
-May 7 14:37:20 gaucha imapd[32494]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:20 gaucha imapd[32494]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:25 gaucha imapd[32502]: imap service init from 200.255.5.8
-May 7 14:37:25 gaucha imapd[32502]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:25 gaucha imapd[32502]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:25 gaucha imapd[32503]: imap service init from 200.255.5.8
-May 7 14:37:25 gaucha imapd[32503]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:25 gaucha imapd[32503]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:34 gaucha imapd[32508]: imap service init from 200.255.5.8
-May 7 14:37:34 gaucha imapd[32508]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:34 gaucha imapd[32508]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:34 gaucha imapd[32509]: imap service init from 200.255.5.8
-May 7 14:37:34 gaucha imapd[32509]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:34 gaucha imapd[32509]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:45 gaucha imapd[32520]: imap service init from 200.255.5.8
-May 7 14:37:45 gaucha imapd[32520]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:37:45 gaucha imapd[32520]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:22 gaucha imapd[32552]: imap service init from 200.255.5.8
-May 7 14:38:22 gaucha imapd[32552]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:22 gaucha imapd[32552]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:25 gaucha imapd[32555]: imap service init from 200.255.5.8
-May 7 14:38:28 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:31 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:34 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:34 gaucha imapd[32555]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:38 gaucha imapd[32574]: imap service init from 200.255.5.8
-May 7 14:38:38 gaucha imapd[32574]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:38 gaucha imapd[32574]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:47 gaucha imapd[32590]: imap service init from 200.255.5.8
-May 7 14:38:47 gaucha imapd[32590]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:47 gaucha imapd[32590]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:48 gaucha imapd[32591]: imap service init from 200.255.5.8
-May 7 14:38:48 gaucha imapd[32591]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:38:49 gaucha imapd[32591]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:39:20 gaucha imapd[32640]: imap service init from 200.255.5.8
-May 7 14:39:20 gaucha imapd[32640]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:39:21 gaucha imapd[32640]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:39:26 gaucha imapd[32648]: imap service init from 200.255.5.8
-May 7 14:39:26 gaucha imapd[32648]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:39:26 gaucha imapd[32648]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:06 gaucha imapd[32713]: imap service init from 200.255.5.8
-May 7 14:40:06 gaucha imapd[32713]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:06 gaucha imapd[32713]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:07 gaucha imapd[32716]: imap service init from 200.255.5.8
-May 7 14:40:07 gaucha imapd[32716]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:07 gaucha imapd[32716]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:11 gaucha imapd[32717]: imap service init from 200.255.5.8
-May 7 14:40:11 gaucha imapd[32717]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:12 gaucha imapd[32717]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:18 gaucha imapd[32729]: imap service init from 200.255.5.8
-May 7 14:40:18 gaucha imapd[32729]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:18 gaucha imapd[32729]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:24 gaucha imapd[32733]: imap service init from 200.255.5.8
-May 7 14:40:24 gaucha imapd[32733]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:24 gaucha imapd[32733]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:25 gaucha imapd[32734]: imap service init from 200.255.5.8
-May 7 14:40:25 gaucha imapd[32734]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:25 gaucha imapd[32734]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:41 gaucha imapd[32750]: imap service init from 200.255.5.8
-May 7 14:40:41 gaucha imapd[32750]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:41 gaucha imapd[32750]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:54 gaucha imapd[32766]: imap service init from 200.255.5.8
-May 7 14:40:54 gaucha imapd[32766]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:54 gaucha imapd[32766]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:58 gaucha imapd[304]: imap service init from 200.255.5.8
-May 7 14:40:58 gaucha imapd[304]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:59 gaucha imapd[304]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:59 gaucha imapd[309]: imap service init from 200.255.5.8
-May 7 14:40:59 gaucha imapd[309]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:40:59 gaucha imapd[309]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:03 gaucha imapd[311]: imap service init from 200.255.5.8
-May 7 14:41:03 gaucha imapd[311]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:03 gaucha imapd[311]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:14 gaucha imapd[341]: imap service init from 200.255.5.8
-May 7 14:41:14 gaucha imapd[341]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:14 gaucha imapd[341]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:22 gaucha imapd[352]: imap service init from 200.255.5.8
-May 7 14:41:22 gaucha imapd[352]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:22 gaucha imapd[352]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:32 gaucha imapd[367]: imap service init from 200.255.5.8
-May 7 14:41:32 gaucha imapd[367]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:41:32 gaucha imapd[367]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:37 gaucha imapd[1357]: imap service init from 200.255.5.8
-May 7 14:50:37 gaucha imapd[1357]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:37 gaucha imapd[1357]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:37 gaucha imapd[1359]: imap service init from 200.255.5.8
-May 7 14:50:37 gaucha imapd[1359]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:38 gaucha imapd[1359]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:49 gaucha imapd[1380]: imap service init from 200.255.5.8
-May 7 14:50:49 gaucha imapd[1380]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:49 gaucha imapd[1380]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:58 gaucha imapd[1390]: imap service init from 200.255.5.8
-May 7 14:50:58 gaucha imapd[1390]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:50:58 gaucha imapd[1390]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:51:05 gaucha imapd[1456]: imap service init from 200.255.5.8
-May 7 14:51:05 gaucha imapd[1456]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:51:05 gaucha imapd[1456]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:51:10 gaucha imapd[1466]: imap service init from 200.255.5.8
-May 7 14:51:10 gaucha imapd[1466]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:51:10 gaucha imapd[1466]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:51:19 gaucha imapd[1540]: imap service init from 200.255.5.8
-May 7 14:51:19 gaucha imapd[1540]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:51:19 gaucha imapd[1540]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:55:51 gaucha imapd[2016]: imap service init from 200.255.5.8
-May 7 14:55:51 gaucha imapd[2016]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:55:51 gaucha imapd[2016]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:55:52 gaucha imapd[2019]: imap service init from 200.255.5.8
-May 7 14:55:52 gaucha imapd[2019]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:55:52 gaucha imapd[2019]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:56:26 gaucha imapd[2103]: imap service init from 200.255.5.8
-May 7 14:56:26 gaucha imapd[2103]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:56:26 gaucha imapd[2103]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:56:28 gaucha imapd[2108]: imap service init from 200.255.5.8
-May 7 14:56:28 gaucha imapd[2108]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 14:56:28 gaucha imapd[2108]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:10 gaucha imapd[2571]: imap service init from 200.255.5.8
-May 7 15:01:10 gaucha imapd[2571]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:10 gaucha imapd[2571]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:11 gaucha imapd[2574]: imap service init from 200.255.5.8
-May 7 15:01:11 gaucha imapd[2574]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:12 gaucha imapd[2574]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:17 gaucha imapd[2579]: imap service init from 200.255.5.8
-May 7 15:01:17 gaucha imapd[2579]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:17 gaucha imapd[2579]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:20 gaucha imapd[2583]: imap service init from 200.255.5.8
-May 7 15:01:20 gaucha imapd[2583]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:20 gaucha imapd[2583]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:21 gaucha imapd[2586]: imap service init from 200.255.5.8
-May 7 15:01:21 gaucha imapd[2586]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:21 gaucha imapd[2586]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:23 gaucha imapd[2591]: imap service init from 200.255.5.8
-May 7 15:01:23 gaucha imapd[2591]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:32 gaucha imapd[2591]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:45 gaucha imapd[2622]: imap service init from 200.255.5.8
-May 7 15:01:45 gaucha imapd[2622]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:01:45 gaucha imapd[2622]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:27 gaucha imapd[2694]: imap service init from 200.255.5.8
-May 7 15:02:27 gaucha imapd[2694]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:27 gaucha imapd[2694]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:32 gaucha imapd[2704]: imap service init from 200.255.5.8
-May 7 15:02:32 gaucha imapd[2704]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:32 gaucha imapd[2704]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:39 gaucha imapd[2707]: imap service init from 200.255.5.8
-May 7 15:02:39 gaucha imapd[2707]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:39 gaucha imapd[2707]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:51 gaucha imapd[2716]: imap service init from 200.255.5.8
-May 7 15:02:51 gaucha imapd[2716]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:02:51 gaucha imapd[2716]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:00 gaucha imapd[2723]: imap service init from 200.255.5.8
-May 7 15:03:00 gaucha imapd[2723]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:00 gaucha imapd[2723]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:22 gaucha imapd[2760]: imap service init from 200.255.5.8
-May 7 15:03:22 gaucha imapd[2760]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:22 gaucha imapd[2760]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:27 gaucha imapd[2765]: imap service init from 200.255.5.8
-May 7 15:03:27 gaucha imapd[2765]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:28 gaucha imapd[2765]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:50 gaucha imapd[2787]: imap service init from 200.255.5.8
-May 7 15:03:50 gaucha imapd[2787]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:50 gaucha imapd[2787]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:57 gaucha imapd[2802]: imap service init from 200.255.5.8
-May 7 15:03:57 gaucha imapd[2802]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:03:57 gaucha imapd[2802]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:04:01 gaucha imapd[2806]: imap service init from 200.255.5.8
-May 7 15:04:01 gaucha imapd[2806]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:04:03 gaucha imapd[2806]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:04:26 gaucha imapd[2846]: imap service init from 200.255.5.8
-May 7 15:04:26 gaucha imapd[2846]: Authenticated user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:04:26 gaucha imapd[2846]: Logout user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:04:26 gaucha imapd[2847]: imap service init from 200.255.5.8
-May 7 15:04:26 gaucha imapd[2847]: Authenticated user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:04:26 gaucha imapd[2847]: Logout user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:38 gaucha imapd[2983]: imap service init from 200.255.5.8
-May 7 15:06:38 gaucha imapd[2983]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:38 gaucha imapd[2983]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:38 gaucha imapd[2984]: imap service init from 200.255.5.8
-May 7 15:06:38 gaucha imapd[2984]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:38 gaucha imapd[2984]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:43 gaucha imapd[2985]: imap service init from 200.255.5.8
-May 7 15:06:43 gaucha imapd[2985]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:43 gaucha imapd[2985]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:43 gaucha imapd[2986]: imap service init from 200.255.5.8
-May 7 15:06:43 gaucha imapd[2986]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:43 gaucha imapd[2986]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:43 gaucha imapd[2987]: imap service init from 200.255.5.8
-May 7 15:06:44 gaucha imapd[2987]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:06:44 gaucha imapd[2987]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:07:14 gaucha imapd[2999]: imap service init from 200.255.5.8
-May 7 15:07:14 gaucha imapd[2999]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:07:15 gaucha imapd[2999]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:07:22 gaucha imapd[3001]: imap service init from 200.255.5.8
-May 7 15:07:22 gaucha imapd[3001]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:07:22 gaucha imapd[3001]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:06 gaucha imapd[3166]: imap service init from 200.255.5.8
-May 7 15:09:06 gaucha imapd[3166]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:06 gaucha imapd[3166]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:07 gaucha imapd[3169]: imap service init from 200.255.5.8
-May 7 15:09:07 gaucha imapd[3169]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:07 gaucha imapd[3169]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:26 gaucha imapd[3187]: imap service init from 200.255.5.8
-May 7 15:09:26 gaucha imapd[3187]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:26 gaucha imapd[3187]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:29 gaucha imapd[3188]: imap service init from 200.255.5.8
-May 7 15:09:29 gaucha imapd[3188]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:29 gaucha imapd[3188]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:32 gaucha imapd[3191]: imap service init from 200.255.5.8
-May 7 15:09:32 gaucha imapd[3191]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:09:32 gaucha imapd[3191]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:22 gaucha imapd[3259]: imap service init from 200.255.5.8
-May 7 15:10:22 gaucha imapd[3259]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:22 gaucha imapd[3259]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:31 gaucha imapd[3263]: imap service init from 200.255.5.8
-May 7 15:10:31 gaucha imapd[3263]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:31 gaucha imapd[3263]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:39 gaucha imapd[3273]: imap service init from 200.255.5.8
-May 7 15:10:39 gaucha imapd[3273]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:39 gaucha imapd[3273]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:40 gaucha imapd[3275]: imap service init from 200.255.5.8
-May 7 15:10:40 gaucha imapd[3275]: Authenticated user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:40 gaucha imapd[3275]: Logout user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:41 gaucha imapd[3276]: imap service init from 200.255.5.8
-May 7 15:10:41 gaucha imapd[3276]: Authenticated user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:41 gaucha imapd[3276]: Logout user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:58 gaucha imapd[3283]: imap service init from 200.255.5.8
-May 7 15:10:58 gaucha imapd[3283]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:59 gaucha imapd[3283]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:59 gaucha imapd[3285]: imap service init from 200.255.5.8
-May 7 15:10:59 gaucha imapd[3285]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:10:59 gaucha imapd[3285]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:11:06 gaucha imapd[3290]: imap service init from 200.255.5.8
-May 7 15:11:06 gaucha imapd[3290]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:11:06 gaucha imapd[3290]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:13:03 gaucha imapd[3386]: imap service init from 200.255.5.8
-May 7 15:13:03 gaucha imapd[3386]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:13:03 gaucha imapd[3386]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
-May 7 15:14:04 gaucha imapd[3455]: imap service init from 200.255.5.8
-May 7 15:14:04 gaucha imapd[3455]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br
-May 9 07:22:56 gaucha imapd[13648]: Logout user=marciabernardes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:23:45 gaucha imapd[13784]: imap service init from 200.255.5.8
-May 9 07:23:45 gaucha imapd[13784]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:23:45 gaucha imapd[13784]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:23:45 gaucha imapd[13785]: imap service init from 200.255.5.8
-May 9 07:23:45 gaucha imapd[13785]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:23:47 gaucha imapd[13785]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:23:53 gaucha imapd[13795]: imap service init from 200.255.5.8
-May 9 07:23:53 gaucha imapd[13795]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:23:53 gaucha imapd[13795]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:01 gaucha imapd[13816]: imap service init from 200.255.5.8
-May 9 07:24:01 gaucha imapd[13816]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:01 gaucha imapd[13816]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:04 gaucha imapd[13824]: imap service init from 200.255.5.8
-May 9 07:24:04 gaucha imapd[13824]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:04 gaucha imapd[13824]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:06 gaucha imapd[13825]: imap service init from 200.255.5.8
-May 9 07:24:06 gaucha imapd[13825]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:06 gaucha imapd[13825]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:14 gaucha imapd[13897]: imap service init from 200.255.5.8
-May 9 07:24:14 gaucha imapd[13897]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:24:14 gaucha imapd[13897]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:25:46 gaucha imapd[14162]: imap service init from 200.255.5.8
-May 9 07:25:46 gaucha imapd[14162]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:25:46 gaucha imapd[14162]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:25:46 gaucha imapd[14164]: imap service init from 200.255.5.8
-May 9 07:25:46 gaucha imapd[14164]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:25:47 gaucha imapd[14164]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:03 gaucha imapd[14186]: imap service init from 200.255.5.8
-May 9 07:26:03 gaucha imapd[14186]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:03 gaucha imapd[14186]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:04 gaucha imapd[14190]: imap service init from 200.255.5.8
-May 9 07:26:04 gaucha imapd[14190]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:05 gaucha imapd[14190]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:07 gaucha imapd[14249]: imap service init from 200.255.5.8
-May 9 07:26:07 gaucha imapd[14249]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:07 gaucha imapd[14249]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:10 gaucha imapd[14307]: imap service init from 200.255.5.8
-May 9 07:26:10 gaucha imapd[14307]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:10 gaucha imapd[14307]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:13 gaucha imapd[14316]: imap service init from 200.255.5.8
-May 9 07:26:13 gaucha imapd[14316]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:13 gaucha imapd[14316]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:13 gaucha imapd[14318]: imap service init from 200.255.5.8
-May 9 07:26:13 gaucha imapd[14318]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:14 gaucha imapd[14318]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:16 gaucha imapd[14322]: imap service init from 200.255.5.8
-May 9 07:26:16 gaucha imapd[14322]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:16 gaucha imapd[14322]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:46 gaucha imapd[14421]: imap service init from 200.255.5.8
-May 9 07:26:46 gaucha imapd[14421]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:46 gaucha imapd[14421]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:48 gaucha imapd[14422]: imap service init from 200.255.5.8
-May 9 07:26:48 gaucha imapd[14422]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:48 gaucha imapd[14422]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:53 gaucha imapd[14432]: imap service init from 200.255.5.8
-May 9 07:26:53 gaucha imapd[14432]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:26:53 gaucha imapd[14432]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:27:01 gaucha imapd[14452]: imap service init from 200.255.5.8
-May 9 07:27:01 gaucha imapd[14452]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:27:01 gaucha imapd[14452]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:27:07 gaucha imapd[14463]: imap service init from 200.255.5.8
-May 9 07:27:07 gaucha imapd[14463]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:27:07 gaucha imapd[14463]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:27:20 gaucha imapd[14492]: imap service init from 200.255.5.8
-May 9 07:27:20 gaucha imapd[14492]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:27:21 gaucha imapd[14492]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:28:03 gaucha imapd[14618]: imap service init from 200.255.5.8
-May 9 07:28:03 gaucha imapd[14618]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:28:03 gaucha imapd[14618]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:28:18 gaucha imapd[14644]: imap service init from 200.255.5.8
-May 9 07:28:18 gaucha imapd[14644]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:28:18 gaucha imapd[14644]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:28:19 gaucha imapd[14649]: imap service init from 200.255.5.8
-May 9 07:28:19 gaucha imapd[14649]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:28:19 gaucha imapd[14649]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:02 gaucha imapd[15751]: imap service init from 200.255.5.8
-May 9 07:36:02 gaucha imapd[15751]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:02 gaucha imapd[15751]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:03 gaucha imapd[15752]: imap service init from 200.255.5.8
-May 9 07:36:03 gaucha imapd[15752]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:06 gaucha imapd[15752]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:09 gaucha imapd[15763]: imap service init from 200.255.5.8
-May 9 07:36:09 gaucha imapd[15763]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:09 gaucha imapd[15763]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:19 gaucha imapd[15782]: imap service init from 200.255.5.8
-May 9 07:36:19 gaucha imapd[15782]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:19 gaucha imapd[15782]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:33 gaucha imapd[15805]: imap service init from 200.255.5.8
-May 9 07:36:33 gaucha imapd[15805]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:33 gaucha imapd[15805]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:39 gaucha imapd[15811]: imap service init from 200.255.5.8
-May 9 07:36:39 gaucha imapd[15811]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:40 gaucha imapd[15811]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:42 gaucha imapd[15817]: imap service init from 200.255.5.8
-May 9 07:36:42 gaucha imapd[15817]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:36:42 gaucha imapd[15817]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:37:21 gaucha imapd[15954]: imap service init from 200.255.5.8
-May 9 07:37:21 gaucha imapd[15954]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:37:21 gaucha imapd[15954]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:00 gaucha imapd[16051]: imap service init from 200.255.5.8
-May 9 07:38:00 gaucha imapd[16051]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:01 gaucha imapd[16051]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:01 gaucha imapd[16053]: imap service init from 200.255.5.8
-May 9 07:38:01 gaucha imapd[16053]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:01 gaucha imapd[16053]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:14 gaucha imapd[16081]: imap service init from 200.255.5.8
-May 9 07:38:14 gaucha imapd[16081]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:14 gaucha imapd[16081]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:17 gaucha imapd[16139]: imap service init from 200.255.5.8
-May 9 07:38:17 gaucha imapd[16139]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:17 gaucha imapd[16139]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:19 gaucha imapd[16151]: imap service init from 200.255.5.8
-May 9 07:38:19 gaucha imapd[16151]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:19 gaucha imapd[16151]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:22 gaucha imapd[16207]: imap service init from 200.255.5.8
-May 9 07:38:22 gaucha imapd[16207]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:22 gaucha imapd[16207]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:31 gaucha imapd[16229]: imap service init from 200.255.5.8
-May 9 07:38:31 gaucha imapd[16229]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:31 gaucha imapd[16229]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:33 gaucha imapd[16237]: imap service init from 200.255.5.8
-May 9 07:38:33 gaucha imapd[16237]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:33 gaucha imapd[16237]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:36 gaucha imapd[16240]: imap service init from 200.255.5.8
-May 9 07:38:36 gaucha imapd[16240]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:36 gaucha imapd[16240]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:48 gaucha imapd[16260]: imap service init from 200.255.5.8
-May 9 07:38:48 gaucha imapd[16260]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:48 gaucha imapd[16260]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:54 gaucha imapd[16277]: imap service init from 200.255.5.8
-May 9 07:38:54 gaucha imapd[16277]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:54 gaucha imapd[16277]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:58 gaucha imapd[16286]: imap service init from 200.255.5.8
-May 9 07:38:58 gaucha imapd[16286]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:38:58 gaucha imapd[16286]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:05 gaucha imapd[16297]: imap service init from 200.255.5.8
-May 9 07:39:05 gaucha imapd[16297]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:05 gaucha imapd[16297]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:07 gaucha imapd[16301]: imap service init from 200.255.5.8
-May 9 07:39:07 gaucha imapd[16301]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:07 gaucha imapd[16301]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:08 gaucha imapd[16302]: imap service init from 200.255.5.8
-May 9 07:39:08 gaucha imapd[16302]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:09 gaucha imapd[16302]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:10 gaucha imapd[16304]: imap service init from 200.255.5.8
-May 9 07:39:10 gaucha imapd[16304]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:10 gaucha imapd[16304]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:16 gaucha imapd[16315]: imap service init from 200.255.5.8
-May 9 07:39:16 gaucha imapd[16315]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:16 gaucha imapd[16315]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:51 gaucha imapd[16397]: imap service init from 200.255.5.8
-May 9 07:39:51 gaucha imapd[16397]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:51 gaucha imapd[16397]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:54 gaucha imapd[16404]: imap service init from 200.255.5.8
-May 9 07:39:54 gaucha imapd[16404]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:39:54 gaucha imapd[16404]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:40:20 gaucha imapd[16514]: imap service init from 200.255.5.8
-May 9 07:40:20 gaucha imapd[16514]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:40:20 gaucha imapd[16514]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:40:22 gaucha imapd[16524]: imap service init from 200.255.5.8
-May 9 07:40:22 gaucha imapd[16524]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:40:22 gaucha imapd[16524]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:40:45 gaucha imapd[16638]: imap service init from 200.255.5.8
-May 9 07:40:45 gaucha imapd[16638]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:40:45 gaucha imapd[16638]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:11 gaucha imapd[16683]: imap service init from 200.255.5.8
-May 9 07:41:11 gaucha imapd[16683]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:11 gaucha imapd[16683]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:21 gaucha imapd[16703]: imap service init from 200.255.5.8
-May 9 07:41:21 gaucha imapd[16703]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:21 gaucha imapd[16703]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:24 gaucha imapd[16713]: imap service init from 200.255.5.8
-May 9 07:41:24 gaucha imapd[16713]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:28 gaucha imapd[16713]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:40 gaucha imapd[16789]: imap service init from 200.255.5.8
-May 9 07:41:40 gaucha imapd[16789]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:40 gaucha imapd[16789]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:57 gaucha imapd[16821]: imap service init from 200.255.5.8
-May 9 07:41:57 gaucha imapd[16821]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:41:58 gaucha imapd[16821]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:21 gaucha imapd[16892]: imap service init from 200.255.5.8
-May 9 07:42:21 gaucha imapd[16892]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:21 gaucha imapd[16892]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:22 gaucha imapd[16897]: imap service init from 200.255.5.8
-May 9 07:42:22 gaucha imapd[16897]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:22 gaucha imapd[16897]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:28 gaucha imapd[16900]: imap service init from 200.255.5.8
-May 9 07:42:28 gaucha imapd[16900]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:28 gaucha imapd[16900]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:51 gaucha imapd[16993]: imap service init from 200.255.5.8
-May 9 07:42:51 gaucha imapd[16993]: Authenticated user=bedan host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:51 gaucha imapd[16993]: Logout user=bedan host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:42:58 gaucha imapd[17002]: imap service init from 200.255.5.8
-May 9 07:42:58 gaucha imapd[17002]: Authenticated user=bedan host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:43:04 gaucha imapd[17002]: Logout user=bedan host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:43:56 gaucha imapd[17079]: imap service init from 200.255.5.8
-May 9 07:43:56 gaucha imapd[17079]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:43:57 gaucha imapd[17079]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:00 gaucha imapd[17086]: imap service init from 200.255.5.8
-May 9 07:44:00 gaucha imapd[17086]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:01 gaucha imapd[17086]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:08 gaucha imapd[17152]: imap service init from 200.255.5.8
-May 9 07:44:09 gaucha imapd[17152]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:09 gaucha imapd[17152]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:14 gaucha imapd[17161]: imap service init from 200.255.5.8
-May 9 07:44:14 gaucha imapd[17161]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:14 gaucha imapd[17161]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:41 gaucha imapd[17217]: imap service init from 200.255.5.8
-May 9 07:44:41 gaucha imapd[17217]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:44:41 gaucha imapd[17217]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:00 gaucha imapd[17263]: imap service init from 200.255.5.8
-May 9 07:45:00 gaucha imapd[17263]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:01 gaucha imapd[17263]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:21 gaucha imapd[17329]: imap service init from 200.255.5.8
-May 9 07:45:21 gaucha imapd[17329]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:22 gaucha imapd[17329]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:26 gaucha imapd[17405]: imap service init from 200.255.5.8
-May 9 07:45:29 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:32 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:35 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:35 gaucha imapd[17405]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:39 gaucha imapd[17480]: imap service init from 200.255.5.8
-May 9 07:45:42 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:45 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:48 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:48 gaucha imapd[17480]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:48 gaucha imapd[17488]: imap service init from 200.255.5.8
-May 9 07:45:48 gaucha imapd[17488]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:48 gaucha imapd[17488]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:49 gaucha imapd[17489]: imap service init from 200.255.5.8
-May 9 07:45:49 gaucha imapd[17489]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:49 gaucha imapd[17490]: imap service init from 200.255.5.8
-May 9 07:45:49 gaucha imapd[17490]: Authenticated user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:49 gaucha imapd[17490]: Logout user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:49 gaucha imapd[17489]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:49 gaucha imapd[17491]: imap service init from 200.255.5.8
-May 9 07:45:49 gaucha imapd[17491]: Authenticated user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:52 gaucha imapd[17494]: imap service init from 200.255.5.8
-May 9 07:45:52 gaucha imapd[17494]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:53 gaucha imapd[17494]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:45:59 gaucha imapd[17549]: imap service init from 200.255.5.8
-May 9 07:45:59 gaucha imapd[17549]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:46:00 gaucha imapd[17549]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:46:12 gaucha imapd[17575]: imap service init from 200.255.5.8
-May 9 07:46:12 gaucha imapd[17575]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:46:12 gaucha imapd[17575]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:46:14 gaucha imapd[17577]: imap service init from 200.255.5.8
-May 9 07:46:14 gaucha imapd[17577]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:46:15 gaucha imapd[17577]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:47:09 gaucha imapd[17491]: Command stream end of file, while reading line user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:48 gaucha imapd[17978]: imap service init from 200.255.5.8
-May 9 07:48:48 gaucha imapd[17978]: Authenticated user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:48 gaucha imapd[17978]: Logout user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:48 gaucha imapd[17979]: imap service init from 200.255.5.8
-May 9 07:48:48 gaucha imapd[17979]: Authenticated user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:48 gaucha imapd[17979]: Logout user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:54 gaucha imapd[17985]: imap service init from 200.255.5.8
-May 9 07:48:54 gaucha imapd[17985]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:54 gaucha imapd[17985]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:55 gaucha imapd[17986]: imap service init from 200.255.5.8
-May 9 07:48:55 gaucha imapd[17986]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:48:58 gaucha imapd[17986]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:13 gaucha imapd[18022]: imap service init from 200.255.5.8
-May 9 07:49:13 gaucha imapd[18022]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:13 gaucha imapd[18022]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:17 gaucha imapd[18076]: imap service init from 200.255.5.8
-May 9 07:49:17 gaucha imapd[18076]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:17 gaucha imapd[18076]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:23 gaucha imapd[18094]: imap service init from 200.255.5.8
-May 9 07:49:23 gaucha imapd[18094]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:23 gaucha imapd[18094]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:33 gaucha imapd[18164]: imap service init from 200.255.5.8
-May 9 07:49:33 gaucha imapd[18164]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:33 gaucha imapd[18164]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:39 gaucha imapd[18191]: imap service init from 200.255.5.8
-May 9 07:49:39 gaucha imapd[18191]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:40 gaucha imapd[18191]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:42 gaucha imapd[18199]: imap service init from 200.255.5.8
-May 9 07:49:42 gaucha imapd[18199]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:42 gaucha imapd[18199]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:47 gaucha imapd[18225]: imap service init from 200.255.5.8
-May 9 07:49:47 gaucha imapd[18225]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:49:47 gaucha imapd[18225]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:02 gaucha imapd[18304]: imap service init from 200.255.5.8
-May 9 07:50:02 gaucha imapd[18304]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:02 gaucha imapd[18304]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:05 gaucha imapd[18319]: imap service init from 200.255.5.8
-May 9 07:50:05 gaucha imapd[18319]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:05 gaucha imapd[18319]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:10 gaucha imapd[18350]: imap service init from 200.255.5.8
-May 9 07:50:10 gaucha imapd[18350]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:10 gaucha imapd[18350]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:13 gaucha imapd[18411]: imap service init from 200.255.5.8
-May 9 07:50:13 gaucha imapd[18411]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:13 gaucha imapd[18411]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:16 gaucha imapd[18420]: imap service init from 200.255.5.8
-May 9 07:50:16 gaucha imapd[18420]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:16 gaucha imapd[18420]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:33 gaucha imapd[18508]: imap service init from 200.255.5.8
-May 9 07:50:33 gaucha imapd[18508]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:33 gaucha imapd[18508]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:38 gaucha imapd[18527]: imap service init from 200.255.5.8
-May 9 07:50:38 gaucha imapd[18527]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:38 gaucha imapd[18527]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:57 gaucha imapd[18626]: imap service init from 200.255.5.8
-May 9 07:50:57 gaucha imapd[18626]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:50:57 gaucha imapd[18626]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:04 gaucha imapd[18650]: imap service init from 200.255.5.8
-May 9 07:51:04 gaucha imapd[18650]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:05 gaucha imapd[18650]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:07 gaucha imapd[18670]: imap service init from 200.255.5.8
-May 9 07:51:07 gaucha imapd[18670]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:07 gaucha imapd[18670]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:15 gaucha imapd[18708]: imap service init from 200.255.5.8
-May 9 07:51:15 gaucha imapd[18708]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:15 gaucha imapd[18708]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:57 gaucha imapd[18897]: imap service init from 200.255.5.8
-May 9 07:51:58 gaucha imapd[18897]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:51:58 gaucha imapd[18897]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:52:14 gaucha imapd[18968]: imap service init from 200.255.5.8
-May 9 07:52:14 gaucha imapd[18968]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:52:15 gaucha imapd[18968]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:52:17 gaucha imapd[18986]: imap service init from 200.255.5.8
-May 9 07:52:17 gaucha imapd[18986]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:52:17 gaucha imapd[18986]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:53:53 gaucha imapd[19553]: imap service init from 200.255.5.8
-May 9 07:53:53 gaucha imapd[19553]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:53:53 gaucha imapd[19553]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:53:54 gaucha imapd[19558]: imap service init from 200.255.5.8
-May 9 07:53:54 gaucha imapd[19558]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:53:54 gaucha imapd[19558]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:54:24 gaucha imapd[19699]: imap service init from 200.255.5.8
-May 9 07:54:24 gaucha imapd[19699]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:54:24 gaucha imapd[19699]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:54:29 gaucha imapd[19724]: imap service init from 200.255.5.8
-May 9 07:54:29 gaucha imapd[19724]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:54:29 gaucha imapd[19724]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:54:33 gaucha imapd[19747]: imap service init from 200.255.5.8
-May 9 07:54:33 gaucha imapd[19747]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:54:33 gaucha imapd[19747]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:55:07 gaucha imapd[20068]: imap service init from 200.255.5.8
-May 9 07:55:07 gaucha imapd[20068]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:55:07 gaucha imapd[20068]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:55:19 gaucha imapd[20104]: imap service init from 200.255.5.8
-May 9 07:55:19 gaucha imapd[20104]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:55:19 gaucha imapd[20104]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:55:19 gaucha imapd[20105]: imap service init from 200.255.5.8
-May 9 07:55:19 gaucha imapd[20105]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:55:27 gaucha imapd[20105]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:56:24 gaucha imapd[20542]: imap service init from 200.255.5.8
-May 9 07:56:24 gaucha imapd[20542]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:56:24 gaucha imapd[20542]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:06 gaucha imapd[20981]: imap service init from 200.255.5.8
-May 9 07:59:06 gaucha imapd[20981]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:06 gaucha imapd[20981]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:06 gaucha imapd[20982]: imap service init from 200.255.5.8
-May 9 07:59:06 gaucha imapd[20982]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:09 gaucha imapd[20982]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:43 gaucha imapd[21049]: imap service init from 200.255.5.8
-May 9 07:59:43 gaucha imapd[21049]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:43 gaucha imapd[21049]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:43 gaucha imapd[21050]: imap service init from 200.255.5.8
-May 9 07:59:43 gaucha imapd[21050]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 07:59:43 gaucha imapd[21050]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:21 gaucha imapd[21262]: imap service init from 200.255.5.8
-May 9 08:00:21 gaucha imapd[21262]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:21 gaucha imapd[21262]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:23 gaucha imapd[21271]: imap service init from 200.255.5.8
-May 9 08:00:23 gaucha imapd[21271]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:23 gaucha imapd[21271]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:37 gaucha imapd[21282]: imap service init from 200.255.5.8
-May 9 08:00:37 gaucha imapd[21282]: Authenticated user=bgr host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:37 gaucha imapd[21282]: Logout user=bgr host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:38 gaucha imapd[21283]: imap service init from 200.255.5.8
-May 9 08:00:38 gaucha imapd[21283]: Authenticated user=bgr host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:38 gaucha imapd[21283]: Logout user=bgr host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:58 gaucha imapd[21362]: imap service init from 200.255.5.8
-May 9 08:00:58 gaucha imapd[21362]: Authenticated user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:58 gaucha imapd[21362]: Logout user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:58 gaucha imapd[21363]: imap service init from 200.255.5.8
-May 9 08:00:58 gaucha imapd[21363]: Authenticated user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:00:58 gaucha imapd[21363]: Logout user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:28 gaucha imapd[21427]: imap service init from 200.255.5.8
-May 9 08:01:28 gaucha imapd[21427]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:28 gaucha imapd[21427]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:43 gaucha imapd[21459]: imap service init from 200.255.5.8
-May 9 08:01:43 gaucha imapd[21459]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:43 gaucha imapd[21459]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:44 gaucha imapd[21460]: imap service init from 200.255.5.8
-May 9 08:01:44 gaucha imapd[21460]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:44 gaucha imapd[21460]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:46 gaucha imapd[21462]: imap service init from 200.255.5.8
-May 9 08:01:46 gaucha imapd[21462]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:01:47 gaucha imapd[21462]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:02:03 gaucha imapd[21486]: imap service init from 200.255.5.8
-May 9 08:02:03 gaucha imapd[21486]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:02:04 gaucha imapd[21486]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:02:05 gaucha imapd[21491]: imap service init from 200.255.5.8
-May 9 08:02:05 gaucha imapd[21491]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:02:06 gaucha imapd[21491]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:01 gaucha imapd[21603]: imap service init from 200.255.5.8
-May 9 08:03:01 gaucha imapd[21603]: Authenticated user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:01 gaucha imapd[21603]: Logout user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:02 gaucha imapd[21610]: imap service init from 200.255.5.8
-May 9 08:03:02 gaucha imapd[21610]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:02 gaucha imapd[21610]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:02 gaucha imapd[21611]: imap service init from 200.255.5.8
-May 9 08:03:02 gaucha imapd[21611]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:04 gaucha imapd[21611]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:05 gaucha imapd[21615]: imap service init from 200.255.5.8
-May 9 08:03:06 gaucha imapd[21615]: Authenticated user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:06 gaucha imapd[21615]: Logout user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:10 gaucha imapd[21620]: imap service init from 200.255.5.8
-May 9 08:03:10 gaucha imapd[21620]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:10 gaucha imapd[21620]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:13 gaucha imapd[21632]: imap service init from 200.255.5.8
-May 9 08:03:13 gaucha imapd[21632]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:13 gaucha imapd[21632]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:28 gaucha imapd[21652]: imap service init from 200.255.5.8
-May 9 08:03:28 gaucha imapd[21652]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:28 gaucha imapd[21652]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:31 gaucha imapd[21658]: imap service init from 200.255.5.8
-May 9 08:03:31 gaucha imapd[21658]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:31 gaucha imapd[21658]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:44 gaucha imapd[21671]: imap service init from 200.255.5.8
-May 9 08:03:44 gaucha imapd[21671]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:44 gaucha imapd[21671]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:55 gaucha imapd[21693]: imap service init from 200.255.5.8
-May 9 08:03:55 gaucha imapd[21693]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:56 gaucha imapd[21693]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:59 gaucha imapd[21695]: imap service init from 200.255.5.8
-May 9 08:03:59 gaucha imapd[21695]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:03:59 gaucha imapd[21695]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:01 gaucha imapd[21699]: imap service init from 200.255.5.8
-May 9 08:04:01 gaucha imapd[21699]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:01 gaucha imapd[21699]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:19 gaucha imapd[21725]: imap service init from 200.255.5.8
-May 9 08:04:19 gaucha imapd[21725]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:19 gaucha imapd[21725]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:23 gaucha imapd[21735]: imap service init from 200.255.5.8
-May 9 08:04:23 gaucha imapd[21735]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:23 gaucha imapd[21735]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:26 gaucha imapd[21743]: imap service init from 200.255.5.8
-May 9 08:04:26 gaucha imapd[21743]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:26 gaucha imapd[21743]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:32 gaucha imapd[21749]: imap service init from 200.255.5.8
-May 9 08:04:32 gaucha imapd[21749]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:46 gaucha imapd[21749]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:55 gaucha imapd[21881]: imap service init from 200.255.5.8
-May 9 08:04:55 gaucha imapd[21881]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:56 gaucha imapd[21881]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:58 gaucha imapd[21940]: imap service init from 200.255.5.8
-May 9 08:04:58 gaucha imapd[21940]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:04:58 gaucha imapd[21940]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:01 gaucha imapd[21947]: imap service init from 200.255.5.8
-May 9 08:05:01 gaucha imapd[21947]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:01 gaucha imapd[21947]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:05 gaucha imapd[21964]: imap service init from 200.255.5.8
-May 9 08:05:05 gaucha imapd[21964]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:05 gaucha imapd[21964]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:18 gaucha imapd[22030]: imap service init from 200.255.5.8
-May 9 08:05:18 gaucha imapd[22030]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:18 gaucha imapd[22030]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:21 gaucha imapd[22038]: imap service init from 200.255.5.8
-May 9 08:05:21 gaucha imapd[22038]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:22 gaucha imapd[22038]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:24 gaucha imapd[22040]: imap service init from 200.255.5.8
-May 9 08:05:24 gaucha imapd[22040]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:24 gaucha imapd[22040]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:35 gaucha imapd[22057]: imap service init from 200.255.5.8
-May 9 08:05:35 gaucha imapd[22057]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:35 gaucha imapd[22057]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:37 gaucha imapd[22062]: imap service init from 200.255.5.8
-May 9 08:05:37 gaucha imapd[22062]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:37 gaucha imapd[22062]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:40 gaucha imapd[22067]: imap service init from 200.255.5.8
-May 9 08:05:40 gaucha imapd[22067]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:40 gaucha imapd[22067]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:55 gaucha imapd[22140]: imap service init from 200.255.5.8
-May 9 08:05:55 gaucha imapd[22140]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:05:56 gaucha imapd[22140]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:13 gaucha imapd[22167]: imap service init from 200.255.5.8
-May 9 08:06:13 gaucha imapd[22167]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:13 gaucha imapd[22167]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:18 gaucha imapd[22176]: imap service init from 200.255.5.8
-May 9 08:06:18 gaucha imapd[22176]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:18 gaucha imapd[22176]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:31 gaucha imapd[22209]: imap service init from 200.255.5.8
-May 9 08:06:31 gaucha imapd[22209]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:31 gaucha imapd[22209]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:31 gaucha imapd[22212]: imap service init from 200.255.5.8
-May 9 08:06:31 gaucha imapd[22212]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:06:43 gaucha imapd[22212]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:32 gaucha imapd[22350]: imap service init from 200.255.5.8
-May 9 08:07:32 gaucha imapd[22350]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:33 gaucha imapd[22350]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:36 gaucha imapd[22355]: imap service init from 200.255.5.8
-May 9 08:07:36 gaucha imapd[22355]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:36 gaucha imapd[22355]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:48 gaucha imapd[22382]: imap service init from 200.255.5.8
-May 9 08:07:48 gaucha imapd[22382]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:48 gaucha imapd[22382]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:48 gaucha imapd[22387]: imap service init from 200.255.5.8
-May 9 08:07:48 gaucha imapd[22387]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:48 gaucha imapd[22387]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:51 gaucha imapd[22395]: imap service init from 200.255.5.8
-May 9 08:07:51 gaucha imapd[22395]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:51 gaucha imapd[22395]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:55 gaucha imapd[22401]: imap service init from 200.255.5.8
-May 9 08:07:55 gaucha imapd[22401]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:55 gaucha imapd[22401]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:58 gaucha imapd[22409]: imap service init from 200.255.5.8
-May 9 08:07:58 gaucha imapd[22409]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:07:58 gaucha imapd[22409]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:08:00 gaucha imapd[22417]: imap service init from 200.255.5.8
-May 9 08:08:00 gaucha imapd[22417]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:08:00 gaucha imapd[22417]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:08:09 gaucha imapd[22427]: imap service init from 200.255.5.8
-May 9 08:08:10 gaucha imapd[22427]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:08:10 gaucha imapd[22427]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:08:55 gaucha imapd[22498]: imap service init from 200.255.5.8
-May 9 08:08:55 gaucha imapd[22498]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:08:55 gaucha imapd[22498]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:08:58 gaucha imapd[22502]: imap service init from 200.255.5.8
-May 9 08:08:58 gaucha imapd[22502]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:04 gaucha imapd[22502]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:12 gaucha imapd[22530]: imap service init from 200.255.5.8
-May 9 08:09:12 gaucha imapd[22530]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:13 gaucha imapd[22530]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:14 gaucha imapd[22539]: imap service init from 200.255.5.8
-May 9 08:09:14 gaucha imapd[22539]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:15 gaucha imapd[22539]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:19 gaucha imapd[22600]: imap service init from 200.255.5.8
-May 9 08:09:19 gaucha imapd[22600]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:19 gaucha imapd[22600]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:24 gaucha imapd[22604]: imap service init from 200.255.5.8
-May 9 08:09:24 gaucha imapd[22604]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:24 gaucha imapd[22604]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:25 gaucha imapd[22606]: imap service init from 200.255.5.8
-May 9 08:09:25 gaucha imapd[22606]: Authenticated user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:26 gaucha imapd[22606]: Logout user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:26 gaucha imapd[22608]: imap service init from 200.255.5.8
-May 9 08:09:26 gaucha imapd[22608]: Authenticated user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:27 gaucha imapd[22608]: Logout user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:51 gaucha imapd[22633]: imap service init from 200.255.5.8
-May 9 08:09:51 gaucha imapd[22633]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:52 gaucha imapd[22633]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:58 gaucha imapd[22650]: imap service init from 200.255.5.8
-May 9 08:09:58 gaucha imapd[22650]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:09:58 gaucha imapd[22650]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:17 gaucha imapd[22800]: imap service init from 200.255.5.8
-May 9 08:10:17 gaucha imapd[22800]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:17 gaucha imapd[22800]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:18 gaucha imapd[22801]: imap service init from 200.255.5.8
-May 9 08:10:18 gaucha imapd[22801]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:18 gaucha imapd[22801]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:19 gaucha imapd[22805]: imap service init from 200.255.5.8
-May 9 08:10:19 gaucha imapd[22805]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:20 gaucha imapd[22805]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:30 gaucha imapd[22825]: imap service init from 200.255.5.8
-May 9 08:10:30 gaucha imapd[22825]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:30 gaucha imapd[22825]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:38 gaucha imapd[22836]: imap service init from 200.255.5.8
-May 9 08:10:38 gaucha imapd[22836]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:10:38 gaucha imapd[22836]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
-May 9 08:11:00 gaucha imapd[22914]: imap service init from 200.255.5.8
-May 9 08:11:00 gaucha imapd[22914]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+++ /dev/null
-kernel: tcp_parse_options: Illegal window scaling value 200 >14 received.
+++ /dev/null
-OSSEC HIDS Notification.
-2006 May 25 17:07:58
-
-Received From: (gaucha) 200.255.5.5->/var/log/maillog
-Rule: 6254 fired (level 10) -> "Multiple attempts to send e-mail from invalid/unkonown sender domain.'"
-Portion of the log(s):
-
-sm-mta[20900]: k4PK8NYf020900: ruleset=check_mail, arg1=<brbomaquinas@brbom.com>, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 <brbomaquinas@brbom.com>... Domain of sender address brbomaquinas@brbom.com does not exist
-sm-mta[20881]: k4PK8FOQ020881: ruleset=check_mail, arg1=<brbomaquinas@brbom.com>, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 <brbomaquinas@brbom.com>... Domain of sender address brbomaquinas@brbom.com does not exist
-sm-mta[20867]: k4PK86E0020867: ruleset=check_mail, arg1=<brbomaquinas@brbom.com>, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 <brbomaquinas@brbom.com>... Domain of sender address brbomaquinas@brbom.com does not exist
-
-
-
-
-OSSEC HIDS Notification.
-2006 May 25 16:40:15
-
-Received From: (gaucha) 200.255.5.5->/var/log/maillog
-Rule: 6253 fired (level 10) -> "Multiple relaying attempts for spam.'"
-Portion of the log(s):
-
-sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=<andre.pereira@gerdau.com.br>, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 <andre.pereira@gerdau.com.br>... Relaying denied. IP name possibly forged [200.207.91.189]
-sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=<andre.nichele@gerdau.com.br>, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 <andre.nichele@gerdau.com.br>... Relaying denied. IP name possibly forged [200.207.91.189]
-sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=<andre.celiberto@gerdau.com.br>, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 <andre.celiberto@gerdau.com.br>... Relaying denied. IP name possibly forged [200.207.91.189]
-
-
-
- --END OF NOTIFICATION
-
-
-
-OSSEC HIDS Notification.
-2006 May 24 20:25:21
-
-Received From: (gaucha) 200.255.5.5->/var/log/maillog
-Rule: 6253 fired (level 10) -> "Multiple relaying attempts for spam.'"
-Portion of the log(s):
-
-sm-mta[22707]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
-sm-mta[22675]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
-sm-mta[22653]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
-sm-mta[22625]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
-
-
-
-
-OSSEC HIDS Notification.
-2006 May 25 03:13:08
-
-Received From: (gaucha) 200.255.5.5->/var/log/maillog
-Rule: 6253 fired (level 10) -> "Multiple relaying attempts for spam.'"
-Portion of the log(s):
-
-sm-mta[21399]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
-sm-mta[21392]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
-sm-mta[21377]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
-sm-mta[21373]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
-
-
-
- --END OF NOTIFICATION
-
-
+++ /dev/null
-pop3d: authentication error: Input/output error
-pop3d: authentication error: Input/output error
-postfix/postfix-script: fatal: the Postfix mail system is not running
-postfix/postfix-script: fatal: the Postfix mail system is not running
-
-OSSEC HIDS Notification.
-2006 May 25 03:50:36
-
-Received From: /var/log/maillog
-Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
-Portion of the log(s):
-
- postfix/smtp[8909]: 774C14AEF2: to=<rj-bounces@spacedelic.com.br>, relay=127.0.0.1[127.0.0.1], delay=423, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 Local Error (in reply to end of DATA command))
-
-
-
- --END OF NOTIFICATION
-
-
-OSSEC HIDS Notification.
-2006 May 25 03:32:34
-
-Received From: /var/log/maillog
-Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
-Portion of the log(s):
-
-scorpion postfix/smtp[9144]: connect to rmailb2.walla.co.il[192.118.82.145]: Connection refused (port 25)
-
-
-
- --END OF NOTIFICATION
-
+++ /dev/null
-> 1:Nov 30 18:01:53 xx.xx.xx.xx ns204: NetScreen device_id=ns204
-> [Root]system-critical-00027: 2nd push has been confirmed. (2005-11-30
-> 17:56:44)
->
-> 2:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204
-> [Root]system-critical-00027: Configuration Erase sequence accepted,
-> unit reset. (2005-11-30 17:56:50)
->
-> 3:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204
-> [Root]system-notification-00033: NSM keys were deleted. (2005-11-30
-> 17:56:50)
+++ /dev/null
-May 21 20:20:44 slacker proftpd[25526] slacker.lab.ossec.net: ProFTPD 1.2.10 (stable) (built Tue Aug 2 22:33:07 PDT 2005) standalone mode STARTUP
-May 21 20:21:18 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened.
-May 21 20:21:21 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): no such user 'a'
-May 21 20:21:21 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER a: no such user found from 192.168.2.10 [192.168.2.10] to 192.168.2.32:21
-May 21 20:22:14 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed.
-May 21 20:22:15 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened.
-May 21 20:22:28 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER dcid: Login successful.
-May 21 20:22:35 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed.
-May 21 20:22:42 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened.
-May 21 20:22:44 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER dcid (Login failed): Incorrect password.
-May 21 20:22:46 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed.
-
-May 30 14:41:52 valhalla proftpd[11727]: valhalla.ahmetozturk.name.tr (85.103.201.222[85.103.201.222]) - unable to find open port in PassivePorts range 65532-65533: defaulting to INPORT_ANY
-May 30 15:39:27 valhalla proftpd[13464]: valhalla.ahmetozturk.name.tr (212.156.175.130[212.156.175.130]) - unable to find open port in PassivePorts range 65532-65533: defaulting to INPORT_ANY
-
-
-May 29 18:49:42 valhalla proftpd[16661]: valhalla.ahmetozturk.name.tr (85.103.107.214[85.103.107.214]) - Refused PORT 192,168,1,33,4,83 (address mismatch)
-May 31 13:11:38 valhalla proftpd[10486]: valhalla.ahmetozturk.name.tr (85.102.240.252[85.102.240.252]) - Refused PORT 10,0,65,23,19,139 (address mismatch)
-
-
-Jun 1 11:51:24 valhalla proftpd[7301]: valhalla.ahmetozturk.name.tr (81.215.6.178[81.215.6.178]) - Maximum login attempts (3) exceeded
-Jun 1 11:51:24 valhalla proftpd[7301]: valhalla.ahmetozturk.name.tr (81.215.6.178[81.215.6.178]) - Maximum login attempts (3) exceeded
-
-
-
-May 29 11:27:28 hayaletgemi proftpd[4874]: warning: host name/name mismatch: www.ahmetozturk.name.tr != nil.alannim.com
-Jun 3 07:48:10 hayaletgemi proftpd[1026]: warning: host name/address mismatch: 216.117.134.168 != nameservices.net
-
-
-Jun 2 15:07:14 hayaletgemi proftpd[458988]: warning: can't verify hostname: gethostbyname(designstudio) failed
-Jun 3 15:35:28 hayaletgemi proftpd[696376]: warning: can't verify hostname: gethostbyname(dsl.dynamic859612386.ttnet.net.tr) failed
-
-
-
-May 30 17:06:40 queen proftpd[1769554]: connect from 212.146.159.45
-May 30 21:46:50 queen proftpd[2142266]: connect from 88.224.90.235
-
-
-May 30 21:04:35 valhalla proftpd[22104]: valhalla.ahmetozturk.name.tr (85.97.67.160[85.97.67.160]) - FTP no transfer timeout, disconnected
-May 30 22:53:09 valhalla proftpd[24395]: valhalla.ahmetozturk.name.tr (88.240.52.97[88.240.52.97]) - FTP no transfer timeout, disconnected
-
-
-May 31 06:50:39 valhalla proftpd[345]: valhalla.ahmetozturk.name.tr (217.20.94.150[217.20.94.150]) - FTP login timed out, disconnected
-May 31 15:13:38 valhalla proftpd[14273]: valhalla.ahmetozturk.name.tr (85.104.215.80[85.104.215.80]) - FTP login timed out, disconnected
-
-
-
-May 31 11:26:23 valhalla proftpd[6399]: valhalla.ahmetozturk.name.tr (88.226.116.196[88.226.116.196]) - FTP session idle timeout, disconnected.
-May 31 13:10:54 valhalla proftpd[8987]: valhalla.ahmetozturk.name.tr (85.104.215.80[85.104.215.80]) - FTP session idle timeout, disconnected.
-
-
-May 30 13:44:57 valhalla proftpd[8521]: valhalla.ahmetozturk.name.tr (84.134.231.103[84.134.231.103]) - Data transfer stall timeout: 3600 seconds
-Jun 3 08:24:13 valhalla proftpd[24038]: valhalla.ahmetozturk.name.tr (85.104.252.16[85.104.252.16]) - Data transfer stall timeout: 3600 seconds
-
-
-May 29 15:13:37 whale proftpd[4555]: whale.ahmetozturk.name.tr (dsl85-105-3059.ttnet.net.tr[85.105.10.139]) - ProFTPD terminating (signal 11)
-May 29 15:13:53 whale proftpd[4592]: whale.ahmetozturk.name.tr (dsl85-105-3059.ttnet.net.tr[85.105.10.139]) - ProFTPD terminating (signal 11)
-
-
-May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 10 entries to 20 entries
-May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 20 entries to 40 entries
-May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 40 entries to 80 entries
-May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 80 entries to 160 entries
-May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 160 entries to 320 entries
-
-
-May 30 16:22:39 whale proftpd[25749]: whale.ahmetozturk.name.tr (adsl85-105-30850.tt.net.tr[85.105.10.222]) - listen() failed in inet_listen(): Address already in use
-May 31 13:21:13 whale proftpd[15942]: whale.ahmetozturk.name.tr (adsl85-105-30850.tt.net.tr[85.105.10.222]) - listen() failed in inet_listen(): Address already in use
+++ /dev/null
-smbd[12252]: getpeername failed. Error was Transport endpoint is not connected
-smbd[12252]: Denied connection from (0.0.0.0)
-smbd[12252]: getpeername failed. Error was Transport endpoint is not connected
-smbd[12252]: Connection denied from 0.0.0.0
-smbd[12252]: write_socket_data: write failure. Error = Connection reset by peer
-smbd[12252]: write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection reset by peer
-smbd[12252]: Error writing 5 bytes to client. -1. (Connection reset by peer)
-May 31 15:54:18 homesmbsrv smbd[124]: Permission denied-- user not allowed to delete, pause, or resume print job. User name: oahmet. Printer name: prnq1.
-
+++ /dev/null
-A clean mail:
-
-Mar 19 08:21:13 h780152 spamd[11565]: connection from localhost [127.0.0.1] at port 49144
-Mar 19 08:21:13 h780152 spamd[11565]: checking message <20060318231614.f9991a2d.johnxj@comcast.net> for root:98.
-Mar 19 08:21:14 h780152 spamd[11565]: clean message (0.0/6.0) for root:98 in 1.6 seconds, 3347 bytes.
-Mar 19 08:21:14 h780152 spamd[11565]: result: . 0 - AWL,FORGED_RCVD_HELO scantime=1.6,size=3347,mid=<20060318231614.f9991a2d.johnxj@comcast.net>,autolearn=ham
-Mar 19 08:21:14 h780152 qmail-scanner[25042]: Clear:RC:0(217.72.192.234):SA:0(0.0/6.0): 1.681359 3302 sylpheed-admin@good-day.net peter@ifup.de [sylpheed:27685]_Sync_two_copies_of_Sylpheed <20060318231614.f9991a2d.johnxj@comcast.net> 1142752873.25044-0.ifup.de:898
-
-
-and a recognized spam:
-
-Mar 19 08:36:33 h780152 spamd[18424]: connection from localhost [127.0.0.1] at port 49145
-Mar 19 08:36:33 h780152 spamd[18424]: checking message <3388717865.3821662804@douglas.co.za> for root:98.
-Mar 19 08:36:37 h780152 spamd[18424]: identified spam (8.1/6.0) for root:98 in 4.2 seconds, 1432 bytes.
-Mar 19 08:36:37 h780152 spamd[18424]: result: Y 8 - FORGED_RCVD_HELO,INFO_TLD,RCVD_BY_IP,RCVD_IN_XBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=4.2,size=1432,mid=<3388717865.3821662804@douglas.co.za>,autolearn=no
-Mar 19 08:36:37 h780152 qmail-scanner[31528]: Clear:RC:0(213.165.64.100):SA:1(8.1/6.0): 4.195255 1371 srs0=k3bc=5k=douglas.co.za=deonegqf@gmx.net peter@ifup.de $E}{UALLYY_EXPLICIT:_Group_glorious_teens_hardcoore <3388717865.3821662804@douglas.co.za> 1142753793.31530-0.ifup.de:134
-
-
-Thanks Peter
+++ /dev/null
-Jul 7 10:51:24 eva sshd[19537]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:25 eva sshd[19539]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:26 eva sshd[19542]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:26 eva sshd[19544]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:28 eva sshd[19546]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:28 eva sshd[19548]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:29 eva sshd[19550]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:30 eva sshd[19553]: Invalid user admin from 83.15.231.75
-Jul 7 10:51:31 eva sshd[19555]: Invalid user admin1 from 83.15.231.75
-Jul 7 10:51:32 eva sshd[19557]: Invalid user admin1 from 83.15.231.75
-Jul 7 10:51:33 eva sshd[19559]: Invalid user admin1 from 83.15.231.75
-Jul 7 10:51:34 eva sshd[19561]: Invalid user admin1 from 83.15.231.75
-Jul 7 10:51:35 eva sshd[19564]: Invalid user admin1 from 83.15.231.75
-Jul 7 10:51:36 eva sshd[19566]: Invalid user admin1 from 83.15.231.75
-Jul 7 10:51:37 eva sshd[19568]: Invalid user admin01 from 83.15.231.75
-Jul 7 10:51:38 eva sshd[19570]: Invalid user admin01 from 83.15.231.75
-Jul 7 10:51:39 eva sshd[19572]: Invalid user admin01 from 83.15.231.75
-Jul 7 10:51:40 eva sshd[19574]: Invalid user admin01 from 83.15.231.75
-Jul 7 10:51:41 eva sshd[19577]: Invalid user admin01 from 83.15.231.75
-Jul 7 10:51:42 eva sshd[19579]: Invalid user test from 83.15.231.75
-Jul 7 10:51:43 eva sshd[19581]: Invalid user test from 83.15.231.75
-Jul 7 10:51:44 eva sshd[19583]: Invalid user test from 83.15.231.75
-Jul 7 10:51:45 eva sshd[19585]: Invalid user test from 83.15.231.75
-Jul 7 10:51:45 eva sshd[19588]: Invalid user test from 83.15.231.75
-Jul 7 10:51:46 eva sshd[19590]: Invalid user test from 83.15.231.75
-Jul 7 10:51:47 eva sshd[19592]: Invalid user test from 83.15.231.75
-Jul 7 10:51:48 eva sshd[19594]: Invalid user test1 from 83.15.231.75
-Jul 7 10:51:49 eva sshd[19596]: Invalid user test1 from 83.15.231.75
-Jul 7 10:51:50 eva sshd[19598]: Invalid user test1 from 83.15.231.75
-Jul 7 10:51:51 eva sshd[19601]: Invalid user test1 from 83.15.231.75
-Jul 7 10:51:52 eva sshd[19603]: Invalid user test1 from 83.15.231.75
-Jul 7 10:51:53 eva sshd[19605]: Invalid user test1 from 83.15.231.75
-Jul 7 10:51:54 eva sshd[19607]: Invalid user test01 from 83.15.231.75
-Jul 7 10:51:55 eva sshd[19609]: Invalid user test01 from 83.15.231.75
-Jul 7 10:51:56 eva sshd[19612]: Invalid user test01 from 83.15.231.75
-Jul 7 10:51:56 eva sshd[19614]: Invalid user test01 from 83.15.231.75
-Jul 7 10:51:58 eva sshd[19616]: Invalid user test01 from 83.15.231.75
-Jul 7 10:51:58 eva sshd[19618]: Invalid user test02 from 83.15.231.75
-Jul 7 10:52:00 eva sshd[19620]: Invalid user test02 from 83.15.231.75
-Jul 7 10:52:00 eva sshd[19623]: Invalid user test02 from 83.15.231.75
-Jul 7 10:52:01 eva sshd[19625]: Invalid user test02 from 83.15.231.75
-Jul 7 10:52:02 eva sshd[19627]: Invalid user test02 from 83.15.231.75
-Jul 7 10:52:03 eva sshd[19629]: Invalid user test03 from 83.15.231.75
-Jul 7 10:52:04 eva sshd[19631]: Invalid user test03 from 83.15.231.75
-Jul 7 10:52:05 eva sshd[19633]: Invalid user test03 from 83.15.231.75
-Jul 7 10:52:06 eva sshd[19636]: Invalid user test03 from 83.15.231.75
-Jul 7 10:52:07 eva sshd[19638]: Invalid user test03 from 83.15.231.75
-Jul 7 10:52:08 eva sshd[19640]: Invalid user test04 from 83.15.231.75
-Jul 7 10:52:09 eva sshd[19642]: Invalid user test04 from 83.15.231.75
-Jul 7 10:52:18 eva sshd[19646]: Invalid user test04 from 83.15.231.75
-Jul 7 10:52:20 eva sshd[19648]: Invalid user test04 from 83.15.231.75
-Jul 7 10:52:20 eva sshd[19651]: Invalid user guest from 83.15.231.75
-Jul 7 10:52:21 eva sshd[19653]: Invalid user guest from 83.15.231.75
-Jul 7 10:52:22 eva sshd[19655]: Invalid user guest from 83.15.231.75
-Jul 7 10:52:23 eva sshd[19657]: Invalid user guest from 83.15.231.75
-Jul 7 10:52:24 eva sshd[19659]: Invalid user guest from 83.15.231.75
-Jul 7 10:52:25 eva sshd[19661]: Invalid user guest from 83.15.231.75
-Jul 7 10:52:26 eva sshd[19664]: Invalid user guest from 83.15.231.75
-Jul 7 10:52:27 eva sshd[19666]: Invalid user guest01 from 83.15.231.75
-Jul 7 10:52:28 eva sshd[19668]: Invalid user guest01 from 83.15.231.75
-Jul 7 10:52:29 eva sshd[19670]: Invalid user ftpadmin from 83.15.231.75
-Jul 7 10:52:30 eva sshd[19672]: Invalid user ftpadmin from 83.15.231.75
-Jul 7 10:52:31 eva sshd[19675]: Invalid user ftpadmin from 83.15.231.75
-Jul 7 10:52:32 eva sshd[19677]: Invalid user ftpadmin from 83.15.231.75
-Jul 7 10:52:33 eva sshd[19679]: Invalid user ftpuser from 83.15.231.75
-Jul 7 10:52:33 eva sshd[19681]: Invalid user ftpuser from 83.15.231.75
-Jul 7 10:52:35 eva sshd[19683]: Invalid user ftpuser from 83.15.231.75
-Jul 7 10:52:35 eva sshd[19686]: Invalid user ftpuser from 83.15.231.75
-Jul 7 10:52:36 eva sshd[19688]: Invalid user backup from 83.15.231.75
-Jul 7 10:52:37 eva sshd[19690]: Invalid user backup from 83.15.231.75
-Jul 7 10:52:38 eva sshd[19692]: Invalid user backup from 83.15.231.75
-Jul 7 10:52:39 eva sshd[19694]: Invalid user backup from 83.15.231.75
-Jul 7 10:52:40 eva sshd[19696]: Invalid user postgres from 83.15.231.75
-Jul 7 10:52:41 eva sshd[19699]: Invalid user postgres from 83.15.231.75
-Jul 7 10:52:43 eva sshd[19703]: Invalid user account from 83.15.231.75
-Jul 7 10:52:44 eva sshd[19705]: Invalid user webmaster from 83.15.231.75
-Jul 7 10:52:45 eva sshd[19707]: Invalid user webmaster from 83.15.231.75
-Jul 7 10:52:46 eva sshd[19710]: Invalid user webmaster from 83.15.231.75
-Jul 7 10:52:46 eva sshd[19712]: Invalid user webmaster from 83.15.231.75
-Jul 7 10:52:48 eva sshd[19714]: Invalid user webmaster from 83.15.231.75
-Jul 7 10:52:48 eva sshd[19716]: Invalid user webadmin from 83.15.231.75
-Jul 7 10:52:49 eva sshd[19718]: Invalid user webadmin from 83.15.231.75
-Jul 7 10:52:50 eva sshd[19721]: Invalid user webadmin from 83.15.231.75
-Jul 7 10:52:51 eva sshd[19723]: Invalid user webadmin from 83.15.231.75
-Jul 7 10:52:52 eva sshd[19725]: Invalid user webadmin from 83.15.231.75
-Jul 7 10:52:53 eva sshd[19727]: Invalid user nagios from 83.15.231.75
-Jul 7 10:52:54 eva sshd[19729]: Invalid user nagios from 83.15.231.75
-Jul 7 10:52:55 eva sshd[19731]: Invalid user nagios from 83.15.231.75
-Jul 7 10:52:56 eva sshd[19734]: Invalid user nagios from 83.15.231.75
-Jul 7 10:52:57 eva sshd[19736]: Invalid user nagios from 83.15.231.75
-Jul 7 10:52:58 eva sshd[19738]: Invalid user ftptest from 83.15.231.75
-Jul 7 10:52:59 eva sshd[19740]: Invalid user ftptest from 83.15.231.75
-Jul 7 10:53:00 eva sshd[19742]: Invalid user ftptest from 83.15.231.75
-Jul 7 10:53:01 eva sshd[19745]: Invalid user ftptest from 83.15.231.75
-Jul 7 10:53:01 eva sshd[19747]: Invalid user ftptest from 83.15.231.75
-Jul 7 10:53:02 eva sshd[19749]: Invalid user ftptest from 83.15.231.75
-Jul 7 10:53:03 eva sshd[19751]: Invalid user library from 83.15.231.75
-Jul 7 10:53:04 eva sshd[19753]: Invalid user library from 83.15.231.75
-Jul 7 10:53:05 eva sshd[19755]: Invalid user library from 83.15.231.75
-Jul 7 10:53:06 eva sshd[19758]: Invalid user ftpguest from 83.15.231.75
-Jul 7 10:53:07 eva sshd[19760]: Invalid user ftpguest from 83.15.231.75
-Jul 7 10:53:08 eva sshd[19762]: Invalid user ftpguest from 83.15.231.75
-Jul 7 10:53:09 eva sshd[19764]: Invalid user ftpguest from 83.15.231.75
-Jul 7 10:53:10 eva sshd[19766]: Invalid user info from 83.15.231.75
-Jul 7 10:53:11 eva sshd[19769]: Invalid user info from 83.15.231.75
-Jul 7 10:53:11 eva sshd[19771]: Invalid user info from 83.15.231.75
-Jul 7 10:53:13 eva sshd[19782]: Invalid user info from 83.15.231.75
-Jul 7 10:53:13 eva sshd[19787]: Invalid user info from 83.15.231.75
-Jul 7 10:53:21 eva sshd[19805]: Invalid user upload from 83.15.231.75
-Jul 7 10:53:22 eva sshd[19807]: Invalid user upload from 83.15.231.75
-Jul 7 10:53:23 eva sshd[19809]: Invalid user upload from 83.15.231.75
-Jul 7 10:53:23 eva sshd[19811]: Invalid user upload from 83.15.231.75
-Jul 7 10:53:25 eva sshd[19813]: Invalid user upload from 83.15.231.75
-Jul 7 10:53:25 eva sshd[19816]: Invalid user upload from 83.15.231.75
-Jul 7 10:53:26 eva sshd[19818]: Invalid user upload from 83.15.231.75
-Jul 7 10:53:27 eva sshd[19820]: Invalid user usertest from 83.15.231.75
-Jul 7 10:53:28 eva sshd[19822]: Invalid user update from 83.15.231.75
-Jul 7 10:53:29 eva sshd[19824]: Invalid user update from 83.15.231.75
-Jul 7 10:53:30 eva sshd[19826]: Invalid user update from 83.15.231.75
-Jul 7 10:53:31 eva sshd[19829]: Invalid user update from 83.15.231.75
-Jul 7 10:53:32 eva sshd[19831]: Invalid user update from 83.15.231.75
-Jul 7 10:53:33 eva sshd[19833]: Invalid user update from 83.15.231.75
-Jul 7 10:53:40 eva sshd[19845]: Invalid user apache from 83.15.231.75
-Jul 7 10:53:41 eva sshd[19847]: Invalid user apache from 83.15.231.75
-Jul 7 10:53:42 eva sshd[19849]: Invalid user apache from 83.15.231.75
-Jul 7 10:53:43 eva sshd[19851]: Invalid user apache from 83.15.231.75
-Jul 7 10:53:44 eva sshd[19853]: Invalid user apache from 83.15.231.75
-Jul 7 10:53:45 eva sshd[19855]: Invalid user apache from 83.15.231.75
-Jul 7 10:53:46 eva sshd[19858]: Invalid user webuser from 83.15.231.75
-Jul 7 10:53:47 eva sshd[19860]: Invalid user webuser from 83.15.231.75
-Jul 7 10:53:48 eva sshd[19862]: Invalid user webuser from 83.15.231.75
-Jul 7 10:53:49 eva sshd[19864]: Invalid user webuser from 83.15.231.75
-Jul 7 10:53:50 eva sshd[19866]: Invalid user webuser from 83.15.231.75
-Jul 7 10:53:51 eva sshd[19869]: Invalid user webuser from 83.15.231.75
-Jul 7 10:53:51 eva sshd[19871]: Invalid user webuser from 83.15.231.75
-Jul 7 10:53:53 eva sshd[19873]: Invalid user oracle from 83.15.231.75
-Jul 7 10:53:54 eva sshd[19875]: Invalid user oracle from 83.15.231.75
-Jul 7 10:53:58 eva sshd[19878]: Invalid user oracle from 83.15.231.75
-Jul 7 10:53:59 eva sshd[19880]: Invalid user oracle from 83.15.231.75
-Jul 7 10:54:00 eva sshd[19882]: Invalid user cyrus from 83.15.231.75
-Jul 7 10:54:01 eva sshd[19885]: Invalid user cyrus from 83.15.231.75
-Jul 7 10:54:01 eva sshd[19887]: Invalid user cyrus from 83.15.231.75
-Jul 7 10:54:02 eva sshd[19889]: Invalid user cyrus from 83.15.231.75
-Jul 7 10:54:03 eva sshd[19891]: Invalid user server from 83.15.231.75
-Jul 7 10:54:04 eva sshd[19893]: Invalid user server from 83.15.231.75
-Jul 7 10:54:06 eva sshd[19898]: Invalid user daniel from 83.15.231.75
-Jul 7 10:54:07 eva sshd[19900]: Invalid user user from 83.15.231.75
-Jul 7 10:54:08 eva sshd[19902]: Invalid user user from 83.15.231.75
-Jul 7 10:54:09 eva sshd[19904]: Invalid user user from 83.15.231.75
-Jul 7 10:54:10 eva sshd[19906]: Invalid user user from 83.15.231.75
-Jul 7 10:54:11 eva sshd[19909]: Invalid user user from 83.15.231.75
-Jul 7 10:54:12 eva sshd[19911]: Invalid user linux from 83.15.231.75
-Jul 7 10:54:13 eva sshd[19913]: Invalid user linux from 83.15.231.75
-Jul 7 10:54:13 eva sshd[19915]: Invalid user linux from 83.15.231.75
-Jul 7 10:54:15 eva sshd[19917]: Invalid user linux from 83.15.231.75
-Jul 7 10:54:15 eva sshd[19920]: Invalid user linux from 83.15.231.75
-Jul 7 10:54:16 eva sshd[19922]: Invalid user student from 83.15.231.75
-Jul 7 10:54:17 eva sshd[19924]: Invalid user student from 83.15.231.75
-Jul 7 10:54:18 eva sshd[19926]: Invalid user student from 83.15.231.75
-Jul 7 10:54:19 eva sshd[19928]: Invalid user student from 83.15.231.75
-Jul 7 10:54:20 eva sshd[19930]: Invalid user student from 83.15.231.75
-Jul 7 10:54:21 eva sshd[19933]: Invalid user temp from 83.15.231.75
-Jul 7 10:54:22 eva sshd[19935]: Invalid user temp from 83.15.231.75
-Jul 7 10:54:23 eva sshd[19937]: Invalid user temp from 83.15.231.75
-Jul 7 10:54:24 eva sshd[19939]: Invalid user temp from 83.15.231.75
-Jul 7 10:54:25 eva sshd[19941]: Invalid user temp from 83.15.231.75
-Jul 7 10:54:26 eva sshd[19944]: Invalid user contact from 83.15.231.75
-Jul 7 10:54:26 eva sshd[19946]: Invalid user contact from 83.15.231.75
-Jul 7 10:54:27 eva sshd[19948]: Invalid user ftpd from 83.15.231.75
-Jul 7 10:54:28 eva sshd[19950]: Invalid user gopher from 83.15.231.75
-Jul 7 10:54:29 eva sshd[19952]: Invalid user gopher from 83.15.231.75
-Jul 7 10:54:30 eva sshd[19954]: Invalid user jobs from 83.15.231.75
-Jul 7 10:54:31 eva sshd[19957]: Invalid user sysadmin from 83.15.231.75
-Jul 7 10:54:32 eva sshd[19959]: Invalid user sysadmin from 83.15.231.75
-Jul 7 10:54:33 eva sshd[19961]: Invalid user sysadmin from 83.15.231.75
-Jul 7 10:54:34 eva sshd[19963]: Invalid user sysadmin from 83.15.231.75
-Jul 7 10:54:35 eva sshd[19965]: Invalid user named from 83.15.231.75
-Jul 7 10:54:36 eva sshd[19968]: Invalid user pgsql from 83.15.231.75
-Jul 7 10:54:36 eva sshd[19970]: Invalid user pgsql from 83.15.231.75
-Jul 7 10:54:38 eva sshd[19972]: Invalid user pgsql from 83.15.231.75
-Jul 7 10:54:38 eva sshd[19974]: Invalid user pgsql from 83.15.231.75
-Jul 7 10:54:39 eva sshd[19976]: Invalid user unix from 83.15.231.75
-Jul 7 10:54:40 eva sshd[19979]: Invalid user unix from 83.15.231.75
-Jul 7 10:54:41 eva sshd[19981]: Invalid user unix from 83.15.231.75
-Jul 7 10:54:42 eva sshd[19983]: Invalid user unix from 83.15.231.75
-Jul 7 10:54:49 eva sshd[20000]: Invalid user postmaster from 83.15.231.75
-Jul 7 10:54:50 eva sshd[20003]: Invalid user postmaster from 83.15.231.75
-Jul 7 10:54:51 eva sshd[20005]: Invalid user operator from 83.15.231.75
-Jul 7 10:54:52 eva sshd[20007]: Invalid user operator from 83.15.231.75
-Jul 7 10:54:54 eva sshd[20011]: Invalid user users from 83.15.231.75
-Jul 7 10:54:55 eva sshd[20013]: Invalid user internet from 83.15.231.75
-Jul 7 10:54:56 eva sshd[20016]: Invalid user internet from 83.15.231.75
-Jul 7 10:54:58 eva sshd[20020]: Invalid user carlos from 83.15.231.75
-Jul 7 10:54:58 eva sshd[20022]: Invalid user adm from 83.15.231.75
-Jul 7 10:55:00 eva sshd[20024]: Invalid user data from 83.15.231.75
-Jul 7 10:55:00 eva sshd[20027]: Invalid user nologin from 83.15.231.75
-Jul 7 10:55:01 eva sshd[20029]: Invalid user smtp from 83.15.231.75
-Jul 7 10:55:03 eva sshd[20031]: Invalid user gdm from 83.15.231.75
-Jul 7 10:55:04 eva sshd[20033]: Invalid user martin from 83.15.231.75
-Jul 7 10:55:05 eva sshd[20035]: Invalid user carlos from 83.15.231.75
-Jul 7 10:55:06 eva sshd[20038]: Invalid user david from 83.15.231.75
-Jul 7 10:55:06 eva sshd[20040]: Invalid user richard from 83.15.231.75
-Jul 7 10:55:08 eva sshd[20042]: Invalid user andy from 83.15.231.75
-Jul 7 10:55:08 eva sshd[20044]: Invalid user kevin from 83.15.231.75
-Jul 7 10:55:10 eva sshd[20046]: Invalid user jeff from 83.15.231.75
-Jul 7 10:55:10 eva sshd[20049]: Invalid user data from 83.15.231.75
-Jul 7 10:55:11 eva sshd[20051]: Invalid user patrick from 83.15.231.75
-Jul 7 10:55:12 eva sshd[20053]: Invalid user jane from 83.15.231.75
-Jul 7 10:55:13 eva sshd[20055]: Invalid user sql from 83.15.231.75
-Jul 7 10:55:14 eva sshd[20057]: Invalid user tester from 83.15.231.75
-Jul 7 10:55:15 eva sshd[20059]: Invalid user andrew from 83.15.231.75
-Jul 7 10:55:16 eva sshd[20062]: Invalid user steven from 83.15.231.75
-Jul 7 10:55:17 eva sshd[20064]: Invalid user angela from 83.15.231.75
-Jul 7 10:55:18 eva sshd[20066]: Invalid user andrea from 83.15.231.75
-Jul 7 10:55:19 eva sshd[20068]: Invalid user webaccount from 83.15.231.75
-Jul 7 10:55:20 eva sshd[20070]: Invalid user seth from 83.15.231.75
-Jul 7 10:55:21 eva sshd[20073]: Invalid user bobby from 83.15.231.75
-Jul 7 10:55:21 eva sshd[20075]: Invalid user peter from 83.15.231.75
-Jul 7 10:55:23 eva sshd[20077]: Invalid user john from 83.15.231.75
-Jul 7 10:55:23 eva sshd[20079]: Invalid user mike from 83.15.231.75
-Jul 7 10:55:24 eva sshd[20081]: Invalid user ally from 83.15.231.75
-Jul 7 10:55:25 eva sshd[20084]: Invalid user norman from 83.15.231.75
-Jul 7 10:55:26 eva sshd[20086]: Invalid user nike from 83.15.231.75
-Jul 7 10:55:27 eva sshd[20088]: Invalid user diana from 83.15.231.75
-Jul 7 10:55:28 eva sshd[20090]: Invalid user george from 83.15.231.75
-Jul 7 10:55:29 eva sshd[20092]: Invalid user james from 83.15.231.75
-Jul 7 10:55:30 eva sshd[20094]: Invalid user transfer from 83.15.231.75
-Jul 7 10:55:31 eva sshd[20097]: Invalid user spam from 83.15.231.75
-Jul 7 10:55:32 eva sshd[20099]: Invalid user spam from 83.15.231.75
-Jul 7 10:55:35 eva sshd[20102]: Invalid user denis from 83.15.231.75
-Jul 7 10:55:36 eva sshd[20104]: Invalid user anders from 83.15.231.75
-Jul 7 10:55:37 eva sshd[20106]: Invalid user friends from 83.15.231.75
-Jul 7 10:55:38 eva sshd[20108]: Invalid user friend from 83.15.231.75
-Jul 7 10:55:39 eva sshd[20110]: Invalid user blast from 83.15.231.75
-Jul 7 10:55:40 eva sshd[20112]: Invalid user ferrari from 83.15.231.75
-Jul 7 10:55:41 eva sshd[20115]: Invalid user bill from 83.15.231.75
-Jul 7 10:55:42 eva sshd[20117]: Invalid user bill from 83.15.231.75
-Jul 7 10:55:43 eva sshd[20119]: Invalid user bill from 83.15.231.75
-Jul 7 10:55:44 eva sshd[20121]: Invalid user bill from 83.15.231.75
-Jul 7 10:55:45 eva sshd[20123]: Invalid user demo from 83.15.231.75
-Jul 7 10:55:46 eva sshd[20126]: Invalid user forum from 83.15.231.75
-Jul 7 10:55:47 eva sshd[20128]: Invalid user master from 83.15.231.75
-Jul 7 10:55:48 eva sshd[20130]: Invalid user pat from 83.15.231.75
-Jul 7 10:55:49 eva sshd[20132]: Invalid user jan from 83.15.231.75
-Jul 7 10:55:50 eva sshd[20134]: Invalid user mark from 83.15.231.75
-Jul 7 10:55:50 eva sshd[20137]: Invalid user support from 83.15.231.75
-Jul 7 10:55:51 eva sshd[20139]: Invalid user cold from 83.15.231.75
-Jul 7 10:55:52 eva sshd[20141]: Invalid user smith from 83.15.231.75
-Jul 7 10:55:53 eva sshd[20143]: Invalid user ppp from 83.15.231.75
-Jul 7 10:55:54 eva sshd[20145]: Invalid user anna from 83.15.231.75
-Jul 7 10:55:55 eva sshd[20147]: Invalid user seba from 83.15.231.75
-Jul 7 10:55:56 eva sshd[20150]: Invalid user lotus from 83.15.231.75
-Jul 7 10:55:57 eva sshd[20152]: Invalid user engine from 83.15.231.75
-Jul 7 10:55:58 eva sshd[20154]: Invalid user domain from 83.15.231.75
-Jul 7 10:55:59 eva sshd[20156]: Invalid user www from 83.15.231.75
-Jul 7 10:56:00 eva sshd[20158]: Invalid user www from 83.15.231.75
-Jul 7 10:56:01 eva sshd[20161]: Invalid user www from 83.15.231.75
-Jul 7 10:56:02 eva sshd[20163]: Invalid user www from 83.15.231.75
-Jul 7 10:56:03 eva sshd[20165]: Invalid user www from 83.15.231.75
-Jul 7 10:56:03 eva sshd[20167]: Invalid user masters from 83.15.231.75
-Jul 7 10:56:05 eva sshd[20169]: Invalid user users from 83.15.231.75
-Jul 7 10:56:05 eva sshd[20172]: Invalid user users from 83.15.231.75
-Jul 7 10:56:06 eva sshd[20174]: Invalid user solaris from 83.15.231.75
-Jul 7 10:56:07 eva sshd[20176]: Invalid user cvs from 83.15.231.75
-Jul 7 10:56:08 eva sshd[20178]: Invalid user guest1 from 83.15.231.75
-Jul 7 10:56:09 eva sshd[20180]: Invalid user guest02 from 83.15.231.75
-Jul 7 10:56:10 eva sshd[20182]: Invalid user www-data from 83.15.231.75
-Aug 7 15:13:17 eva sshd[27633]: Invalid user webmaster from 200.94.18.3
-Aug 7 15:13:23 eva sshd[27650]: Invalid user sales from 200.94.18.3
-Aug 7 15:13:24 eva sshd[27652]: Invalid user admin from 200.94.18.3
-Aug 7 15:13:26 eva sshd[27655]: Invalid user andrea from 200.94.18.3
-Aug 7 15:13:28 eva sshd[27657]: Invalid user backup from 200.94.18.3
-Aug 7 15:13:29 eva sshd[27659]: Invalid user guest from 200.94.18.3
-Aug 7 15:13:31 eva sshd[27662]: Invalid user guest1 from 200.94.18.3
-Aug 7 15:13:33 eva sshd[27664]: Invalid user guest2 from 200.94.18.3
-Aug 7 15:13:34 eva sshd[27666]: Invalid user guest3 from 200.94.18.3
-Aug 7 15:13:36 eva sshd[27669]: Invalid user guest4 from 200.94.18.3
-Aug 7 15:13:38 eva sshd[27671]: Invalid user guest5 from 200.94.18.3
-Aug 7 15:13:39 eva sshd[27673]: Invalid user guest6 from 200.94.18.3
-Aug 7 15:13:41 eva sshd[27676]: Invalid user guest7 from 200.94.18.3
-Aug 7 15:13:43 eva sshd[27678]: Invalid user guest8 from 200.94.18.3
-Aug 7 15:13:44 eva sshd[27680]: Invalid user guest9 from 200.94.18.3
-Aug 7 15:13:46 eva sshd[27683]: Invalid user guest10 from 200.94.18.3
-Aug 7 15:13:48 eva sshd[27685]: Invalid user michael from 200.94.18.3
-Aug 7 15:13:50 eva sshd[27688]: Invalid user gigi from 200.94.18.3
-Aug 7 15:13:52 eva sshd[27692]: Invalid user france from 200.94.18.3
-Aug 7 15:13:54 eva sshd[27694]: Invalid user raider from 200.94.18.3
-Aug 7 15:13:55 eva sshd[27696]: Invalid user movie from 200.94.18.3
-Aug 7 15:13:57 eva sshd[27699]: Invalid user movies from 200.94.18.3
-Aug 7 15:13:59 eva sshd[27701]: Invalid user judith from 200.94.18.3
-Aug 7 15:14:00 eva sshd[27705]: Invalid user default from 200.94.18.3
-Aug 7 15:14:02 eva sshd[27708]: Invalid user sean from 200.94.18.3
-Aug 7 15:14:04 eva sshd[27710]: Invalid user erik from 200.94.18.3
-Aug 7 15:14:05 eva sshd[27713]: Invalid user house from 200.94.18.3
-Aug 7 15:14:07 eva sshd[27721]: Invalid user status from 200.94.18.3
-Aug 7 15:14:09 eva sshd[27727]: Invalid user music from 200.94.18.3
-Aug 7 15:14:10 eva sshd[27734]: Invalid user test from 200.94.18.3
-Aug 7 15:14:12 eva sshd[27737]: Invalid user christian from 200.94.18.3
-Aug 7 15:14:14 eva sshd[27744]: Invalid user upload from 200.94.18.3
-Aug 7 15:14:15 eva sshd[27746]: Invalid user security from 200.94.18.3
-Aug 7 15:14:17 eva sshd[27749]: Invalid user scanner from 200.94.18.3
-Aug 7 15:14:19 eva sshd[27751]: Invalid user work from 200.94.18.3
-Aug 7 15:14:20 eva sshd[27753]: Invalid user eli from 200.94.18.3
-Aug 7 15:14:22 eva sshd[27756]: Invalid user ariel from 200.94.18.3
-Aug 7 15:14:24 eva sshd[27759]: Invalid user matt from 200.94.18.3
-Aug 7 15:14:25 eva sshd[27761]: Invalid user smoke from 200.94.18.3
-Aug 7 15:14:27 eva sshd[27764]: Invalid user papa from 200.94.18.3
-Aug 7 15:14:29 eva sshd[27766]: Invalid user beth from 200.94.18.3
-Aug 7 15:14:30 eva sshd[27768]: Invalid user samba from 200.94.18.3
-Aug 7 15:14:32 eva sshd[27771]: Invalid user library from 200.94.18.3
-Aug 7 15:14:34 eva sshd[27773]: Invalid user don from 200.94.18.3
-Aug 7 15:14:35 eva sshd[27775]: Invalid user webuser from 200.94.18.3
-Aug 7 15:14:37 eva sshd[27778]: Invalid user monitor from 200.94.18.3
-Aug 7 15:14:39 eva sshd[27780]: Invalid user roberto from 200.94.18.3
-Aug 7 15:14:40 eva sshd[27782]: Invalid user mama from 200.94.18.3
-Aug 7 15:14:42 eva sshd[27785]: Invalid user windows from 200.94.18.3
-Aug 7 15:14:44 eva sshd[27787]: Invalid user fritz from 200.94.18.3
-Aug 7 15:14:45 eva sshd[27789]: Invalid user linux from 200.94.18.3
-Aug 7 15:14:47 eva sshd[27797]: Invalid user debian from 200.94.18.3
-Aug 7 15:14:49 eva sshd[27805]: Invalid user darwin from 200.94.18.3
-Aug 7 15:14:50 eva sshd[27807]: Invalid user redhat from 200.94.18.3
-Aug 7 15:14:52 eva sshd[27810]: Invalid user edith from 200.94.18.3
-Aug 7 15:14:54 eva sshd[27812]: Invalid user neo from 200.94.18.3
-Aug 7 15:14:55 eva sshd[27814]: Invalid user neo from 200.94.18.3
-Aug 7 15:14:57 eva sshd[27817]: Invalid user bebe from 200.94.18.3
-Aug 7 15:14:59 eva sshd[27819]: Invalid user postgres from 200.94.18.3
-Aug 7 15:15:00 eva sshd[27821]: Invalid user antonio from 200.94.18.3
-Aug 7 15:15:02 eva sshd[27824]: Invalid user archive from 200.94.18.3
-Aug 7 15:15:05 eva sshd[27845]: Invalid user cathy from 200.94.18.3
-Aug 7 15:15:06 eva sshd[27848]: Invalid user alex from 200.94.18.3
-Aug 7 15:15:08 eva sshd[27850]: Invalid user download from 200.94.18.3
-Aug 7 15:15:10 eva sshd[27852]: Invalid user eric from 200.94.18.3
-Aug 7 15:15:11 eva sshd[27855]: Invalid user gaby from 200.94.18.3
-Aug 7 15:15:13 eva sshd[27857]: Invalid user beer from 200.94.18.3
-Aug 7 15:15:15 eva sshd[27859]: Invalid user mp3 from 200.94.18.3
-Aug 7 15:15:16 eva sshd[27862]: Invalid user ghost from 200.94.18.3
-Aug 7 15:15:18 eva sshd[27864]: Invalid user virus from 200.94.18.3
-Aug 7 15:15:20 eva sshd[27871]: Invalid user gloria from 200.94.18.3
-Aug 7 15:15:21 eva sshd[27874]: Invalid user erwin from 200.94.18.3
-Aug 7 15:15:23 eva sshd[27881]: Invalid user update from 200.94.18.3
-Aug 7 15:15:25 eva sshd[27883]: Invalid user kiss from 200.94.18.3
-Aug 7 15:15:26 eva sshd[27886]: Invalid user army from 200.94.18.3
-Aug 7 15:15:28 eva sshd[27888]: Invalid user andreas from 200.94.18.3
-Aug 7 15:15:33 eva sshd[27891]: Invalid user jojo from 200.94.18.3
-Aug 7 15:15:34 eva sshd[27893]: Invalid user service from 200.94.18.3
+++ /dev/null
-20070717,30020,1=3,41=SWS-3.0.1.86/lists,100=Version 3.0.3299,3=7,2=29
-20070717,30024,100=SWS-3.0.1.86,2=36
-20070717,30044,1=3,3=1,2=302
-20070717,30044,1=3,1202=20070715.002,1203=20070715.002,3=7,2=301
-20070717,30225,1=3,41=SWS-3.0.1.86/dictionaries,100=Version 3.0.638,3=7,2=29
-20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29
-20070717,40031,1=3,41=SWS-3.0.1.86/lists,100=Version 3.0.3299,3=7,2=29
-20070717,73613,1=5,11=10.1.1.3,10=userc,3=1,2=1
-20070717,103426,1=5,11=1.2.3.4,10=virtadmin,3=1,2=1
-20070717,73614,1=5,11=1.2.3.4,1106=News,60=http://news.bbc.co.uk/,10=userX,1000=212.58.240.42,2=27
-20070717,115252,1=5,11=1.2.3.4,1106=Miscellaneous,60=https://ad.doubleclick.net/,10=userY,1000=216.73.87.52,2=27
-20070717,122017,1=5,11=2.3.4.5,1106=Finance,60=http://www.esl.org/abc.exe,10=userB,1000=208.2.188.219,2=27
+++ /dev/null
-May 27 15:52:37 valhalla telnetd[4882]: refused connect from mstr195175-16075.dial-in.ttnet.net.tr
-May 27 16:48:29 valhalla telnetd[5010]: refused connect from 88.226.34.75
-Jun 2 09:50:28 queen in.telnetd[19636]: [ID 947420 local2.warning] refused connect from 220-129-149-114.dynamic.hinet.net
-May 11 10:28:07 queen in.telnetd[19847]: [ID 927837 local2.info] connect from dsl85-105-30859.ttnet.net.tr
-May 30 17:11:32 hayaletgemi telnetd[360652]: connect from valhalla.metu.edu.tr
-May 12 14:45:17 hayaletgemi in.telnetd[4821]: [ID 927837 local2.info] connect from dsl85-105-30859.ttnet.net.tr
-May 12 14:45:17 hayaletgemi telnetd[4821]: [ID 682499 daemon.info] ttloop: read: Not a data message
-May 28 17:14:52 queen telnetd[76014]: connect from vod85-15-3859.ttnet.net.tr
-May 28 17:14:53 queen telnetd[76014]: ttloop: read: A connection with a remote socket was reset by that socket.
-Jun 2 09:59:27 valhalla-eth in.telnetd[19826]: [ID 927837 local2.info] connect from adsl105-3085-tr.ttnet.net.tr
-Jun 2 09:59:28 valhalla-eth telnetd[19826]: [ID 485252 daemon.info] ttloop: peer died: Error 0
-May 29 23:57:28 isik telnetd[946360]: connect from 85-10-085.ttnet.net.tr
-May 29 23:57:28 isik telnetd[946360]: ttloop: peer died: A file or directory in the path name does not exist.
-May 29 20:59:00 valhalla-eth telnetd[2507000]: warning: can't verify hostname: gethostbyname(dsl.dynamic812154227.ttnet.net.tr
-May 30 00:19:11 valhalla-eth telnetd[987186]: warning: can't verify hostname: gethostbyname(131.1.satis-tl.ru) failed
+++ /dev/null
- Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200
- Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200
- Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200
- Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200
- Apr 14 19:18:56 mozart in.telnetd[11639]: connect from 192.168.11.200
- Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200
- Apr 14 19:19:03 mozart ipop3d[11642]: connect from 192.168.11.200
- Apr 14 19:19:03 mozart imapd[11643]: connect from 192.168.11.200
- Apr 14 19:19:04 mozart in.fingerd[11646]: connect from 192.168.11.200
- Apr 14 19:19:05 mozart in.fingerd[11648]: connect from 192.168.11.200
-
- Apr 14 21:01:58 mozart imapd[11667]: command stream end of file, while reading line user=??? host=[192.168.11.200]
- Apr 14 21:01:58 mozart ipop3d[11668]: No such file or directory while reading line user=??? host=[192.168.11.200]
- Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [192.168.11.200]: expn root
-
- Apr 14 21:03:09 mozart telnetd[11682]: ttloop: peer died: Invalid or incomplete multibyte or wide character
- Apr 14 21:03:12 mozart ftpd[11688]: FTP session closed
+++ /dev/null
-31220 06/01/2005 19:05:22.120 SEV=8 IKEDBG/0 RPT=41554 12.34.56.78 RECEIVED Message (msgid=0) with payloads :HDR + SA (1) + NONE (0) total length : 84
-31222 06/01/2005 19:05:22.120 SEV=8 IKEDBG/0 RPT=41555 12.34.56.78 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
-31224 06/01/2005 19:05:22.120 SEV=9 IKEDBG/0 RPT=41556 12.34.56.78 processing SA payload
-31225 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28390 12.34.56.78 SA Payload Decode : DOI : IPSEC (1)
-31228 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28391 12.34.56.78 Proposal Decode:
-31233 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28393 12.34.56.78 Phase 1 SA Attribute Decode for Transform # 1:
-31238 06/01/2005 19:05:22.120 SEV=12 IKEDECODE/0 RPT=28394 IKE Decode of received SA attributes follows: 0000: 80010005 80020002 80030001 80040002 ................
-31241 06/01/2005 19:05:22.120 SEV=7 IKEDBG/0 RPT=41557 12.34.56.78 Oakley proposal is acceptable
-31244 06/01/2005 19:05:22.230 SEV=9 IKEDBG/46 RPT=12648 12.34.56.78 constructing Cisco Unity VID payload
-31245 06/01/2005 19:05:22.230 SEV=9 IKEDBG/46 RPT=12649 12.34.56.78 constructing xauth V6 VID payload
-31247 06/01/2005 19:05:22.230 SEV=9 IKEDBG/38 RPT=1153 12.34.56.78 Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
-31286 06/01/2005 19:05:22.460 SEV=8 AUTHDBG/1 RPT=1302 AUTH_Open() returns 277
-31287 06/01/2005 19:05:22.460 SEV=7 AUTH/12 RPT=1302 Authentication session opened: handle = 277
-31311 06/01/2005 19:05:22.560 SEV=6 AUTH/41 RPT=1240 12.34.56.78 Authentication successful: handle = 277, server = Internal, group = L2L: Smc
-31325 06/01/2005 19:05:22.560 SEV=4 AUTH/22 RPT=1084 User [L2L: Smc] Group [L2L: Smc] connected, Session Type: IPSec/LAN-to-LAN
-31326 06/01/2005 19:05:22.570 SEV=4 AUTH/84 RPT=1029 LAN-to-LAN tunnel to headend device 12.34.56.78 connected
-31351 06/01/2005 19:05:22.580 SEV=7 AUTH/13 RPT=1300 Authentication session closed: handle = 277
-31352 06/01/2005 19:05:25.540 SEV=4 EVENT/39 RPT=1915 Event Manager erased file(s) LOG34591.TXT when saving file: log35028.txt
-22929 04/06/2005 10:07:08.170 SEV=3 AUTH/5 RPT=10801 66.119.119.212 Authentication rejected: Reason = Unspecified handle = 732, server = 162.116.30.137, user = Romano_Bobby, domain = <not specified>
-Nov 23 19:10:03 test.net 24067 23/11/2006 19:10:03.123 SEV=4 IKE/52 RPT=764 112.10.1.1 Group [NONE] User [xyz] User (xyz) authenticated.
+++ /dev/null
-Sep 14 07:21:42 iron vpopmail[939]: vchkpw-pop3: password fail keith1@xxxx.com:219.136.100.198
-Sep 14 07:21:42 iron vpopmail[937]: vchkpw-pop3: password fail keith2@xxxx.com:219.136.100.198
-Sep 14 07:21:42 iron vpopmail[935]: vchkpw-pop3: password fail keith3@xxxx.com:219.136.100.198
-Sep 14 07:21:42 iron vpopmail[931]: vchkpw-pop3: password fail keith4@xxxx.com:219.136.100.198
-Sep 14 07:21:41 iron vpopmail[923]: vchkpw-pop3: password fail keith5@xxxx.com:219.136.100.198
-Sep 14 07:21:40 iron vpopmail[910]: vchkpw-pop3: password fail keith6@xxxx.com:219.136.100.198
-Sep 14 07:21:40 iron vpopmail[903]: vchkpw-pop3: password fail keith7@xxxx.com:219.136.100.198
-Sep 14 07:21:40 iron vpopmail[901]: vchkpw-pop3: password fail keith9@xxxx.com:219.136.100.198
-Sep 14 07:21:39 iron vpopmail[899]: vchkpw-pop3: password fail keitha@xxxx.com:219.136.100.198
-Sep 14 07:21:39 iron vpopmail[896]: vchkpw-pop3: password fail keithb@xxxx.com:219.136.100.198
-Sep 14 07:21:39 iron vpopmail[893]: vchkpw-pop3: password fail keithc@xxxx.com:219.136.100.198
-Sep 14 07:21:39 iron vpopmail[890]: vchkpw-pop3: password fail keithd@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[883]: vchkpw-pop3: password fail keithe@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[888]: vchkpw-pop3: password fail keithf@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[881]: vchkpw-pop3: password fail keithg@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[884]: vchkpw-pop3: password fail keithh@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[878]: vchkpw-pop3: password fail keithi@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[872]: vchkpw-pop3: password fail keithj@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[873]: vchkpw-pop3: password fail keithk@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[876]: vchkpw-pop3: password fail keithl@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[870]: vchkpw-pop3: password fail keithm@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[868]: vchkpw-pop3: password fail keithn@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[866]: vchkpw-pop3: password fail keitho@xxxx.com:219.136.100.198
-Sep 14 07:21:38 iron vpopmail[863]: vchkpw-pop3: password fail keithp@xxxx.com:219.136.100.198
-Sep 14 07:21:37 iron vpopmail[858]: vchkpw-pop3: password fail keithq@xxxx.com:219.136.100.198
-Sep 14 07:21:37 iron vpopmail[860]: vchkpw-pop3: password fail keiths@xxxx.com:219.136.100.198
+++ /dev/null
-86 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
-588 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
-9 200.255.5.155 TCP_NEGATIVE_HIT/404 726 GET http://arborfolia.com/nul.php - NONE/- text/html
-326 200.255.5.155 TCP_MISS/404 717 GET http://arborfolia.com/nul.php - DIRECT/66.49.208.142 text/html
-1001 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
-966 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
-543 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
-545 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
-504 200.255.5.155 TCP_MISS/404 443 GET http://ujscie.one.pl/nul.php - DIRECT/82.96.66.63 text/html
-
-
-OSSEC HIDS Notification.
-2006 Jun 20 08:09:32
-
-Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
-Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
-Portion of the log(s):
-
-576 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
-543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
-955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
-934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
-328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
-329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
-546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
-512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
-2085 200.255.5.155 TCP_MISS/404 502 GET http://www.jonogueira.com/nul.php - DIRECT/69.0.160.233 text/html
-
-
-
- --END OF NOTIFICATION
-
-
-
- OSSEC HIDS Notification.
- 2006 Jun 20 08:09:33
-
- Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
- Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
- Portion of the log(s):
-
- 1004 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
- 784 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
- 543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
- 955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
- 934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
- 328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
- 329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
- 546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
- 512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
-
-http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=223894
-
-http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=TROJ_BAGLE.EY&VSect=T
+++ /dev/null
-Fri Mar 31 10:22:44 2006 0 201.44.122.146 32003 /usr/pages/users/resende/htdocs/images/festas/bannerterror.jpg a _ d r canalresende ftp 0 * c
-
- "Fri Mar 31 10:22:45 2006 0 201.44.122.146 88302
- /usr/pages/users/resende/htdocs/images/festas/banterror.jpg a _ d r
- canalresende ftp 0 * c"
-
-Mon Apr 17 18:27:14 2006 1 64.160.42.130 0 /pub/lyx/devel/log b _ o a mozilla@example.com ftp 0 * i
-Mon Apr 17 18:27:20 2006 2 64.160.42.130 42930 /pub/lyx/devel/log/qtbuild.log b _ o a mozilla@example.com ftp 0 * c
-Mon Apr 17 20:35:20 2006 1 66.249.66.74 0 /pub/noweb b _ o a googlebot@google.com ftp 0 * i
-Tue Apr 18 00:29:01 2006 176 193.219.28.2 6359760 /pub/lyx/devel/lyx-devel.tar.bz2 b _ o a mirror@icm.edu.pl ftp 0 * i
-Tue Apr 18 00:30:02 2006 60 193.219.28.2 0 /pub/lyx/devel/log/xformsbuild.log b _ o a mirror@icm.edu.pl ftp 0 * i
-Tue Apr 18 00:31:02 2006 60 193.219.28.2 0 /pub/lyx/devel/log/qtbuild.log b _ o a mirror@icm.edu.pl ftp 0 * i
-Tue Apr 18 10:47:30 2006 1 66.249.65.137 0 /pub/lyx/html b _ o a googlebot@google.com ftp 0 * i
-Tue Apr 18 15:48:41 2006 1 83.135.64.94 0 /pub/lyx b _ o a mozilla@example.com ftp 0 * i
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/mailscanner_rules.xml, 2011/09/08 dcid Exp $
-
- - Example of MailScanner rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,mailscanner,">
- <rule id="3700" level="0">
- <decoded_as>mailscanner</decoded_as>
- <description>Grouping of mailscanner rules.</description>
- </rule>
-
- <rule id="3701" level="0">
- <if_sid>3700</if_sid>
- <action>not</action>
- <description>Non spam message. Ignored.</description>
- </rule>
-
- <rule id="3702" level="5">
- <if_sid>3700</if_sid>
- <action>spam</action>
- <description>Mail Scanner spam detected.</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3751" level="6" frequency="6" timeframe="180">
- <if_matched_sid>3702</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts of spam.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3752" level="0">
- <if_sid>1002</if_sid>
- <program_name>update.bad.phishing.sites</program_name>
- <match>^Phishing bad sites list updated</match>
- <description>ignore</description>
- </rule>
-
-</group> <!-- SYSLOG,MAILSCANNER -->
-
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/mcafee_av_rules.xml, 2011/09/08 dcid Exp $
-
- - McAfee AV rules for OSSEC.
- -
- - Copyright (C) 2008 Michael Starks
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -->
-
-<var name="MCAFEE_ERROR">^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$</var>
-<var name="MCAFEE_WARN">^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$</var>
-<var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var>
-<var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var>
-<var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var>
-<var name="MCAFEE_FREQ">10</var>
-
-<group name="mcafee,">
- <rule id="7500" level="0">
- <if_sid>18101,18102,18103</if_sid>
- <category>windows</category>
- <extra_data>^McLogEvent</extra_data>
- <description>Grouping of McAfee Windows AV rules.</description>
- </rule>
-
- <rule id="7501" level="2">
- <if_sid>7500</if_sid>
- <id>$MCAFEE_INFO</id>
- <description>McAfee Windows AV informational event.</description>
- </rule>
-
- <rule id="7502" level="3">
- <if_sid>7500</if_sid>
- <id>$MCAFEE_WARN</id>
- <description>McAfee Windows AV warning event.</description>
- </rule>
-
- <rule id="7503" level="4">
- <if_sid>7500</if_sid>
- <id>$MCAFEE_ERROR</id>
- <description>McAfee Windows AV error event.</description>
- </rule>
-
- <rule id="7504" level="12">
- <if_sid>7500</if_sid>
- <regex>$MCAFEE_VIRUS</regex>
- <group>virus</group>
- <description>McAfee Windows AV - Virus detected and not removed.</description>
- </rule>
-
- <rule id="7505" level="7">
- <if_sid>7504</if_sid>
- <match>$MCAFEE_VIRUS_OK</match>
- <group>virus</group>
- <description>McAfee Windows AV - Virus detected and properly removed.</description>
- </rule>
-
- <rule id="7506" level="7">
- <if_sid>7504</if_sid>
- <match>Will be deleted</match>
- <group>virus</group>
- <description>McAfee Windows AV - Virus detected and file will be deleted.</description>
- </rule>
-
- <rule id="7507" level="3">
- <if_sid>7500</if_sid>
- <match>scan started|scan stopped</match>
- <description>McAfee Windows AV - Scan started or stopped.</description>
- </rule>
-
- <rule id="7508" level="3">
- <if_sid>7501</if_sid>
- <id>^257</id>
- <match>completed. No detections</match>
- <description>McAfee Windows AV - Scan completed with no viruses found.</description>
- </rule>
-
- <rule id="7509" level="5">
- <if_sid>7500</if_sid>
- <match>scan was cancelled |has taken too long</match>
- <description>McAfee Windows AV - Virus scan cancelled.</description>
- </rule>
-
- <rule id="7510" level="5">
- <if_sid>7500</if_sid>
- <match>scan was canceled because</match>
- <description>McAfee Windows AV - Virus scan cancelled due to shutdown.</description>
- </rule>
-
- <rule id="7511" level="3">
- <if_sid>7500</if_sid>
- <match>update was successful</match>
- <description>McAfee Windows AV - Virus program or DAT update succeeded.</description>
- </rule>
-
- <rule id="07512" level="7">
- <if_sid>7500</if_sid>
- <match>update failed</match>
- <description>McAfee Windows AV - Virus program or DAT update failed.</description>
- </rule>
-
- <rule id="7513" level="7">
- <if_sid>7500</if_sid>
- <match>update was cancelled</match>
- <description>McAfee Windows AV - Virus program or DAT update cancelled.</description>
- </rule>
-
- <rule id="7514" level="5">
- <if_sid>7505</if_sid>
- <match>contains the EICAR test file</match>
- <options>alert_by_email</options>
- <description>McAfee Windows AV - EICAR test file detected.</description>
- </rule>
-
- <!-- Composite rules -->
-
- <rule id="7550" level="10" frequency="$MCAFEE_FREQ" timeframe="240">
- <if_matched_sid>7502</if_matched_sid>
- <description>Multiple McAfee AV warning events.</description>
- </rule>
-
-</group>
-
+++ /dev/null
-<!-- Rules for Modern Honeypot Network - Cowrie, -->
-
-<!-- IDs: 53830 - 53840 -->
-<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
-
-<group name="mhn,json">
-
- <rule id="53830" level="8">
- <decoded_as>cowrie</decoded_as>
- <action>SSH login attempted on cowrie honeypot</action>
- <description>SSH login attempted on cowrie honeypot</description>
- </rule>
-
- <rule id="53831" level="8">
- <decoded_as>cowrie</decoded_as>
- <action>SSH session on cowrie honeypot</action>
- <description>SSH session established on cowrie honeypot</description>
- </rule>
-
- <rule id="53832" level="8">
- <decoded_as>cowrie</decoded_as>
- <action>command attempted on cowrie honeypot</action>
- <description>A command was attempted in SSH session on cowrie honeypot</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- Rules for Modern Honeypot Network - Dionaea, -->
-
-<!-- IDs: 53826 - 53829 -->
-<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
-
-<group name="mhn,json">
-
- <rule id="53826" level="8">
- <decoded_as>dionaea</decoded_as>
- <description>Connection to Dionaea Honeypot identified</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/ms-exchange_rules.xml, 2011/09/08 dcid Exp $
-
- - Example of MS Exchange rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Still BETA - anyone using it? -->
-
-
-<group name="ms,exchange,">
- <rule id="3800" level="0">
- <decoded_as>msexchange</decoded_as>
- <description>Grouping of Exchange rules.</description>
- </rule>
-
- <rule id="3801" level="4">
- <if_sid>3800</if_sid>
- <action>RCPT</action>
- <id>^550</id>
- <description>E-mail rcpt is not valid (invalid account).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3802" level="4">
- <if_sid>3800</if_sid>
- <id>^5</id>
- <description>E-mail 500 error code.</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3851" level="9" frequency="10" timeframe="120" ignore="120">
- <if_matched_sid>3801</if_matched_sid>
- <same_source_ip />
- <description>Multiple e-mail attempts to an invalid account.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3852" level="9" frequency="12" timeframe="120" ignore="240">
- <if_matched_sid>3802</if_matched_sid>
- <same_source_ip />
- <description>Multiple e-mail 500 error code (spam).</description>
- <group>multiple_spam,</group>
- </rule>
-
-
-</group> <!-- MS,Exchange -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/ms-se_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Microsoft Security Essentials rules for OSSEC.
- -
- - Copyright (C) 2010 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-
-
-<group name="windows,mse,">
- <rule id="7701" level="0">
- <category>windows</category>
- <if_sid>18101,18102,18103</if_sid>
- <extra_data>^Microsoft Antimalware</extra_data>
- <description>Grouping of Microsoft Security Essentials rules.</description>
- </rule>
-
- <rule id="7710" level="12">
- <if_sid>7701</if_sid>
- <id>^1118$|^1119$</id>
- <group>virus</group>
- <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
- </rule>
-
- <rule id="7711" level="7">
- <if_sid>7701</if_sid>
- <id>^1107$</id>
- <group>virus</group>
- <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
- </rule>
-
- <rule id="7712" level="7">
- <if_sid>7701</if_sid>
- <id>^1119$|^1118$|^1117$|^1116$</id>
- <group>virus</group>
- <description>Microsoft Security Essentials - Virus detected.</description>
- </rule>
-
- <rule id="7713" level="7">
- <if_sid>7701</if_sid>
- <id>^1015$</id>
- <group>virus,</group>
- <description>Microsoft Security Essentials - Suspicious activity detected.</description>
- </rule>
-
- <rule id="7720" level="3">
- <if_sid>7701</if_sid>
- <id>^5007$</id>
- <description>Microsoft Security Essentials - Configuration changed.</description>
- <group>policy_changed,</group>
- </rule>
-
- <rule id="7721" level="9">
- <if_sid>7701</if_sid>
- <id>^5008$</id>
- <description>Microsoft Security Essentials - Service failed.</description>
- </rule>
-
- <rule id="7722" level="9">
- <if_sid>7701</if_sid>
- <id>^3002$</id>
- <description>Microsoft Security Essentials - Real time protection failed.</description>
- </rule>
-
- <rule id="7723" level="8">
- <if_sid>7701</if_sid>
- <id>^2012$</id>
- <description>Microsoft Security Essentials - Cannot use Dynamic Signature Service.</description>
- </rule>
-
- <rule id="7724" level="8">
- <if_sid>7701</if_sid>
- <id>^2004$</id>
- <description>Microsoft Security Essentials - Loading definitions failed. Using last good set.</description>
- </rule>
-
- <rule id="7725" level="8">
- <if_sid>7701</if_sid>
- <id>^2003$</id>
- <description>Microsoft Security Essentials - Engine update failed.</description>
- </rule>
-
- <rule id="7726" level="8">
- <if_sid>7701</if_sid>
- <id>^2001$</id>
- <description>Microsoft Security Essentials - Definitions update failed.</description>
- </rule>
-
- <rule id="7727" level="7">
- <if_sid>7701</if_sid>
- <id>^1005$</id>
- <description>Microsoft Security Essentials - Scan error. Scan has stopped.</description>
- </rule>
-
- <rule id="7728" level="5">
- <if_sid>7701</if_sid>
- <id>^1002$</id>
- <description>Microsoft Security Essentials - Scan stopped before completion.</description>
- </rule>
-
-
- <rule id="7731" level="5">
- <if_sid>7711, 7712</if_sid>
- <match>Virus:DOS/EICAR_Test_File</match>
- <options>alert_by_email</options>
- <description>Microsoft Security Essentials - EICAR test file detected.</description>
- </rule>
-
-
- <rule id="7750" level="10" frequency="6" timeframe="240">
- <if_matched_sid>7711</if_matched_sid>
- <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
- </rule>
-
- <rule id="7751" level="10" frequency="6" timeframe="240">
- <if_matched_sid>7712</if_matched_sid>
- <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
- </rule>
-</group> <!-- mse -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- OSSEC USB-detection Rule for Windows 2016 / Windows 10 (previous versions does not log usb connection) - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416 -->
-
-<group name="windows,usb,">
- <rule id="53626" level="8">
- <if_sid>18104</if_sid>
- <id>^6416$</id>
- <description>A new external device was recognized by the System</description>
- <group>windows,</group>
- </rule>
-</group>
+++ /dev/null
-
-<!-- @(#) $Id: ./etc/rules/ms_dhcp_rules.xml, 2011/09/08 dcid Exp $
-
- - Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
- - Author: phishphreek@gmail.com
- - License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
- -->
-
-
-<!--Server 2003 and 2008 IPv4 Event ID Meaning
-00 The log was started.
-01 The log was stopped.
-02 The log was temporarily paused due to low disk space.
-10 A new IP address was leased to a client.
-11 A lease was renewed by a client.
-12 A lease was released by a client.
-13 An IP address was found to be in use on the network.
-14 A lease request could not be satisfied because the scope's address pool was exhausted.
-15 A lease was denied.
-16 A lease was deleted.
-17 A lease was expired.
-18 A lease was expired and DNS records were deleted. (Server 2008 Only)
-20 A BOOTP address was leased to a client.
-21 A dynamic BOOTP address was leased to a client.
-22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
-23 A BOOTP IP address was deleted after checking to see it was not in use.
-24 IP address cleanup operation has began.
-25 IP address cleanup statistics.
-30 DNS update request to the named DNS server
-31 DNS update failed
-32 DNS update successful
-33 Packet dropped due to NAP policy. Server 2008 Only)
-50+ Codes above 50 are used for Rogue Server Detection information.
--->
-
-
-<!--Server 2003 IPv4 Log Sample
-ID,Date,Time,Description,IP Address,Host Name,MAC Address
-24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
-31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
-30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
-25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
-11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
-32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
-15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
-10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
-12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
-18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
-17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
--->
-
-
-<group name="windows,dhcp,">
- <rule id="6300" level="0">
- <decoded_as>ms-dhcp-ipv4</decoded_as>
- <description>Grouping for the MS-DHCP rules.</description>
- </rule>
-
- <rule id="6301" level="2">
- <if_sid>6300</if_sid>
- <id>^00</id>
- <description>The log was started.</description>
- <group>service_start,</group>
- </rule>
-
- <rule id="6302" level="3">
- <if_sid>6300</if_sid>
- <id>^01</id>
- <description>The log was stopped.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="6303" level="10">
- <if_sid>6300</if_sid>
- <id>^02</id>
- <description>The log was temporarily paused due to low disk space.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="6304" level="0">
- <if_sid>6300</if_sid>
- <id>^10</id>
- <description>A new IP address was leased to a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6305" level="0">
- <if_sid>6300</if_sid>
- <id>^11</id>
- <description>A lease was renewed by a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6306" level="0">
- <if_sid>6300</if_sid>
- <id>^12</id>
- <description>A lease was released by a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6307" level="0">
- <if_sid>6300</if_sid>
- <id>^13</id>
- <description>An IP address was found to be in use on the network.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6308" level="12">
- <if_sid>6300</if_sid>
- <id>^14</id>
- <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
- <group>service_availability,dhcp_lease_action,</group>
- </rule>
-
- <rule id="6309" level="7">
- <if_sid>6300</if_sid>
- <id>^15</id>
- <description>A lease was denied.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6310" level="0">
- <if_sid>6300</if_sid>
- <id>^16</id>
- <description>A lease was deleted.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6311" level="0">
- <if_sid>6300</if_sid>
- <id>^17</id>
- <description>A lease was expired and DNS records for an expired leases have not been deleted.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6322" level="0">
- <if_sid>6300</if_sid>
- <id>^18</id>
- <description>A lease was expired and DNS records were deleted.</description>
- <group>dhcp_lease_action,dhcp_dns_maintenance</group>
- </rule>
-
- <rule id="6312" level="0">
- <if_sid>6300</if_sid>
- <id>^20</id>
- <description>A BOOTP address was leased to a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6313" level="0">
- <if_sid>6300</if_sid>
- <id>^21</id>
- <description>A dynamic BOOTP address was leased to a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
-
- <rule id="6314" level="10">
- <if_sid>6300</if_sid>
- <id>^22</id>
- <description>A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6315" level="0">
- <if_sid>6300</if_sid>
- <id>^23</id>
- <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6316" level="3">
- <if_sid>6300</if_sid>
- <id>^24</id>
- <description>IP address cleanup operation has began.</description>
- <group>dhcp_maintenance,</group>
- </rule>
-
- <rule id="6317" level="2">
- <if_sid>6300</if_sid>
- <id>^25</id>
- <description>IP address cleanup statistics.</description>
- <group>dhcp_maintenance,</group>
- </rule>
-
- <rule id="6318" level="0">
- <if_sid>6300</if_sid>
- <id>^30</id>
- <description>DNS update request to the named DNS server.</description>
- <group>dhcp_dns_maintenance,</group>
- </rule>
-
- <rule id="6319" level="7">
- <if_sid>6300</if_sid>
- <id>^31</id>
- <description>DNS update failed.</description>
- <group>dhcp_dns_maintenance,</group>
- </rule>
-
- <rule id="6320" level="0">
- <if_sid>6300</if_sid>
- <id>^32</id>
- <description>DNS update successful.</description>
- <group>dhcp_dns_maintenance,</group>
- </rule>
-
- <rule id="6323" level="12">
- <if_sid>6300</if_sid>
- <id>^33</id>
- <description>Packet dropped due to NAP policy.</description>
- <group>dhcp_lease_action,</group>
-
- </rule>
-
- <rule id="6321" level="12">
- <if_sid>6300</if_sid>
- <id>^5</id>
- <description>Codes above 50 are used for Rogue Server Detection information.</description>
- <group>dhcp_rogue_server,</group>
- </rule>
-
-
-
-<!--
-Server 2008 IPv6 Event ID Meaning
-11000 Solicit.
-11001 Advertise.
-11002 Request.
-11003 Confirm.
-11004 Renew.
-11005 Rebind.
-11006 Decline.
-11007 Release.
-11008 Information Request.
-11009 Scope Full.
-11010 Started.
-11011 Stopped.
-11012 Audit log paused.
-11013 DHCP Log File.
-11014 Bad Address.
-11015 Address is already in use.
-11016 Client deleted.
-11017 DNS record not deleted.
-11018 Expired.
-11019 Expired and Deleted count.
-11020 Database cleanup begin.
-11021 Database cleanup end.
-11023 Service not authorized in AD.
-11024 Service authorized in AD.
-11025 Service has not determined if it authorized in AD.
--->
-<!--Server 2008 IPv6 Log Sample (short on samples, not currently using)
-11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
-11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
-11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
-11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
-11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
--->
-
- <rule id="6350" level="0">
- <decoded_as>ms-dhcp-ipv6</decoded_as>
- <description>Grouping for the MS-DHCP rules.</description>
- </rule>
-
- <rule id="6351" level="0">
- <if_sid>6350</if_sid>
- <id>^11000</id>
- <description>Solicit.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6352" level="0">
- <if_sid>6350</if_sid>
- <id>^11001|^11002</id>
- <description>Advertise.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6354" level="0">
- <if_sid>6350</if_sid>
- <id>^11003</id>
- <description>Confirm.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6355" level="0">
- <if_sid>6350</if_sid>
- <id>^11004</id>
- <description>Renew.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6356" level="0">
- <if_sid>6350</if_sid>
- <id>^11005</id>
- <description>Rebind.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
-
- <rule id="6357" level="7">
- <if_sid>6350</if_sid>
- <id>^11006</id>
- <description>DHCP Decline.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6358" level="0">
- <if_sid>6350</if_sid>
- <id>^11007</id>
- <description>Release.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6359" level="0">
- <if_sid>6350</if_sid>
- <id>^11008</id>
- <description>Information Request.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6360" level="12">
- <if_sid>6350</if_sid>
- <id>^11009</id>
- <description>Scope Full.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6361" level="3">
- <if_sid>6350</if_sid>
- <id>^11010</id>
- <description>Started.</description>
- <group>service_start,</group>
- </rule>
-
- <rule id="6362" level="7">
- <if_sid>6350</if_sid>
- <id>^11011</id>
- <description>Stopped.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="6363" level="10">
- <if_sid>6350</if_sid>
- <id>^11012</id>
- <description>Audit log paused.</description>
- <group>service_availability,</group>
- </rule>
-
-
- <rule id="6364" level="7">
- <if_sid>6350</if_sid>
- <id>^11013</id>
- <description>DHCP Log File.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="6365" level="7">
- <if_sid>6350</if_sid>
- <id>^11014</id>
- <description>Bad Address.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6366" level="4">
- <if_sid>6350</if_sid>
- <id>^11015</id>
- <description>Address is already in use.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6367" level="0">
- <if_sid>6350</if_sid>
- <id>^11016</id>
- <description>Client deleted.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6368" level="0">
- <if_sid>6350</if_sid>
- <id>^11017</id>
- <description>DNS record not deleted.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6369" level="0">
- <if_sid>6350</if_sid>
- <id>^11018</id>
- <description>Expired.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6370" level="0">
- <if_sid>6350</if_sid>
- <id>^11019</id>
- <description>Expired and Deleted count.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6371" level="2">
- <if_sid>6350</if_sid>
- <id>^11020</id>
- <description>Database cleanup begin.</description>
- <group>dhcp_ipv6,</group>
-
- </rule>
-
- <rule id="6372" level="2">
- <if_sid>6350</if_sid>
- <id>^11021</id>
- <description>Database cleanup end.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6373" level="12">
- <if_sid>6350</if_sid>
- <id>^11023</id>
- <description>Service not authorized in AD.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6374" level="3">
- <if_sid>6350</if_sid>
- <id>^11024</id>
- <description>Service authorized in AD.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6376" level="12">
- <if_sid>6350</if_sid>
- <id>^11025</id>
- <description>Service has not determined if it is authorized in AD.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-</group>
-
+++ /dev/null
-<!-- OSSEC Rules for Windows Firewall - https://support.microsoft.com/en-us/help/977519/description-of-security-events-in-windows-7-and-in-windows-server-2008 -->
-
-<group name="windows,firewall,">
-
- <rule id="53631" level="3">
- <if_sid>18104</if_sid>
- <id>^5024$</id>
- <description>Windows Firewall Service has started successfully</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53632" level="8">
- <if_sid>18104</if_sid>
- <id>^5025$</id>
- <description>Windows Firewall Service has been stopped</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53633" level="4">
- <if_sid>18104</if_sid>
- <id>^5027$</id>
- <description>Windows Firewall Service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53634" level="4">
- <if_sid>18104</if_sid>
- <id>^5028$</id>
- <description>Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53635" level="4">
- <if_sid>18104</if_sid>
- <id>^5029$</id>
- <description>The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53636" level="8">
- <if_sid>18104</if_sid>
- <id>^5030$</id>
- <description>Windows Firewall Service failed to start</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53637" level="2">
- <if_sid>18105</if_sid>
- <id>^5031$</id>
- <description>Windows Firewall Service blocked an application from accepting incoming connections on the network</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53638" level="2">
- <if_sid>18105</if_sid>
- <id>^5032$</id>
- <description>Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53639" level="3">
- <if_sid>18104</if_sid>
- <id>^5033$</id>
- <description>Windows Firewall Driver started successfully</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53640" level="8">
- <if_sid>18104</if_sid>
- <id>^5034$</id>
- <description>Windows Firewall Driver was stopped</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53641" level="8">
- <if_sid>18105</if_sid>
- <id>^5035$</id>
- <description>Windows Firewall Driver failed to start</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53642" level="8">
- <if_sid>18105</if_sid>
- <id>^5037$</id>
- <description>Windows Firewall Driver detected a critical runtime error, terminating</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53643" level="8">
- <if_sid>18104</if_sid>
- <id>^4946$</id>
- <description>A rule was added to Windows Firewall exception list</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53644" level="8">
- <if_sid>18104</if_sid>
- <id>^4947$</id>
- <description>A rule was modified from Windows Firewall exception list</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53645" level="8">
- <if_sid>18104</if_sid>
- <id>^4948$</id>
- <description>A rule was deleted from Windows Firewall exception list</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53646" level="8">
- <if_sid>18104</if_sid>
- <id>^4949$</id>
- <description>Windows Firewall settings were restored to the default values</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53647" level="8">
- <if_sid>18104</if_sid>
- <id>^4950$</id>
- <description>A Windows Firewall setting was changed</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53648" level="8">
- <if_sid>18105</if_sid>
- <id>^4951$</id>
- <description>Windows Firewall ignored a rule because its major version number is not recognized.</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53649" level="8">
- <if_sid>18105</if_sid>
- <id>^4952$</id>
- <description>Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53650" level="8">
- <if_sid>18105</if_sid>
- <id>^4953$</id>
- <description>Windows Firewall ignored a rule because it could not be parsed</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53651" level="8">
- <if_sid>18104</if_sid>
- <id>^4954$</id>
- <description>Group Policy settings for Windows Firewall were changed, and the new settings were applied</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53652" level="8">
- <if_sid>18104</if_sid>
- <id>^4956$</id>
- <description>Windows Firewall changed the active profile</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53653" level="8">
- <if_sid>18105</if_sid>
- <id>^4957$</id>
- <description>Windows Firewall did not apply some rules</description>
- <group>windows_firewall</group>
- </rule>
-
- <rule id="53654" level="8">
- <if_sid>18105</if_sid>
- <id>^4958$</id>
- <description>Windows Firewall did not apply some rules because the rule referred to items not configured on this computer</description>
- <group>windows_firewall</group>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/ms_ftpd_rules.xml, 2011/09/08 dcid Exp $
-
- - Example of Microsoft FTP rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,msftp,">
- <rule id="11500" level="0">
- <decoded_as>msftp</decoded_as>
- <description>Grouping for the Microsoft ftp rules.</description>
- </rule>
-
- <rule id="11501" level="3">
- <if_sid>11500</if_sid>
- <action>USER</action>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11502" level="5">
- <if_sid>11500</if_sid>
- <action>PASS</action>
- <id>530</id>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11503" level="3">
- <if_sid>11500</if_sid>
- <action>PASS</action>
- <id>230</id>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="11504" level="4">
- <if_sid>11500</if_sid>
- <id>^5</id>
- <description>FTP client request failed.</description>
- </rule>
-
- <rule id="11510" level="10" frequency="6" timeframe="120">
- <if_matched_sid>11502</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11511" level="10" frequency="8" timeframe="30">
- <if_matched_sid>11501</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11512" level="10" frequency="6" timeframe="120">
- <if_matched_sid>11504</if_matched_sid>
- <same_source_ip />
- <description>Multiple FTP errors from same source.</description>
- </rule>
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- OSSEC Rules for Windows Firewall - https://www.csoonline.com/article/2619761/security/what-to-monitor-to-stop-hacker-and-malware-attacks.html?page=3, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor -->
-
-
-<group name="windows, ipsec,">
-
- <rule id="18651" level="8">
- <if_sid>18104</if_sid>
- <id>^4646$</id>
- <description>IKE DoS-prevention mode started</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18652" level="8">
- <if_sid>18105</if_sid>
- <id>^4652$|^4653$</id>
- <description>An IPsec Main Mode negotiation failed</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18653" level="8">
- <if_sid>18105</if_sid>
- <id>^4654$</id>
- <description>An IPsec Quick Mode negotiation failed</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18654" level="8">
- <if_sid>18104</if_sid>
- <id>^4983$|^4984$</id>
- <description>An IPsec Extended Mode negotiation failed</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18655" level="4">
- <if_sid>18104</if_sid>
- <id>^4960$</id>
- <description>IPsec dropped an inbound packet that failed an integrity check</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18656" level="8">
- <if_sid>18104</if_sid>
- <id>^4961$|^4962$</id>
- <description>IPsec dropped an inbound packet that failed a replay check</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18657" level="8">
- <if_sid>18104</if_sid>
- <id>^4963$</id>
- <description>IPsec dropped an inbound clear text packet that should have been secured</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18658" level="4">
- <if_sid>18104</if_sid>
- <id>^4965$</id>
- <description>IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18659" level="7">
- <if_sid>18104</if_sid>
- <id>^4976$</id>
- <description>During Main Mode negotiation, IPsec received an invalid negotiation packet</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18660" level="7">
- <if_sid>18104</if_sid>
- <id>^4977$</id>
- <description>During Quick Mode negotiation, IPsec received an invalid negotiation packet</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18661" level="7">
- <if_sid>18104</if_sid>
- <id>^4978$</id>
- <description>During Extended Mode negotiation, IPsec received an invalid negotiation packet</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18662" level="8">
- <if_sid>18104</if_sid>
- <id>^5453$</id>
- <description>An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18663" level="8">
- <if_sid>18105</if_sid>
- <id>^5480$</id>
- <description>IPsec Services failed to get the complete list of network interfaces on the computer</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18664" level="8">
- <if_sid>18105</if_sid>
- <id>^5483$</id>
- <description>IPsec Services failed to initialize RPC server. IPsec Services could not be started</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18665" level="8">
- <if_sid>18105</if_sid>
- <id>^5484$</id>
- <description>IPsec Services has experienced a critical failure and has been shut down</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18666" level="8">
- <if_sid>18105</if_sid>
- <id>^5485$</id>
- <description>IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18667" level="8">
- <if_sid>18104</if_sid>
- <id>^4710$</id>
- <description>IPsec Services was disabled</description>
- <group>windows,</group>
- </rule>
-
-
- <rule id="18668" level="8">
- <if_sid>18105</if_sid>
- <id>^4712$</id>
- <description>IPsec Services encountered a potentially serious failure</description>
- <group>windows,</group>
- </rule>
-
-</group>
+++ /dev/null
-<!-- OSSEC PowerShell event rules for Windows (https://www.rootusers.com/enable-and-configure-module-script-block-and-transcription-logging-in-windows-powershell/, https://www.searchdatacenter.de/tipp/PowerShell-Logging-steigert-die-Unternehmenssicherheit, https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5760096ecf80a129e0b17634/1465911664070/Windows-PowerShell+Logging+Cheat+Sheet+ver+June+2016+v2.pdf -->
-
-<!-- Not recommended by CIS due to Windows default ACL settings -->
-<!-- Turn on logging: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell -> Turn on PowerShell Script Block Logging -->
-<!-- Add <localfile> <location>Powershell</location> <log_format>eventlog</log_format> </localfile> to ossec.conf on Windows Agent -->
-
-<!-- Rule IDs 20500-2509 -->
-
-<group name="windows,powershell,">
-
- <rule id="20500" level="8">
- <if_sid>18101</if_sid>
- <id>^400$</id>
- <match>PowerShell</match>
- <description>Windows PowerShell was started.</description>
- </rule>
-
- <rule id="20501" level="8">
- <if_sid>18101</if_sid>
- <id>^800$</id>
- <match>PowerShell</match>
- <description>Windows PowerShell command executed.</description>
- </rule>
-
- <rule id="20502" level="8">
- <if_sid>18101</if_sid>
- <id>^403$</id>
- <match>PowerShell</match>
- <description>Windows PowerShell was stopped.</description>
- </rule>
-
- <rule id="20503" level="2">
- <if_sid>20501</if_sid>
- <regex>Set-StrictMode -Version 1; \.+\w+</regex>
- <description>A wrong/misspelled command was tried</description>
- </rule>
-
- <rule id="20504" level="2">
- <if_sid>20501</if_sid>
- <match>CommandLine= CommandInvocation</match>
- <description>Powershell background activity</description>
- </rule>
-
- <rule id="20505" level="12">
- <if_sid>20501</if_sid>
- <match>Set-ExecutionPolicy|Mimikatz|EncodedCommand|Payload|Find-AVSignature|DllInjection|ReflectivePEInjection|Invoke-Shellcode|Invoke--Shellcode|Invoke-ShellcodeMSIL|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|Set-MasterBootRecord|New-ElevatedPersistenceOption|Invoke-CallbackIEX|Invoke-PSInject|Invoke-DllEncode|Get-ServiceUnquoted|Get-ServiceEXEPerms|Get-ServicePerms|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-UserAddMSI|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Invoke-FindDLLHijack|Invoke-FindPathHijack|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-UnattendedInstallFiles|Get-Webconfig|Get-Webconfig|Get-ApplicationHost|Invoke-AllChecks|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|HTTP-Backdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Execute-OnTime|DNS_TXT_Pwnage|Out-Word|Out-Excel|Out-Java|Out-Shortcut|Out-CHM|Out-HTA|Enable-DuplicateToken|Remove-Update|Execute-DNSTXT-Code|Download-Execute-PS|Execute-Command-MSSQL|Download_Execute|Get-PassHashes|Invoke-CredentialsPhish|Get-LsaSecret|Get-Information|Invoke-MimikatzWDigestDowngrade|Copy-VSS|Check-VM|Invoke-NetworkRelay|Create-MultipleSessions|Run-EXEonRemote|Invoke-BruteForce|Port-Scan|Invoke-PowerShellIcmp|Invoke-PowerShellUdp|Invoke-PsGcatAgent|Invoke-PoshRatHttps|Invoke-PowerShellTcp|Invoke-PoshRatHttp|Invoke-PowerShellWmi|Invoke-PSGcat|Remove-PoshRat|TexttoEXE|Invoke-Encode|Invoke-Decode|Base64ToString|StringtoBase64|Do-Exfiltration|Parse_Keys|Add-Exfiltration|Add-Persistence|Remove-Persistence|Invoke-CreateCertificate|powercat|Find-PSServiceAccounts|Get-PSADForestKRBTGTInfo|Discover-PSMSSQLServers|Discover-PSMSExchangeServers|Get-PSADForestInfo|Get-KerberosPolicy|Discover-PSInterestingServices</match>
- <description>Possibly Dangerous Command Detected (https://gist.github.com/gfoss/2b39d680badd2cad9d82#file-powershell-command-line-logging)</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/msauth_rules.xml, 2011/09/08 dcid Exp $
-
- - Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<var name="MS_FREQ">6</var>
-
-<group name="windows,">
- <rule id="18100" level="0">
- <category>windows</category>
- <description>Group of windows rules.</description>
- </rule>
-
- <rule id="18101" level="0">
- <if_sid>18100</if_sid>
- <status>^INFORMATION</status>
- <description>Windows informational event.</description>
- </rule>
-
- <rule id="18102" level="0">
- <if_sid>18100</if_sid>
- <status>^WARNING</status>
- <description>Windows warning event.</description>
- </rule>
-
- <rule id="18103" level="5">
- <if_sid>18100</if_sid>
- <status>^ERROR</status>
- <description>Windows error event.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="18104" level="0">
- <if_sid>18100</if_sid>
- <status>^AUDIT_SUCCESS|^success</status>
- <description>Windows audit success event.</description>
- </rule>
-
- <rule id="18105" level="4">
- <if_sid>18100</if_sid>
- <status>^AUDIT_FAILURE|^failure</status>
- <description>Windows audit failure event.</description>
- </rule>
-
- <rule id="18106" level="5">
- <if_sid>18105</if_sid>
- <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
- <description>Windows Logon Failure.</description>
- <group>win_authentication_failed,</group>
- </rule>
-
- <rule id="18107" level="3">
- <if_sid>18104</if_sid>
- <id>^528$|^540$|^673$|^4624$|^4769$</id>
- <description>Windows Logon Success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="18108" level="4">
- <if_sid>18105</if_sid>
- <id>^577$|^4673$</id>
- <description>Failed attempt to perform a privileged </description>
- <description>operation.</description>
- </rule>
-
- <rule id="18109" level="3">
- <if_sid>18104</if_sid>
- <id>^682$|^683$|^4778$|^4779$</id>
- <description>Session reconnected/disconnected to winstation.</description>
- </rule>
-
- <rule id="18110" level="8">
- <if_sid>18104</if_sid>
- <id>^624$|^626$|^4720$|^4722$</id>
- <description>User account enabled or created.</description>
- <group>adduser,account_changed,</group>
- </rule>
-
- <rule id="18111" level="8">
- <if_sid>18104</if_sid>
- <id>^628$|^642$|^685$|^4738$|^4781$</id>
- <description>User account changed.</description>
- <group>account_changed,</group>
- </rule>
-
- <rule id="18112" level="8">
- <if_sid>18104</if_sid>
- <id>^630$|^629$|^4725$|^4726$</id>
- <description>User account disabled or deleted.</description>
- <group>adduser,account_changed,</group>
- </rule>
-
- <rule id="18113" level="8">
- <if_sid>18104</if_sid>
- <id>^612$|^643$|^4719$|^4907$|^4912$|^4719$</id>
- <description>Windows Audit Policy changed.</description>
- <group>policy_changed,</group>
- </rule>
-
- <rule id="18114" level="5">
- <if_sid>18104</if_sid>
- <id>^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|</id>
- <id>^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|</id>
- <id>^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|</id>
- <id>^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|</id>
- <id>^665$|^4761$|^666$|^4762$</id>
- <description>Group Account Changed</description>
- <group>group_changed,win_group_changed,</group>
- </rule>
-
- <rule id="18115" level="8">
- <if_sid>18104</if_sid>
- <id>^640$</id>
- <description>General account database changed.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640</info>
- <group>adduser,account_changed,</group>
- </rule>
-
- <rule id="18116" level="9">
- <if_sid>18104</if_sid>
- <id>^644$|^4740$</id>
- <description>User account locked out (multiple login errors).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="18117" level="7">
- <if_sid>18104</if_sid>
- <id>^513$|^4609$</id>
- <description>Windows is shutting down.</description>
- <group>system_shutdown,</group>
- </rule>
-
- <rule id="18118" level="9">
- <if_sid>18104</if_sid>
- <id>^517$|^1102$</id>
- <description>Windows audit log was cleared.</description>
- <group>logs_cleared,</group>
- </rule>
-
- <rule id="18119" level="3">
- <if_sid>18107</if_sid>
- <options>alert_by_email</options>
- <if_fts />
- <description>First time this user logged in this system.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="18120" level="0">
- <if_sid>18105</if_sid>
- <id>^680$</id>
- <description>Windows login attempt (ignored). Duplicated.</description>
- </rule>
-
- <rule id="18125" level="5">
- <if_sid>18102, 18103</if_sid>
- <id>^20187$|^20014$|^20078$|^20050$|^20049$|^20189$</id>
- <description>Remote access login failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="18126" level="3">
- <if_sid>18101</if_sid>
- <id>^20158$</id>
- <description>Remote access login success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="18127" level="5">
- <if_sid>18104</if_sid>
- <id>^646$|^645$|^647$|^4741$|^4742$|^4743$</id>
- <description>Computer account added/changed/deleted.</description>
- <group>account_changed,</group>
- </rule>
-
- <rule id="18128" level="8">
- <!-- if_sid>18104</if_sid -->
- <id>^65xxx</id>
- <description>Group account added/changed/deleted.</description>
- <info>This rule has been deprecated</info>
- <group>account_changed,</group>
- </rule>
-
- <rule id="18129" level="8">
- <if_sid>18103</if_sid>
- <id>^13570$</id>
- <description>Windows file system full.</description>
- <group>low_diskspace,</group>
- </rule>
-
-
- <!-- Granular windows login rules -->
- <rule id="18130" level="5">
- <if_sid>18106</if_sid>
- <id>^529$|^4625$</id>
- <description>Logon Failure - Unknown user or bad password.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625</info>
- <group>win_authentication_failed,</group>
- </rule>
-
- <rule id="18131" level="5">
- <if_sid>18106</if_sid>
- <id>^530$</id>
- <description>Logon Failure - Account logon time restriction </description>
- <description>violation.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530</info>
- <group>win_authentication_failed,login_denied,</group>
- </rule>
-
- <rule id="18132" level="5">
- <if_sid>18106</if_sid>
- <id>^531$</id>
- <description>Logon Failure - Account currently disabled.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531</info>
- <group>win_authentication_failed,login_denied,</group>
- </rule>
-
- <rule id="18133" level="5">
- <if_sid>18106</if_sid>
- <id>^532$</id>
- <description>Logon Failure - Specified account expired.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532</info>
- <group>win_authentication_failed,login_denied,</group>
- </rule>
-
- <rule id="18134" level="7">
- <if_sid>18106</if_sid>
- <id>^533$</id>
- <description>Logon Failure - User not allowed to login at </description>
- <description>this computer.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533</info>
- <group>win_authentication_failed,login_denied,</group>
- </rule>
-
- <rule id="18135" level="5">
- <if_sid>18106</if_sid>
- <id>^534$</id>
- <description>Logon Failure - User not granted logon type.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534</info>
- <group>win_authentication_failed,</group>
- </rule>
-
- <rule id="18136" level="5">
- <if_sid>18106</if_sid>
- <id>^535$</id>
- <description>Logon Failure - Account's password expired.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535</info>
- <group>win_authentication_failed,</group>
- </rule>
-
- <rule id="18137" level="5">
- <if_sid>18106</if_sid>
- <id>^536$|^537$</id>
- <description>Logon Failure - Internal error.</description>
- <group>win_authentication_failed,</group>
- </rule>
-
- <rule id="18138" level="7">
- <if_sid>18106</if_sid>
- <id>^539$</id>
- <description>Logon Failure - Account locked out.</description>
- <group>win_authentication_failed,</group>
- </rule>
-
- <rule id="18139" level="5">
- <if_sid>18105</if_sid>
- <id>^673$|^675$|^681$|^4769$</id>
- <description>Windows DC Logon Failure.</description>
- <group>win_authentication_failed,</group>
- </rule>
-
- <rule id="18140" level="5">
- <if_sid>18104</if_sid>
- <id>^520$|^4616$</id>
- <description>System time changed.</description>
- <group>time_changed,</group>
- </rule>
-
- <rule id="18141" level="7">
- <if_sid>18102</if_sid>
- <id>^1076$</id>
- <match>unexpected shutdown</match>
- <group>system_error, system_shutdown,</group>
- <description>Unexpected Windows shutdown.</description>
- </rule>
-
- <rule id="18142" level="5">
- <if_sid>18104</if_sid>
- <id>^671$|^4767$</id>
- <description>User account unlocked.</description>
- <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767</info>
- <group>account_changed,</group>
- </rule>
-
- <rule id="18143" level="8">
- <if_sid>18114</if_sid>
- <id>^631$|^635$|^658$</id>
- <description>Security enabled group created.</description>
- <group>adduser,account_changed,</group>
- </rule>
-
- <rule id="18144" level="8">
- <if_sid>18114</if_sid>
- <id>^634$|^638$|^662$</id>
- <description>Security enabled group deleted.</description>
- <group>adduser,account_changed,</group>
- </rule>
-
- <!-- Some services change their startup type automatically -->
- <rule id="18145" level="3">
- <if_sid>18101</if_sid>
- <id>^7040$</id>
- <group>policy_changed,</group>
- <description>Service startup type was changed.</description>
- <info type="text">This does not appear to be logged on Windows 2000.</info>
- </rule>
-
- <rule id="18146" level="5">
- <if_sid>18101</if_sid>
- <id>^11724$</id>
- <options>alert_by_email</options>
- <description>Application Uninstalled.</description>
- </rule>
-
- <rule id="18147" level="5">
- <if_sid>18101</if_sid>
- <id>^11707$</id>
- <options>alert_by_email</options>
- <description>Application Installed.</description>
- </rule>
-
- <rule id="18148" level="3">
- <if_sid>18104</if_sid>
- <id>^4608$</id>
- <description>Windows is starting up.</description>
- </rule>
-
- <rule id="18149" level="3">
- <if_sid>18104</if_sid>
- <id>^538$|^551$|^4634$|^4647$</id>
- <description>Windows User Logoff.</description>
- </rule>
-
-<!-- Granular group rules -->
-
- <rule id="18200" level="5">
- <if_sid>18104</if_sid>
- <id>^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|</id>
- <id>^663$|^4759$</id>
- <description>Group Account Created</description>
- <group>group_created,win_group_created,</group>
- </rule>
-
- <rule id="18201" level="5">
- <if_sid>18104</if_sid>
- <id>^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|</id>
- <id>^667$|^4763$</id>
- <description>Group Account Deleted</description>
- <group>group_deleted,win_group_deleted,</group>
- </rule>
-
- <rule id="18202" level="5">
- <if_sid>18200</if_sid>
- <id>^631$|^4727$</id>
- <description>Security Enabled Global Group Created</description>
- <group>group_created,win_group_created,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631</info>
- </rule>
-
- <rule id="18203" level="5">
- <if_sid>18114</if_sid>
- <id>^632$|^4728$</id>
- <description>Security Enabled Global Group Member Added</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632</info>
- </rule>
-
- <rule id="18204" level="5">
- <if_sid>18114</if_sid>
- <id>^633$|^4729$</id>
- <description>Security Enabled Global Group Member Removed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info>
- </rule>
-
- <rule id="18205" level="5">
- <if_sid>18201</if_sid>
- <id>^634$|^4730$</id>
- <description>Security Enabled Global Group Deleted</description>
- <group>group_deleted,win_group_deleted,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634</info>
- </rule>
-
- <rule id="18206" level="5">
- <if_sid>18200</if_sid>
- <id>^635$|^4731$</id>
- <description>Security Enabled Local Group Created</description>
- <group>group_created,win_group_created,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635</info>
- </rule>
-
- <rule id="18207" level="5">
- <if_sid>18114</if_sid>
- <id>^636$|^4732$</id>
- <description>Security Enabled Local Group Member Added</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636</info>
- </rule>
-
- <rule id="18208" level="5">
- <if_sid>18114</if_sid>
- <id>^637$|^4733$</id>
- <description>Security Enabled Local Group Member Removed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637</info>
- </rule>
-
- <rule id="18209" level="5">
- <if_sid>18201</if_sid>
- <id>^638$|^4734$</id>
- <description>Security Enabled Local Group Deleted</description>
- <group>group_deleted,win_group_deleted,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638</info>
- </rule>
-
- <rule id="18210" level="5">
- <if_sid>18114</if_sid>
- <id>^639$|^4735$</id>
- <description>Security Enabled Local Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639</info>
- </rule>
-
- <rule id="18211" level="5">
- <if_sid>18114</if_sid>
- <id>^641$|^4737$</id>
- <description>Security Enabled Global Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641</info>
- </rule>
-
- <rule id="18212" level="5">
- <if_sid>18200</if_sid>
- <id>^658$|^4754$</id>
- <description>Security Enabled Universal Group Created</description>
- <group>group_created,win_group_created,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658</info>
- </rule>
-
- <rule id="18213" level="5">
- <if_sid>18114</if_sid>
- <id>^659$|^4755$</id>
- <description>Security Enabled Universal Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659</info>
- </rule>
-
- <rule id="18214" level="5">
- <if_sid>18114</if_sid>
- <id>^660$|^4756$</id>
- <description>Security Enabled Universal Group Member Added</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660</info>
- </rule>
-
- <rule id="18215" level="5">
- <if_sid>18114</if_sid>
- <id>^661$|^4757$</id>
- <description>Security Enabled Universal Group Member Removed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661</info>
- </rule>
-
- <rule id="18216" level="5">
- <if_sid>18201</if_sid>
- <id>^662$|^4758$</id>
- <description>Security Enabled Universal Group Deleted</description>
- <group>group_deleted,win_group_deleted,</group>
- <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662</info>
- </rule>
-
- <rule id="18217" level="12">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+\p*S-1-5-32-544</regex>
- <description>Administrators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18218" level="5">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0</regex>
- <description>Everyone Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18219" level="12">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9</regex>
- <description>Enterprise Domain Controllers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18220" level="5">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11</regex>
- <description>Authenticated Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18221" level="5">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13</regex>
- <description>Terminal Server Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18222" level="12">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512</regex>
- <description>Domain Admins Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18223" level="5">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513</regex>
- <description>Domain Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18224" level="0">
- <if_sid>18223,18203</if_sid>
- <match>Target Account Name: None</match>
- <description>Local User Group NONE</description>
- <info>Bogus group user added to upon creation</info>
- </rule>
-
- <rule id="18225" level="12">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514</regex>
- <description>Domain Guests Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18226" level="5">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515</regex>
- <description>Domain Computers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18227" level="12">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516</regex>
- <description>Domain Controllers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18228" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517</regex>
- <description>Cert Publishers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18229" level="12">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518</regex>
- <description>Schema Admins Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18230" level="12">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519</regex>
- <description>Enterprise Admins Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18231" level="10">
- <if_sid>18203,18204</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520</regex>
- <description>Group Policy Creator Owners Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18232" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553</regex>
- <description>RAS and IAS Servers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18233" level="5">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545</regex>
- <description>Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18234" level="12">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546</regex>
- <description>Guests Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18235" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547</regex>
- <description>Power Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18236" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548</regex>
- <description>Account Operators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18237" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549</regex>
- <description>Server Operators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18238" level="8">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550</regex>
- <description>Print Operators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18239" level="12">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551</regex>
- <description>Backup Operators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18240" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552</regex>
- <description>Replicators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18241" level="8">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554</regex>
- <description>Pre-Windows 2000 Compatible Access Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18242" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555</regex>
- <description>Remote Desktop Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18243" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556</regex>
- <description>Network Configuration Operators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18244" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557</regex>
- <description>Incoming Forest Trust Builders Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18245" level="8">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558</regex>
- <description>Performance Monitor Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18246" level="8">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559</regex>
- <description>Performance Log Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18247" level="8">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560</regex>
- <description>Windows Authorization Access Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18248" level="8">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561</regex>
- <description>Terminal Server License Servers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18249" level="8">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562</regex>
- <description>Distributed COM Users Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18250" level="12">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498</regex>
- <description>Enterprise Read-only Domain Controllers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18251" level="12">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529</regex>
- <description>Read-only Domain Controllers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18252" level="12">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569</regex>
- <description>Cryptographic Operators Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18253" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571</regex>
- <description>Allowed RODC Password Replication Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18254" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572</regex>
- <description>Denied RODC Password Replication Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18255" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573</regex>
- <description>Event Log Readers Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18256" level="10">
- <if_sid>18207,18208</if_sid>
- <regex> ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574</regex>
- <description>Certificate Service DCOM Access Group Changed</description>
- <group>group_changed,win_group_changed,</group>
- <info>http://support.microsoft.com/kb/243330</info>
- </rule>
-
- <rule id="18257" level="3">
- <if_sid>18101</if_sid>
- <id>^200$|^300$|^302$</id>
- <description>TS Gateway login success.</description>
- <group>authentication_success,</group>
- <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
- </rule>
-
- <rule id="18258" level="5">
- <if_sid>18102, 18103</if_sid>
- <id>^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$</id>
- <description>TS Gateway login failure.</description>
- <group>authentication_failed,</group>
- <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
- </rule>
-
- <rule id="18259" level="3">
- <if_sid>18101</if_sid>
- <id>^202$|^303$</id>
- <description>TS Gateway user disconnected.</description>
- <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
- </rule>
-
- <!-- Ignore Login events, type 5, from Advapi for:
- - LOCAL SERVICE and NETWORK SERVICE.
- -->
- <rule id="18121" level="0">
- <if_sid>18107,18149</if_sid>
- <id>^528$|^538$|^540$|^4624$</id>
- <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
- <description>Windows Logon Success (ignored).</description>
- </rule>
-
-
- <!-- Kerberos failures that may indicate an attack -->
- <rule id="18170" level="10">
- <if_sid>18139</if_sid>
- <match>Failure Code: 0x1F</match>
- <description>Windows DC integrity check on decrypted </description>
- <description>field failed.</description>
- <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
- <group>win_authentication_failed,attacks,</group>
- </rule>
-
- <rule id="18171" level="10">
- <if_sid>18139</if_sid>
- <match>Failure Code: 0x22</match>
- <description>Windows DC - Possible replay attack.</description>
- <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
- <group>win_authentication_failed,attacks,</group>
- </rule>
-
- <rule id="18172" level="7">
- <if_sid>18139</if_sid>
- <match>Failure Code: 0x25</match>
- <description>Windows DC - Clock skew too great.</description>
- <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
- <group>win_authentication_failed,attacks,</group>
- </rule>
-
-
- <!-- MS SQL rules -->
- <rule id="18180" level="5">
- <if_sid>18105</if_sid>
- <id>^18456$</id>
- <group>win_authentication_failed,</group>
- <description>MS SQL Server Logon Failure.</description>
- </rule>
-
- <rule id="18181" level="3">
- <if_sid>18104</if_sid>
- <id>^18454$|^18453$</id>
- <description>MS SQL Server Logon Success.</description>
- <group>authentication_success,</group>
- </rule>
-
-<!-- Detail logon rules -->
- <rule id="18260" level="3">
- <if_sid>18107</if_sid>
- <id>^4624$</id>
- <match>Logon Type: 8</match>
- <description>MS Exchange Logon Success.</description>
- </rule>
-
- <rule id="18261" level="0">
- <if_sid>18149</if_sid>
- <id>^4634$</id>
- <match>Logon Type: 8</match>
- <description>User Logoff Exchange.</description>
- </rule>
-
-
- <!-- Composite rules -->
- <rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
- <if_matched_sid>18108</if_matched_sid>
- <same_user />
- <description>Multiple failed attempts to perform a </description>
- <description>privileged operation by the same user.</description>
- </rule>
-
- <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
- <if_matched_group>win_authentication_failed</if_matched_group>
- <description>Multiple Windows Logon Failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
- <if_matched_sid>18105</if_matched_sid>
- <description>Multiple Windows audit failure events.</description>
- </rule>
-
- <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
- <if_matched_sid>18103</if_matched_sid>
- <description>Multiple Windows error events.</description>
- </rule>
-
- <rule id="18155" level="10" frequency="$MS_FREQ" timeframe="120">
- <if_matched_sid>18102</if_matched_sid>
- <description>Multiple Windows warning events.</description>
- </rule>
-
- <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240">
- <if_matched_sid>18125</if_matched_sid>
- <description>Multiple remote access login failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="18157" level="10" frequency="$MS_FREQ" timeframe="240">
- <if_matched_sid>18258</if_matched_sid>
- <description>Multiple TS Gateway login failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <!--
- Chrome Remote Desktop
- Created by Kevin Branch
- Updated by Wazuh
- -->
- <rule id="18158" level="5">
- <if_sid>18103</if_sid>
- <match>chromoting</match>
- <regex>: chromoting: \.* Access denied for client: </regex>
- <description>Chrome Remote Desktop attempt - access denied</description>
- </rule>
-
- <rule id="18159" level="5">
- <if_sid>18101</if_sid>
- <match>chromoting</match>
- <regex>: chromoting: \.* Client connected:</regex>
- <description>Chrome Remote Desktop attempt - connected</description>
- </rule>
-
- <rule id="18160" level="5">
- <if_sid>18101</if_sid>
- <match>chromoting</match>
- <regex>: chromoting: \.* Client disconnected:</regex>
- <description>Chrome Remote Desktop attempt - disconnected</description>
- </rule>
-
-</group>
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/mysql_rules.xml, 2011/09/08 dcid Exp $
-
- - Official MySQL rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- MYSQL Log messages -->
-<group name="mysql_log,">
- <rule id="50100" level="0">
- <decoded_as>mysql_log</decoded_as>
- <description>MySQL messages grouped.</description>
- </rule>
-
- <rule id="50105" level="3">
- <if_sid>50100</if_sid>
- <regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
- <description>Database authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="50106" level="9">
- <if_sid>50105</if_sid>
- <match>Access denied for user</match>
- <description>Database authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="50107" level="0">
- <if_sid>50100</if_sid>
- <regex>^MySQL log: \d+ \S+ \d+ Query</regex>
- <description>Database query.</description>
- </rule>
-
- <rule id="50108" level="3">
- <if_sid>50100</if_sid>
- <regex>^MySQL log: \d+ \S+ \d+ Quit</regex>
- <description>User disconnected from database.</description>
- </rule>
-
- <rule id="50120" level="12">
- <if_sid>50100</if_sid>
- <match>mysqld ended|Shutdown complete</match>
- <description>Database shutdown message.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="50121" level="3">
- <if_sid>50100</if_sid>
- <match>mysqld started|mysqld restarted</match>
- <description>Database startup message.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="50125" level="5">
- <if_sid>50100</if_sid>
- <regex>^MySQL log: \d+ \S+ \d+ [ERROR]</regex>
- <description>Database error.</description>
- </rule>
-
- <rule id="50126" level="12">
- <if_sid>50125</if_sid>
- <match>Fatal error:</match>
- <description>Database fatal error.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="50180" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>50125</if_matched_sid>
- <description>Multiple database errors.</description>
- <group>service_availability,</group>
- </rule>
-
-</group> <!-- MYSQL -->
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/named_rules.xml, 2011/09/08 dcid Exp $
-
- - Example of Named rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,named,">
- <rule id="12100" level="0">
- <decoded_as>named</decoded_as>
- <description>Grouping of the named rules</description>
- </rule>
-
- <rule id="12101" level="12">
- <if_sid>12100</if_sid>
- <match>dropping source port zero packet from</match>
- <description>Invalid DNS packet. Possibility of attack.</description>
- <group>invalid_access,</group>
- </rule>
-
- <rule id="12102" level="9">
- <if_sid>12100</if_sid>
- <match>denied AXFR from</match>
- <description>Failed attempt to perform a zone transfer.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="12103" level="4">
- <if_sid>12100</if_sid>
- <match>denied update from|unapproved update from</match>
- <description>DNS update denied. </description>
- <description>Generally mis-configuration.</description>
- <info type="link">http://seclists.org/incidents/2000/May/217</info>
- <group>client_misconfig,</group>
- </rule>
-
- <rule id="12104" level="4">
- <if_sid>12100</if_sid>
- <match>unable to rename log file</match>
- <description>Log permission misconfiguration in Named.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="12105" level="4">
- <if_sid>12100</if_sid>
- <match>unexpected RCODE </match>
- <description>Unexpected error while resolving domain.</description>
- </rule>
-
- <rule id="12106" level="4">
- <if_sid>12100</if_sid>
- <match>refused notify from non-master</match>
- <description>DNS configuration error.</description>
- </rule>
-
- <rule id="12107" level="0">
- <if_sid>12100</if_sid>
- <regex>update \S+ denied</regex>
- <description>DNS update using RFC2136 Dynamic protocol.</description>
- </rule>
-
- <rule id="12108" level="5">
- <if_sid>12100</if_sid>
- <match>query (cache) denied|: query (cache)</match>
- <description>Query cache denied (probably config error).</description>
- <info type="link">http://www.reedmedia.net/misc/dns/errors.html</info>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="12109" level="12">
- <if_sid>12100</if_sid>
- <match>exiting (due to fatal error)</match>
- <description>Named fatal error. DNS service going down.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="12110" level="8">
- <regex>^zone \S+ serial number \S+ received from master </regex>
- <regex>\S+ \S ours (\S+)</regex>
- <description>Serial number from master is lower </description>
- <description>than stored.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="12111" level="8">
- <regex>^transfer of \S+ from \S+ failed while receiving \S+ REFUSED</regex>
- <description>Unable to perform zone transfer.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="12112" level="4">
- <regex>^zone \S+: expired</regex>
- <description>Zone transfer error.</description>
- </rule>
-
- <rule id="12113" level="0">
- <if_sid>12100</if_sid>
- <match>zone transfer deferred due to quota</match>
- <description>Zone transfer deferred.</description>
- </rule>
-
- <rule id="12114" level="1">
- <if_sid>12100</if_sid>
- <match>bad owner name (check-names)</match>
- <description>Hostname contains characters that check-names does not like.</description>
- </rule>
-
- <rule id="12115" level="0">
- <if_sid>12100</if_sid>
- <match>loaded serial|transferred serial</match>
- <description>Zone transfer.</description>
- </rule>
-
- <rule id="12116" level="1">
- <if_sid>12100</if_sid>
- <match>syntax error near|</match>
- <match>reloading configuration failed: unexpected token</match>
- <description>Syntax error in a named configuration file.</description>
- </rule>
-
-
- <rule id="12117" level="1">
- <if_sid>12100</if_sid>
- <regex>refresh: retry limit for master \S+ exceeded</regex>
- <description>Zone transfer rety limit exceeded</description>
- </rule>
-
- <rule id="12118" level="1">
- <if_sid>12100</if_sid>
- <match>already exists previous definition</match>
- <description>Zone has been duplicated.</description>
- </rule>
-
- <rule id="12119" level="3">
- <if_sid>12100</if_sid>
- <match>starting BIND</match>
- <description>BIND has been started</description>
- </rule>
-
- <rule id="12120" level="1">
- <if_sid>12100</if_sid>
- <match>has no address records</match>
- <description>Missing A or AAAA record</description>
- </rule>
-
- <rule id="12121" level="1">
- <if_sid>12100</if_sid>
- <regex>zone \S+: \(master\) removed</regex>
- <description>Zone has been removed from a master server</description>
- </rule>
-
- <rule id="12122" level="1">
- <if_sid>12100</if_sid>
- <regex>loading from master file \S+ failed: not at top of zone$</regex>
- <description>Origin of zone and owner name of SOA do not match.</description>
- </rule>
-
- <rule id="12123" level="0">
- <if_sid>12100</if_sid>
- <match>already exists previous definition</match>
- <description>Zone has been duplicated</description>
- </rule>
-
- <rule id="12125" level="3">
- <if_sid>12100</if_sid>
- <match>reloading configuration failed: unexpected end of input</match>
- <description>BIND Configuration error.</description>
- </rule>
-
- <rule id="12126" level="0">
- <if_sid>12100</if_sid>
- <regex>zone \S+: \(master\) removed</regex>
- <description>Zone has been removed from a master server</description>
- </rule>
-
- <rule id="12127" level="1">
- <if_sid>12100</if_sid>
- <regex>loading from master file \S+ failed: not at top of zone$</regex>
- <description>Origin of zone and owner name of SOA do not match.</description>
- </rule>
-
- <rule id="12128" level="1">
- <if_sid>12100</if_sid>
- <match>^transfer of|</match>
- <match>AXFR started$</match>
- <description>Zone transfer.</description>
- </rule>
-
- <rule id="12129" level="4">
- <if_sid>12128</if_sid>
- <match>failed to connect: connection refused</match>
- <description>Zone transfer failed, unable to connect to master.</description>
- </rule>
-
- <rule id="12130" level="2">
- <if_sid>12100</if_sid>
- <match>IPv6 interfaces failed</match>
- <description>Could not listen on IPv6 interface.</description>
- </rule>
-
- <rule id="12131" level="2">
- <if_sid>12100</if_sid>
- <match>failed; interface ignored</match>
- <description>Could not bind to an interface.</description>
- </rule>
-
- <rule id="12132" level="0">
- <if_sid>12128</if_sid>
- <match>failed while receiving responses: not authoritative</match>
- <description>Master is not authoritative for zone.</description>
- </rule>
-
- <rule id="12133" level="4">
- <if_sid>12100</if_sid>
- <regex>open: \S+: permission denied$</regex>
- <description>Could not open configuration file, permission denied.</description>
- </rule>
-
- <rule id="12134" level="4">
- <if_sid>12100</if_sid>
- <match>loading configuration: permission denied</match>
- <description>Could not open configuration file, permission denied.</description>
- </rule>
-
- <rule id="12135" level="0">
- <if_sid>12100</if_sid>
- <match>IN SOA -E</match>
- <description>Domain in SOA -E.</description>
- </rule>
-
- <rule id="12136" level="4">
- <if_sid>12128</if_sid>
- <match>failed to connect: host unreachable</match>
- <description>Master appears to be down.</description>
- </rule>
-
- <rule id="12137" level="0">
- <if_sid>12100</if_sid>
- <match>IN AXFR -</match>
- <description>Domain is queried for a zone transferred.</description>
- </rule>
-
- <rule id="12138" level="0">
- <if_sid>12100</if_sid>
- <match> IN A +</match>
- <description>Domain A record found.</description>
- </rule>
-
- <rule id="12139" level="3">
- <if_sid>12100</if_sid>
- <regex>client \S+: bad zone transfer request: \S+: non-authoritative zone \(NOTAUTH\)</regex>
- <description>Bad zone transfer request.</description>
- </rule>
-
- <rule id="12140" level="2">
- <if_sid>12100</if_sid>
- <match>refresh: failure trying master</match>
- <description>Cannot refresh a domain from the master server.</description>
- </rule>
-
- <rule id="12141" level="1">
- <if_sid>12100</if_sid>
- <match>SOA record not at top of zone</match>
- <description>Origin of zone and owner name of SOA do not match.</description>
- </rule>
-
- <rule id="12142" level="0">
- <if_sid>12100</if_sid>
- <match>command channel listening on</match>
- <description>named command channel is listening.</description>
- </rule>
-
- <rule id="12143" level="0">
- <if_sid>12100</if_sid>
- <match>automatic empty zone</match>
- <description>named has created an automatic empty zone.</description>
- </rule>
-
- <rule id="12144" level="9">
- <if_sid>12100</if_sid>
- <match>reloading configuration failed: out of memory</match>
- <description>Server does not have enough memory to reload the configuration.</description>
- </rule>
-
- <rule id="12145" level="1">
- <if_sid>12100</if_sid>
- <regex>zone transfer \S+ denied</regex>
- <description>zone transfer denied</description>
- </rule>
-
- <rule id="12146" level="0">
- <if_sid>12100</if_sid>
- <match>error sending response: host unreachable$</match>
- <description>Cannot send a DNS response.</description>
- </rule>
-
- <rule id="12147" level="0">
- <if_sid>12100</if_sid>
- <regex>update forwarding \.+ denied$</regex>
- <description>Cannot update forwarding domain.</description>
- </rule>
-
- <rule id="12148" level="0">
- <if_sid>12100</if_sid>
- <match>: parsing failed$</match>
- <description>Parsing of a configuration file has failed.</description>
- </rule>
-
- <rule id="12149" level="10" frequency="6" timeframe="120">
- <if_matched_sid>12108</if_matched_sid>
- <same_source_ip />
- <description> Multiple query (cache) failures.</description>
- <group>connection_attempt,</group>
-</rule>
-
-</group> <!-- SYSLOG,NAMED -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/netscreenfw_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Netscreen Firewall rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="netscreenfw,">
- <rule id="4500" level="0">
- <decoded_as>netscreenfw</decoded_as>
- <description>Grouping for the Netscreen Firewall rules</description>
- </rule>
-
- <rule id="4501" level="3">
- <if_sid>4500</if_sid>
- <action>notification</action>
- <description>Netscreen notification message.</description>
- </rule>
-
- <rule id="4502" level="4">
- <if_sid>4500</if_sid>
- <action>warning</action>
- <description>Netscreen warning message.</description>
- </rule>
-
- <rule id="4503" level="5">
- <if_sid>4500</if_sid>
- <action>critical</action>
- <description>Netscreen critical/alert message.</description>
- </rule>
-
- <rule id="4513" level="5">
- <if_sid>4500</if_sid>
- <action>alert</action>
- <description>Netscreen critical/alert message.</description>
- </rule>
-
- <rule id="4504" level="5">
- <if_sid>4500</if_sid>
- <action>information</action>
- <description>Netscreen informational message.</description>
- </rule>
-
- <!-- ns204: NetScreen device_id=ns204 [Root]system-critical-00027:
- - Configuration Erase sequence accepted -->
- <rule id="4505" level="11">
- <if_sid>4503</if_sid>
- <id>^00027</id>
- <description>Netscreen Erase sequence started.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="4506" level="8">
- <if_sid>4501</if_sid>
- <id>^00002</id>
- <description>Successfull admin login to the Netscreen firewall</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="4507" level="8">
- <if_sid>4502</if_sid>
- <id>^00515</id>
- <description>Successfull admin login to the Netscreen firewall</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="4508" level="8">
- <if_sid>4501</if_sid>
- <id>^00018</id>
- <description>Firewall policy changed.</description>
- <group>config_changed,</group>
- </rule>
-
- <rule id="4509" level="8">
- <if_sid>4504</if_sid>
- <id>^00767</id>
- <description>Firewall configuration changed.</description>
- <group>config_changed,</group>
- </rule>
-
- <rule id="4550" level="10" frequency="4" timeframe="180" ignore="60">
- <if_matched_sid>4503</if_matched_sid>
- <same_source_ip />
- <description>Multiple Netscreen critical messages from </description>
- <description>same source IP.</description>
- </rule>
-
- <rule id="4551" level="10" frequency="6" timeframe="180" ignore="60">
- <if_matched_sid>4503</if_matched_sid>
- <description>Multiple Netscreen critical messages.</description>
- </rule>
-
- <rule id="4552" level="10" frequency="4" timeframe="180" ignore="60">
- <if_matched_sid>4513</if_matched_sid>
- <same_source_ip />
- <description>Multiple Netscreen alert messages from </description>
- <description>same source IP.</description>
- </rule>
-
- <rule id="4553" level="10" frequency="8" timeframe="100" ignore="60">
- <if_matched_sid>4513</if_matched_sid>
- <description>Multiple Netscreen alert messages.</description>
- </rule>
-
- <rule id="4560" level="3">
- <if_sid>4500</if_sid>
- <match>SYN flood! </match>
- <description>netscreen detected a SYN flood.</description>
- </rule>
-
-
-
-</group> <!-- SYSLOG,NETSCREENFW -->
-
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/nginx_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Nginx rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="apache,">
- <rule id="31300" level="0">
- <decoded_as>nginx-errorlog</decoded_as>
- <description>Nginx messages grouped.</description>
- </rule>
-
- <rule id="31301" level="3">
- <if_sid>31300</if_sid>
- <regex>^\S+ \S+ [error] </regex>
- <description>Nginx error message.</description>
- </rule>
-
- <rule id="31302" level="3">
- <if_sid>31300</if_sid>
- <regex>^\S+ \S+ [warn] </regex>
- <description>Nginx warning message.</description>
- </rule>
-
- <rule id="31303" level="5">
- <if_sid>31300</if_sid>
- <regex>^\S+ \S+ [crit] </regex>
- <description>Nginx critical message.</description>
- </rule>
-
- <rule id="31310" level="0">
- <if_sid>31301</if_sid>
- <match>failed (2: No such file or directory)|is not found (2: No such file or directory)</match>
- <description>Server returned 404 (reported in the access.log).</description>
- </rule>
-
- <rule id="31311" level="0">
- <if_sid>31301</if_sid>
- <match>accept() failed (53: Software caused connection abort)</match>
- <description>Incomplete client request.</description>
- </rule>
-
- <rule id="31312" level="0">
- <if_sid>31301</if_sid>
- <match>no user/password was provided for basic authentication</match>
- <description>Initial 401 authentication request.</description>
- </rule>
-
- <rule id="31315" level="5">
- <if_sid>31301</if_sid>
- <match> password mismatch, client| was not found in </match>
- <description>Web authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="31316" level="10" frequency="6" timeframe="240">
- <if_matched_sid>31315</if_matched_sid>
- <same_source_ip />
- <description>Multiple web authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="31317" level="0">
- <if_sid>31303</if_sid>
- <match>failed (2: No such file or directory</match>
- <description>Common cache error when files were removed.</description>
- </rule>
-
- <rule id="31320" level="10">
- <if_sid>31301</if_sid>
- <match>failed (36: File name too long)</match>
- <description>Invalid URI, file name too long.</description>
- <group>invalid_request,</group>
- </rule>
-</group> <!-- ERROR_LOG,NGINX -->
-
-<!-- EOF -->
-
+++ /dev/null
-<!--
-Aug 11 13:21:46 ix nsd[16565]: server initialization failed, nsd could not be started
-Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: syntax error
-Aug 11 13:22:14 ix nsd[13816]: blocked.hosts:2: unrecognized RR type 'name:'
-Aug 12 09:01:00 junction.example.com nsd[7405]: NSTATS 1439384460 1439314258 A=1 AAAA=1
-Aug 12 09:01:00 junction.example.com nsd[7405]: XSTATS 1439384460 1439314258 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAns=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
-Dec 16 12:51:17 pine nsd[90235]: xfrd: zone example.com received error code NOT IMPL from 192.168.17.9@153
-
--->
-
-<group name="syslog,dns,nsd,">
- <rule id="53200" level="0">
- <decoded_as>nsd</decoded_as>
- <description>NSD grouping.</description>
- </rule>
-
- <rule id="53201" level="1">
- <if_sid>53200</if_sid>
- <match>unrecognized RR type</match>
- <description>Syntax error in nsd configuration.</description>
- </rule>
-
- <rule id="53202" level="1">
- <decoded_as>nsd</decoded_as>
- <if_sid>53200</if_sid>
- <match>server initialization failed|syntax error$</match>
- <description>Syntax error in nsd configuration.</description>
- </rule>
-
- <rule id="53203" level="0">
- <if_sid>53200</if_sid>
- <match>^NSTATS|^XSTATS</match>
- <description>nsd statistics</description>
- </rule>
-
- <rule id="53204" level="2">
- <decoded_as>nsd</decoded_as>
- <match>Can't bind </match>
- <description>Cannot bind to a socket.</description>
- </rule>
-
- <rule id="53205" level="2">
- <decoded_as>nsd</decoded_as>
- <match>nsd is already running</match>
- <description>nsd is already running.</description>
- </rule>
-
- <rule id="53206" level="1">
- <decoded_as>nsd</decoded_as>
- <if_sid>53200</if_sid>
- <match>received notify response error NOT IMPL</match>
- <description>Notify is not implemented.</description>
- </rule>
-
- <rule id="53207" level="1">
- <decoded_as>nsd</decoded_as>
- <if_sid>53200</if_sid>
- <regex>read with \d+ errors$</regex>
- <description>Zone file read with errors.</description>
- </rule>
-
- <rule id="53208" level="0">
- <decoded_as>nsd</decoded_as>
- <if_sid>53200</if_sid>
- <match>received error code </match>
- <description>Error grouping.</description>
- </rule>
-
- <rule id="53209" level="1">
- <decoded_as>nsd</decoded_as>
- <if_sid>53208</if_sid>
- <match>NOT IMPL </match>
- <description>Zone xfer not implemented.</description>
- </rule>
-
- <rule id="53210" level="1">
- <if_sid>53200</if_sid>
- <match>tcp: Connection reset by peer$</match>
- <description>tcp connection reset.</description>
- </rule>
-
- <rule id="53211" level="1">
- <if_sid>53200</if_sid>
- <match>received error code NOT IMPL</match>
- <description>Attempted zone transfer not configured.</description>
- </rule>
-
- <rule id="53212" level="1">
- <if_sid>53208</if_sid>
- <match>received error code SERVER NOT AUTHORITATIVE FOR ZONE</match>
- <description>Server not authoritative for zone transfer.</description>
- </rule>
-
-
-</group>
-
-
+++ /dev/null
-<!-- OpenBSD dhcpd -->
-<!--
-Aug 10 09:45:28 junction dhcpd[2042]: DHCPREQUEST for 192.168.17.154 from b4:b5:2f:15:4c:ec via sk0
-Aug 10 09:45:28 junction dhcpd[2042]: DHCPACK on 192.168.17.154 to b4:b5:2f:15:4c:ec via sk0
--->
-
-<group name="syslog,dhcpd,">
- <rule id="53000" level="0">
- <decoded_as>dhcpd</decoded_as>
- <description>dhcpd grouping.</description>
- </rule>
-
- <rule id="53001" level="1">
- <if_sid>53000</if_sid>
- <match>^DHCPREQUEST|^DHCPOFFER |^DHCPDISCOVER|^DHCPACK</match>
- <description>Normal dhcp.</description>
- </rule>
-
- <rule id="53003" level="5">
- <if_sid>53000</if_sid>
- <match>answers a ping after sending a release|Possible release spoof</match>
- <description>A host issued a release but is responding to pings.</description>
- </rule>
-
- <rule id="53004" level="1">
- <if_sid>53000</if_sid>
- <match>expecting left brace.$|</match>
- <match>fixed-address parameter not allowed here.$|</match>
- <match>parameters not allowed after first declaration.$|</match>
- <match>Configuration file errors encountered</match>
- <description>Configuration errors.</description>
- </rule>
-
- <rule id="53005" level="3">
- <if_sid>53000</if_sid>
- <match>exiting.$</match>
- <description>dhcpd is exiting.</description>
- </rule>
-
- <rule id="53006" level="1">
- <if_sid>53000</if_sid>
- <match>Can't listen on </match>
- <description>dhcpd cannot listen to an interface.</description>
- </rule>
-
- <rule id="53007" level="1">
- <if_sid>53006</if_sid>
- <match>has no subnet declaration for</match>
- <description>dhcpd is not configured to listen to an interface.</description>
- </rule>
-
- <rule id="53008" level="1">
- <if_sid>53000</if_sid>
- <match>Listening on </match>
- <description>dhcpd has been started.</description>
- </rule>
-
- <rule id="53009" level="0">
- <if_sid>53000</if_sid>
- <match>^Address range </match>
- <description>Message with address range.</description>
- </rule>
-
- <rule id="53010" level="2">
- <if_sid>53009</if_sid>
- <match> not on net </match>
- <description>Defined address range is not on the configured network.</description>
- </rule>
-
- <rule id="53011" level="7">
- <if_sid>53000</if_sid>
- <match>^no free leases</match>
- <description>DHCP server has run out of leases.</description>
- </rule>
-
- <rule id="53013" level="2">
- <if_sid>53000</if_sid>
- <match>^already acking lease </match>
- <description>Multiple acks.</description>
- </rule>
-
-
-</group>
-
+++ /dev/null
- <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- -->
-
-
-
- <!-- Modify it at your will. -->
-
-<group name="local,syslog,openbsd">
-
- <rule id="51500" level="0" noalert="1">
- <decoded_as>bsd_kernel</decoded_as>
- <description>Grouping of bsd_kernel alerts</description>
- </rule>
-
- <rule id="51501" level="1">
- <if_sid>51500</if_sid>
- <match>ichiic0: abort failed, status 0x40</match>
- <description>A timeout occurred waiting for a transfer.</description>
- </rule>
-
- <rule id="51502" level="0">
- <if_sid>51500</if_sid>
- <match>Check Condition (error 0x70) on opcode 0x0</match>
- <description>Check media in optical drive.</description>
- </rule>
-
- <rule id="51503" level="1">
- <if_sid>51500</if_sid>
- <match>BBB bulk-in clear stall failed</match>
- <description>A disk has timed out.</description>
- </rule>
-
- <rule id="51504" level="1">
- <if_sid>51500</if_sid>
- <match>arp info overwritten for</match>
- <description>arp info has been overwritten for a host</description>
- </rule>
-
- <rule id="51505" level="5">
- <if_sid>51500</if_sid>
- <match>was not properly unmounted</match>
- <description>A filesystem was not properly unmounted, likely system crash</description>
- </rule>
-
- <rule id="51506" level="1">
- <if_sid>51500</if_sid>
- <match>UKC> quit</match>
- <description>UKC was used, possibly modifying a kernel at boot time.</description>
- </rule>
-
- <rule id="51507" level="1">
- <if_sid>51500</if_sid>
- <match>Michael MIC failure</match>
- <description>Michael MIC failure: Checksum failure in the tkip protocol.</description>
- </rule>
-
- <rule id="51508" level="2">
- <if_sid>51500</if_sid>
- <match>soft error (corrected)</match>
- <description>A soft error has been corrected on a hard drive, </description>
- <description>this is a possible early sign of failure.</description>
- </rule>
-
- <rule id="51509" level="1">
- <if_sid>51500</if_sid>
- <regex>acpithinkpad\d:</regex>
- <match>unknown event</match>
- <description>Unknown acpithinkpad event</description>
- </rule>
-
- <rule id="51510" level="5">
- <if_sid>51500</if_sid>
- <match>Critical temperature, shutting down</match>
- <description>System shutdown due to temperature</description>
- </rule>
-
- <rule id="51511" level="1">
- <if_sid>51500</if_sid>
- <match>_AL0[0] _PR0 failed</match>
- <description>Unknown ACPI event (bug 6299 in OpenBSD bug tracking system).</description>
- </rule>
-
- <rule id="51512" level="1">
- <if_sid>51500</if_sid>
- <match>ehci_freex: xfer=0xffff8000003ef800 not busy, 0x4f4e5155</match>
- <description>USB diagnostic message.</description>
- </rule>
-
- <rule id="51513" level="1">
- <if_sid>51500</if_sid>
- <match>ichiic0: abort failed, status 0x0</match>
- <description>Possible APM or ACPI event.</description>
- </rule>
-
- <rule id="51514" level="3">
- <if_sid>51500</if_sid>
- <match>Filesystem is not clean - run fsck</match>
- <description>Unclean filesystem, run fsck.</description>
- </rule>
-
- <rule id="51515" level="0">
- <if_sid>51500</if_sid>
- <match>atascsi_passthru_done, timeout</match>
- <description>Timeout in atascsi_passthru_done.</description>
- </rule>
-
- <rule id="51516" level="0">
- <if_sid>51500</if_sid>
- <regex>RTC BIOS diagnostic error 80\pclock_battery\p</regex>
- <description>Clock battery error 80</description>
- </rule>
-
- <rule id="51518" level="3">
- <if_sid>51500</if_sid>
- <match>i/o error on block</match>
- <description>I/O error on a storage device</description>
- </rule>
-
- <rule id="51519" level="1">
- <if_sid>51500</if_sid>
- <match>kbc: cmd word write error</match>
- <description>kbc error.</description>
- </rule>
-
- <rule id="51520" level="1">
- <if_sid>51500</if_sid>
- <match>BBB reset failed, IOERROR</match>
- <description>USB reset failed, IOERROR.</description>
- </rule>
-
- <rule id="51521" level="0" noalert="1">
- <decoded_as>groupdel</decoded_as>
- <description>Grouping for groupdel rules.</description>
- <group>groupdel,</group>
- </rule>
-
- <rule id="51522" level="2">
- <if_sid>51521</if_sid>
- <match>group deleted</match>
- <description>Group deleted.</description>
- <group>groupdel,</group>
- </rule>
-
- <rule id="51523" level="0">
- <program_name>savecore</program_name>
- <match>no core dump</match>
- <description>No core dumps.</description>
- </rule>
-
- <rule id="51524" level="4">
- <program_name>reboot</program_name>
- <match>rebooted by</match>
- <description>System was rebooted.</description>
- </rule>
-
- <rule id="51525" level="0">
- <program_name>^ftp-proxy</program_name>
- <match>proxy cannot connect to server</match>
- <description>ftp-proxy cannot connect to a server.</description>
- </rule>
-
- <rule id="51526" level="0">
- <decoded_as>bsd_kernel</decoded_as>
- <match>uncorrectable data error reading fsbn</match>
- <description>Hard drive is dying.</description>
- </rule>
-
- <rule id="51527" level="0">
- <decoded_as>bsd_kernel</decoded_as>
- <match>^carp</match>
- <action>state transition</action>
- <status>MASTER -> BACKUP</status>
- <description>CARP master to backup.</description>
- </rule>
-
- <rule id="51528" level="0">
- <decoded_as>bsd_kernel</decoded_as>
- <match>duplicate IP6 address</match>
- <description>Duplicate IPv6 address.</description>
- </rule>
-
- <rule id="51529" level="0">
- <decoded_as>bsd_kernel</decoded_as>
- <match>failed loadfirmware of file</match>
- <description>Could not load a firmware.</description>
- </rule>
-
- <rule id="51530" level="0">
- <program_name>^hotplugd</program_name>
- <match>Permission denied$</match>
- <description>hotplugd could not open a file.</description>
- </rule>
-
- <rule id="51531" level="3">
- <decoded_as>open-userdel</decoded_as>
- <match>user removed: name=</match>
- <description>User account deleted.</description>
- <group>account_changed,</group>
- </rule>
-
- <rule id="51532" level="0">
- <decoded_as>ntpd</decoded_as>
- <match>bad peer from </match>
- <description>Bad ntp peer.</description>
- </rule>
-
- <rule id="51533" level="1">
- <program_name>^dhclient$</program_name>
- <if_sid>1002</if_sid>
- <match>receive_packet failed on </match>
- <description>dhclient receive_packet failed.</description>
- </rule>
-
- <rule id="51534" level="1">
- <if_sid>51533</if_sid>
- <match>Input/output error$</match>
- <description>dhclient receive_packet failed due to I/O error.</description>
- </rule>
-
- <rule id="51535" level="1">
- <program_name>^dhclient$</program_name>
- <if_sid>1002</if_sid>
- <match>SIOCDIFADDR failed </match>
- <description>SIOCDIFADDR failed</description>
- </rule>
-
- <rule id="51536" level="1">
- <if_sid>51535</if_sid>
- <match> Device not configured$</match>
- <description>dhclient: device not configured.</description>
- </rule>
-
-</group>
-
-<group name="local,syslog,openbsd,doas">
-
- <rule id="51550" level="0">
- <decoded_as>doas</decoded_as>
- <description>doas grouping</description>
- </rule>
-
- <rule id="51551" level="1">
- <if_sid>51550</if_sid>
- <match>cannot stat</match>
- <description>doas cannot stat a file.</description>
- </rule>
-
- <rule id="51552" level="2">
- <if_sid>51551</if_sid>
- <match>: Permission denied$</match>
- <description>doas cannot stat a file due to permissions.</description>
- </rule>
-
- <rule id="51553" level="5">
- <if_sid>51550</if_sid>
- <match>path not secure$</match>
- <description>A critical path for doas does not have secure permissions.</description>
- </rule>
-
- <rule id="51554" level="5">
- <if_sid>51550</if_sid>
- <match>failed command for </match>
- <description>Failed doas command.</description>
- </rule>
-
- <rule id="51555" level="1">
- <if_sid>51550</if_sid>
- <match>ran command</match>
- <description>A command was run using doas.</description>
- </rule>
-
- <rule id="51556" level="2">
- <if_sid>51555</if_sid>
- <match> as root </match>
- <description>A doas command was run as root.</description>
- </rule>
-
- <rule id="51557" level="5">
- <if_sid>51550</if_sid>
- <match>failed auth for</match>
- <description>doas authentication failed.</description>
- </rule>
-
- <rule id="51558" level="4">
- <program_name>sendsyslog</program_name>
- <match>^dropped </match>
- <description>sendsyslog dropped log messages.</description>
- </rule>
-
-</group> <!-- SYSLOG,LOCAL -->
-
-
- <!-- EOF -->
+++ /dev/null
-<!--
-Aug 14 10:15:25 junction.example.com smtpd[28882]: smtp-in: Failed command on session 1f55bdcdf16e28a3: "MAIL FROM:<root@junction.example.com> " => 421 4.3.0: Temporar
-y Error
--->
-
-<group name="syslog,smtpd,">
-
- <rule id="53500" level="0">
- <decoded_as>smtpd</decoded_as>
- <description>OpenSMTPd grouping.</description>
- </rule>
-
- <rule id="53501" level="3">
- <decoded_as>smtpd</decoded_as>
- <if_sid>53500</if_sid>
- <status>Failed</status>
- <description>Message failed.</description>
- </rule>
-
- <rule id="53502" level="0">
- <decoded_as>smtpd</decoded_as>
- <if_sid>53500</if_sid>
- <match> New session</match>
- <description>New session created.</description>
- </rule>
-
- <rule id="53503" level="0">
- <decoded_as>smtpd</decoded_as>
- <if_sid>53500</if_sid>
- <match> Closing session</match>
- <description>Session closed.</description>
- </rule>
-
- <rule id="53504" level="0">
- <decoded_as>smtpd</decoded_as>
- <if_sid>53500</if_sid>
- <status>Accepted</status>
- <description>Message accepted.</description>
- </rule>
-
- <rule id="53505" level="0">
- <decoded_as>smtpd</decoded_as>
- <if_sid>53500</if_sid>
- <match>delivery: Ok</match>
- <description>Email delivered.</description>
- </rule>
-
- <rule id="53506" level="2">
- <if_sid>53501</if_sid>
- <match>Command not supported$</match>
- <description>SMTP command not supported.</description>
- </rule>
-
- <rule id="53507" level="2">
- <decoded_as>smtpd</decoded_as>
- <if_sid>53500</if_sid>
- <match>IO error: No SSL error$</match>
- <description>OpenSMTPd: no SSL</description>
- </rule>
-
- <rule id="53508" level="5">
- <decoded_as>smtpd</decoded_as>
- <if_sid>53500</if_sid>
- <match>Server certificate verification failed</match>
- <description>Server TLS certificate verification failed.</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/ossec_rules.xml, 2012/03/30 dcid Exp $
-
- - Official ossec rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-
-<group name="ossec,">
- <rule id="500" level="0">
- <category>ossec</category>
- <decoded_as>ossec</decoded_as>
- <description>Grouping of ossec rules.</description>
- </rule>
-
- <rule id="501" level="3">
- <if_sid>500</if_sid>
- <if_fts />
- <options>alert_by_email</options>
- <match>Agent started</match>
- <description>New ossec agent connected.</description>
- </rule>
-
- <rule id="502" level="3">
- <if_sid>500</if_sid>
- <options>alert_by_email</options>
- <match>Ossec started</match>
- <description>Ossec server started.</description>
- </rule>
-
- <rule id="503" level="3">
- <if_sid>500</if_sid>
- <options>alert_by_email</options>
- <match>Agent started</match>
- <description>Ossec agent started.</description>
- </rule>
-
- <rule id="504" level="3">
- <if_sid>500</if_sid>
- <options>alert_by_email</options>
- <match>Agent disconnected</match>
- <description>Ossec agent disconnected.</description>
- </rule>
-
- <rule id="509" level="0">
- <category>ossec</category>
- <decoded_as>rootcheck</decoded_as>
- <description>Rootcheck event.</description>
- <group>rootcheck,</group>
- </rule>
-
- <rule id="510" level="7">
- <if_sid>509</if_sid>
- <description>Host-based anomaly detection event (rootcheck).</description>
- <group>rootcheck,</group>
- <if_fts />
- </rule>
-
- <rule id="511" level="0">
- <if_sid>510</if_sid>
- <match>^NTFS Alternate data stream found</match>
- <regex>Thumbs.db:encryptable'.|:Zone.Identifier'.|</regex>
- <regex>Exchsrvr/Mailroot/vsi</regex>
- <description>Ignored common NTFS ADS entries.</description>
- <group>rootcheck,</group>
- </rule>
-
- <rule id="512" level="3">
- <if_sid>510</if_sid>
- <match>^Windows Audit</match>
- <description>Windows Audit event.</description>
- <group>rootcheck,</group>
- </rule>
-
- <rule id="513" level="9">
- <if_sid>510</if_sid>
- <match>^Windows Malware</match>
- <description>Windows malware detected.</description>
- <group>rootcheck,</group>
- </rule>
-
- <rule id="514" level="2">
- <if_sid>510</if_sid>
- <match>^Application Found</match>
- <description>Windows application monitor event.</description>
- <group>rootcheck,</group>
- </rule>
-
- <rule id="515" level="0">
- <if_sid>510</if_sid>
- <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
- <match>^Starting syscheck scan|^Ending syscheck scan.</match>
- <description>Ignoring rootcheck/syscheck scan messages.</description>
- <group>rootcheck,syscheck</group>
- </rule>
-
- <rule id="516" level="3">
- <if_sid>510</if_sid>
- <match>^System Audit</match>
- <description>System Audit event.</description>
- <group>rootcheck,</group>
- </rule>
-
- <rule id="518" level="9">
- <if_sid>514</if_sid>
- <match>Adware|Spyware</match>
- <description>Windows Adware/Spyware application found.</description>
- <group>rootcheck,</group>
- </rule>
-
- <rule id="519" level="7">
- <if_sid>516</if_sid>
- <match>^System Audit: Web vulnerability</match>
- <description>System Audit: Vulnerable web application found.</description>
- <group>rootcheck,</group>
- </rule>
-
- <!-- Process monitoring rules -->
- <rule id="530" level="0">
- <if_sid>500</if_sid>
- <match>^ossec: output: </match>
- <description>OSSEC process monitoring rules.</description>
- <group>process_monitor,</group>
- </rule>
-
- <rule id="531" level="7" ignore="7200">
- <if_sid>530</if_sid>
- <match>ossec: output: 'df -P': /dev/</match>
- <regex>100%</regex>
- <description>Partition usage reached 100% (disk space monitor).</description>
- <group>low_diskspace,</group>
- </rule>
-
- <rule id="532" level="0">
- <if_sid>531</if_sid>
- <match>cdrom|/media|usb|/mount|floppy|dvd</match>
- <description>Ignoring external medias.</description>
- </rule>
-
- <rule id="533" level="7">
- <if_sid>530</if_sid>
- <match>ossec: output: 'netstat -tan</match>
- <check_diff />
- <description>Listened ports status (netstat) changed (new port opened or closed).</description>
- </rule>
-
- <rule id="534" level="1">
- <if_sid>530</if_sid>
- <match>ossec: output: 'w'</match>
- <check_diff />
- <options>no_log</options>
- <description>List of logged in users. It will not be alerted by default.</description>
- </rule>
-
- <rule id="535" level="1">
- <if_sid>530</if_sid>
- <match>ossec: output: 'last -n </match>
- <check_diff />
- <options>no_log</options>
- <description>List of the last logged in users.</description>
- </rule>
-
- <rule id="550" level="7">
- <category>ossec</category>
- <decoded_as>syscheck_integrity_changed</decoded_as>
- <description>Integrity checksum changed.</description>
- <group>syscheck,</group>
- </rule>
-
- <rule id="551" level="7">
- <category>ossec</category>
- <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
- <description>Integrity checksum changed again (2nd time).</description>
- <group>syscheck,</group>
- </rule>
-
- <rule id="552" level="7">
- <category>ossec</category>
- <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
- <description>Integrity checksum changed again (3rd time).</description>
- <group>syscheck,</group>
- </rule>
-
- <rule id="553" level="7">
- <category>ossec</category>
- <decoded_as>syscheck_deleted</decoded_as>
- <description>File deleted. Unable to retrieve checksum.</description>
- <group>syscheck,</group>
- </rule>
-
- <rule id="554" level="5">
- <category>ossec</category>
- <decoded_as>syscheck_new_entry</decoded_as>
- <description>File added to the system.</description>
- <group>syscheck,</group>
- </rule>
-
- <rule id="555" level="7">
- <if_sid>500</if_sid>
- <match>^ossec: agentless: </match>
- <description>Integrity checksum for agentless device changed.</description>
- <group>syscheck,agentless</group>
- </rule>
-
- <!-- Hostinfo rules -->
- <rule id="580" level="8">
- <category>ossec</category>
- <decoded_as>hostinfo_modified</decoded_as>
- <description>Host information changed.</description>
- <group>hostinfo,</group>
- </rule>
-
- <rule id="581" level="8">
- <category>ossec</category>
- <decoded_as>hostinfo_new</decoded_as>
- <description>Host information added.</description>
- <group>hostinfo,</group>
- </rule>
-
-
- <!-- File rotation/reducded rules -->
- <rule id="591" level="3">
- <if_sid>500</if_sid>
- <match>^ossec: File rotated </match>
- <description>Log file rotated.</description>
- </rule>
-
- <rule id="592" level="8">
- <if_sid>500</if_sid>
- <match>^ossec: File size reduced</match>
- <description>Log file size reduced.</description>
- <group>attacks,</group>
- </rule>
-
- <rule id="593" level="9">
- <if_sid>500</if_sid>
- <match>^ossec: Event log cleared</match>
- <description>Microsoft Event log cleared.</description>
- <group>logs_cleared,</group>
- </rule>
-
- <rule id="594" level="5">
- <category>ossec</category>
- <if_sid>550</if_sid>
- <hostname>syscheck-registry</hostname>
- <group>syscheck,</group>
- <description>Registry Integrity Checksum Changed</description>
- </rule>
-
- <rule id="595" level="5">
- <category>ossec</category>
- <if_sid>551</if_sid>
- <hostname>syscheck-registry</hostname>
- <group>syscheck,</group>
- <description>Registry Integrity Checksum Changed Again (2nd time)</description>
- </rule>
-
- <rule id="596" level="5">
- <category>ossec</category>
- <if_sid>552</if_sid>
- <hostname>syscheck-registry</hostname>
- <group>syscheck,</group>
- <description>Registry Integrity Checksum Changed Again (3rd time)</description>
- </rule>
-
- <rule id="597" level="5">
- <category>ossec</category>
- <if_sid>553</if_sid>
- <hostname>syscheck-registry</hostname>
- <group>syscheck,</group>
- <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
- </rule>
-
- <rule id="598" level="5">
- <category>ossec</category>
- <if_sid>554</if_sid>
- <hostname>syscheck-registry</hostname>
- <group>syscheck,</group>
- <description>Registry Entry Added to the System</description>
- </rule>
-
-<!-- active response rules
-Example:
-Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
--->
-
- <rule id="600" level="0">
- <decoded_as>ar_log</decoded_as>
- <description>Active Response Messages Grouped</description>
- <group>active_response,</group>
- </rule>
-
- <rule id="601" level="3">
- <if_sid>600</if_sid>
- <action>firewall-drop.sh</action>
- <status>add</status>
- <description>Host Blocked by firewall-drop.sh Active Response</description>
- <group>active_response,</group>
- </rule>
-
- <rule id="602" level="3">
- <if_sid>600</if_sid>
- <action>firewall-drop.sh</action>
- <status>delete</status>
- <description>Host Unblocked by firewall-drop.sh Active Response</description>
- <group>active_response,</group>
- </rule>
-
- <rule id="603" level="3">
- <if_sid>600</if_sid>
- <action>host-deny.sh</action>
- <status>add</status>
- <description>Host Blocked by host-deny.sh Active Response</description>
- <group>active_response,</group>
- </rule>
-
- <rule id="604" level="3">
- <if_sid>600</if_sid>
- <action>host-deny.sh</action>
- <status>delete</status>
- <description>Host Unblocked by host-deny.sh Active Response</description>
- <group>active_response,</group>
- </rule>
-
- <rule id="605" level="3">
- <if_sid>600</if_sid>
- <action>route-null.sh</action>
- <status>add</status>
- <description>Host Blocked by route-null.sh Active Response</description>
- <group>active_response,</group>
- </rule>
-
- <rule id="606" level="3">
- <if_sid>600</if_sid>
- <action>route-null.sh</action>
- <status>delete</status>
- <description>Host Unblocked by route-null.sh Active Response</description>
- <group>active_response,</group>
- </rule>
-
- <rule id="700" level="0">
- <category>ossec</category>
- <decoded_as>ossec-logcollector</decoded_as>
- <description>Logcollector Messages Grouped</description>
- </rule>
-
- <rule id="701" level="0">
- <if_sid>700</if_sid>
- <match>INFO: </match>
- <description>Ignore informational messages (usually at startup)</description>
- </rule>
-
-</group> <!-- OSSEC -->
+++ /dev/null
-<group name="syslog,owncloud,">
- <rule id="53300" level="0">
- <decoded_as>owncloud</decoded_as>
- <description>ownCloud messages grouped.</description>
- </rule>
-
- <rule id="53301" level="6">
- <if_sid>53300</if_sid>
- <match>Login failed: </match>
- <description>ownCloud authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="53302" level="10" frequency="6" timeframe="120">
- <if_matched_sid>53301</if_matched_sid>
- <same_source_ip />
- <description>ownCloud brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="53303" level="6">
- <if_sid>53300</if_sid>
- <match>Passed filename is not valid, might be malicious </match>
- <description>ownCloud possible malicious request.</description>
- <group>web,appsec,attack,</group>
- </rule>
-
- <rule id="53304" level="8">
- <if_sid>53300</if_sid>
- <status>^4$</status>
- <description>ownCloud FATAL message.</description>
- </rule>
-
- <rule id="53305" level="4">
- <if_sid>53300</if_sid>
- <status>^3$</status>
- <description>ownCloud ERROR message.</description>
- </rule>
-
- <rule id="53306" level="3">
- <if_sid>53300</if_sid>
- <status>^2$</status>
- <description>ownCloud WARN message.</description>
- </rule>
-
- <rule id="53307" level="0">
- <if_sid>53300</if_sid>
- <status>^1$</status>
- <description>ownCloud INFO message.</description>
- </rule>
-
- <rule id="53308" level="0">
- <if_sid>53300</if_sid>
- <status>^0$</status>
- <description>ownCloud DEBUG message.</description>
- </rule>
-
-</group>
\ No newline at end of file
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/pam_rules.xml, 2012/07/23 dcid Exp $
-
- - Official Unix Pam rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="pam,syslog,">
- <rule id="5500" level="0" noalert="1">
- <decoded_as>pam</decoded_as>
- <description>Grouping of the pam_unix rules.</description>
- </rule>
-
- <rule id="5501" level="3">
- <if_sid>5500</if_sid>
- <match>session opened for user </match>
- <description>Login session opened.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="5502" level="3">
- <if_sid>5500</if_sid>
- <match>session closed for user </match>
- <description>Login session closed.</description>
- </rule>
-
- <rule id="5503" level="5">
- <if_sid>5500</if_sid>
- <match>authentication failure; logname=</match>
- <description>User login failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="5504" level="5">
- <if_sid>5500</if_sid>
- <match>check pass; user unknown|error retrieving information about user</match>
- <description>Attempt to login with an invalid user.</description>
- <group>invalid_login</group>
- </rule>
-
- <!-- Ignoring Annoying Ubuntu/debian cron login events. -->
- <rule id="5521" level="0">
- <if_sid>5501</if_sid>
- <program_name>^CRON$</program_name>
- <match>^pam_unix(cron:session): session opened for user </match>
- <description>Ignoring Annoying Ubuntu/debian cron login events.</description>
- </rule>
-
- <rule id="5522" level="0">
- <if_sid>5502</if_sid>
- <program_name>^CRON$</program_name>
- <match>^pam_unix(cron:session): session closed for user </match>
- <description>Ignoring Annoying Ubuntu/debian cron login events.</description>
- </rule>
-
- <rule id="5523" level="0">
- <if_sid>5504</if_sid>
- <regex>^pam_unix\S+: check pass; user unknown$</regex>
- <description>Ignoring events with a user or a password.</description>
- </rule>
-
- <rule id="5551" level="10" frequency="6" timeframe="180">
- <if_matched_sid>5503</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins in a small period of time.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="5552" level="0">
- <if_sid>5500</if_sid>
- <match>gdm:auth): conversation failed</match>
- <description>PAM and gdm are not playing nicely.</description>
- </rule>
-
- <rule id="5553" level="4">
- <program_name>login</program_name>
- <match>cannot open shared object file: No such file or directory</match>
- <description>PAM misconfiguration.</description>
- </rule>
-
- <rule id="5554" level="4">
- <program_name>login</program_name>
- <match>illegal module type: </match>
- <description>PAM misconfiguration.</description>
- </rule>
-
- <rule id="5555" level="3">
- <match>: password changed for</match>
- <description>User changed password.</description>
- </rule>
-
- <rule id="5556" level="0">
- <decoded_as>unix_chkpwd</decoded_as>
- <description>unix_chkpwd grouping.</description>
- </rule>
-
- <rule id="5557" level="5">
- <if_sid>5556</if_sid>
- <match>password check failed </match>
- <description>Password check failed.</description>
- <group>authentication_failure</group>
- </rule>
-
-
-</group> <!-- SYSLOG,pam -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/php_rules.xml, 2012/05/09 dcid Exp $
-
- - Official PHP rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="apache,">
- <rule id="31401" level="0">
- <if_sid>31301, 30101</if_sid>
- <match>PHP Warning: </match>
- <description>PHP Warning message.</description>
- </rule>
-
- <rule id="31402" level="0">
- <if_sid>31301, 30101</if_sid>
- <match>PHP Fatal error: </match>
- <description>PHP Fatal error.</description>
- </rule>
-
- <rule id="31403" level="0">
- <if_sid>31301, 30101</if_sid>
- <match>PHP Parse error:</match>
- <description>PHP Parse error.</description>
- </rule>
-
- <rule id="31404" level="0">
- <match>^PHP Warning: </match>
- <description>PHP Warning message.</description>
- </rule>
-
- <rule id="31405" level="0">
- <match>^PHP Fatal error: </match>
- <description>PHP Fatal error.</description>
- </rule>
-
- <rule id="31406" level="0">
- <match>^PHP Parse error: </match>
- <description>PHP Parse error.</description>
- </rule>
-
-
- <!-- PHP Warnings
- - PHP Warning: urlencode() expects parameter 1 to be string, array given in
- -->
- <rule id="31410" level="3">
- <if_sid>31401, 31404</if_sid>
- <description>PHP Warning message.</description>
- </rule>
-
- <rule id="31411" level="6">
- <if_sid>31410</if_sid>
- <match> expects parameter 1 to be string, array given in</match>
- <group>attack,</group>
- <description>PHP web attack.</description>
- </rule>
-
- <rule id="31412" level="5">
- <if_sid>31410</if_sid>
- <match>Failed opening|failed to open stream</match>
- <description>PHP internal error (missing file).</description>
- <options>alert_by_email</options>
- </rule>
-
- <rule id="31413" level="5" ignore="1200">
- <if_sid>31410</if_sid>
- <match>bytes written, possibly out of free disk space in</match>
- <description>PHP internal error (server out of space).</description>
- <options>alert_by_email</options>
- <group>low_diskspace,</group>
- </rule>
-
-
- <!-- PHP Fatal errors
- - PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening require
-d 'includes/SkinTemplate.php'
- -->
- <rule id="31420" level="5">
- <if_sid>31402, 31405</if_sid>
- <description>PHP Fatal error.</description>
- </rule>
-
- <rule id="31421" level="5">
- <if_sid>31420</if_sid>
- <match>Failed opening required |Call to undefined function </match>
- <description>PHP internal error (missing file or function).</description>
- <options>alert_by_email</options>
- </rule>
-
-
-
- <!-- PHP Parse error -->
- <rule id="31430" level="5">
- <if_sid>31403, 31406</if_sid>
- <description>PHP Parse error.</description>
- <options>alert_by_email</options>
- </rule>
-
-</group> <!-- ERROR_LOG, PHP -->
-
-<!-- EOF -->
-
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/pix_rules.xml, 2011/11/01 dcid Exp $
-
- - Official PIX rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- For more info:
- - http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/syslog/logsev.htm
- - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/sysmgmt.htm
- -->
-
-
-<group name="syslog,pix,">
- <rule id="4300" level="0">
- <decoded_as>pix</decoded_as>
- <description>Grouping of PIX rules</description>
- </rule>
-
- <rule id="4310" level="5">
- <if_sid>4300</if_sid>
- <id>^1-</id>
- <description>PIX alert message.</description>
- </rule>
-
- <rule id="4311" level="5">
- <if_sid>4300</if_sid>
- <id>^2-</id>
- <description>PIX critical message.</description>
- </rule>
-
- <rule id="4312" level="4">
- <if_sid>4300</if_sid>
- <id>^3-</id>
- <description>PIX error message.</description>
- </rule>
-
- <rule id="4313" level="4">
- <if_sid>4300</if_sid>
- <id>^4-</id>
- <description>PIX warning message.</description>
- </rule>
-
- <rule id="4314" level="0">
- <if_sid>4300</if_sid>
- <id>^5-|^6-</id>
- <description>PIX notification/informational message.</description>
- </rule>
-
- <rule id="4315" level="0">
- <if_sid>4300</if_sid>
- <id>^7-</id>
- <description>PIX debug message.</description>
- </rule>
-
- <rule id="4321" level="9">
- <if_sid>4314</if_sid>
- <id>^6-605004</id>
- <description>Failed login attempt at the PIX firewall.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="4322" level="3">
- <if_sid>4314</if_sid>
- <id>^5-502103</id>
- <description>Privilege changed in the PIX firewall.</description>
- </rule>
-
- <rule id="4323" level="3">
- <if_sid>4314</if_sid>
- <id>^6-605005</id>
- <description>Successful login to the PIX firewall.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="4324" level="9">
- <if_sid>4314</if_sid>
- <id>^6-308001</id>
- <description>Password mismatch while running 'enable' </description>
- <description>on the PIX.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="4325" level="8">
- <if_sid>4313</if_sid>
- <id>^4-405001</id>
- <description>ARP collision detected by the PIX.</description>
- </rule>
-
- <rule id="4326" level="8">
- <if_sid>4313</if_sid>
- <id>^4-401004</id>
- <description>Attempt to connect from a blocked (shunned) IP.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="4327" level="8">
- <if_sid>4313</if_sid>
- <id>^4-710004</id>
- <description>Connection limit exceeded.</description>
- </rule>
-
- <rule id="4330" level="8">
- <if_sid>4310</if_sid>
- <id>^1-106021|^1-106022</id>
- <description>Attack in progress detected by the PIX.</description>
- </rule>
-
- <rule id="4331" level="8">
- <if_sid>4311</if_sid>
- <id>^2-106012|^2-106017|^2-106020</id>
- <description>Attack in progress detected by the PIX.</description>
- </rule>
-
- <rule id="4332" level="8">
- <if_sid>4313</if_sid>
- <id>^4-4000</id>
- <description>Attack in progress detected by the PIX.</description>
- </rule>
-
- <!-- Grouping of attack in progress messages. The three above
- - will never be alerted, but this one instead.
- -->
- <rule id="4333" level="8">
- <if_sid>4330, 4331, 4332</if_sid>
- <description>Attack in progress detected by the PIX.</description>
- <group>ids,</group>
- </rule>
-
- <rule id="4334" level="5">
- <if_sid>4314</if_sid>
- <id>^6-113005</id>
- <description>AAA (VPN) authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="4335" level="3">
- <if_sid>4314</if_sid>
- <id>^6-113004</id>
- <description>AAA (VPN) authentication successful.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="4336" level="8">
- <if_sid>4314</if_sid>
- <id>^6-113006</id>
- <description>AAA (VPN) user locked out.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="4337" level="8">
- <if_sid>4312</if_sid>
- <id>^3-201008</id>
- <description>The PIX is disallowing new connections.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="4338" level="8">
- <if_sid>4310</if_sid>
- <id>^1-105005|^1-105009|^1-105043</id>
- <match>Failed|Lost Failover</match>
- <description>Firewall failover pair communication problem.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="4339" level="8">
- <if_sid>4314</if_sid>
- <id>^5-111003</id>
- <description>Firewall configuration deleted.</description>
- <group>config_changed,</group>
- </rule>
-
- <rule id="4340" level="8">
- <if_sid>4314</if_sid>
- <id>^5-111005|^5-111004|^5-111002|^5-111007</id>
- <description>Firewall configuration changed.</description>
- <group>config_changed,</group>
- </rule>
-
- <rule id="4341" level="3">
- <if_sid>4314</if_sid>
- <id>^5-111008|^7-111009</id>
- <description>Firewall command executed (for accounting only).</description>
- </rule>
-
- <rule id="4342" level="8">
- <if_sid>4314</if_sid>
- <id>^5-502101|^5-502102</id>
- <description>User created or modified on the Firewall.</description>
- <group>adduser,account_changed,</group>
- </rule>
-
- <rule id="4380" level="10" frequency="6" timeframe="360">
- <if_matched_sid>4310</if_matched_sid>
- <description>Multiple PIX alert messages.</description>
- </rule>
-
- <rule id="4381" level="10" frequency="6" timeframe="360">
- <if_matched_sid>4311</if_matched_sid>
- <description>Multiple PIX critical messages.</description>
- </rule>
-
- <rule id="4382" level="10" frequency="8" timeframe="120">
- <if_matched_sid>4312</if_matched_sid>
- <description>Multiple PIX error messages.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="4383" level="10" frequency="8" timeframe="120">
- <if_matched_sid>4313</if_matched_sid>
- <description>Multiple PIX warning messages.</description>
- </rule>
-
- <rule id="4385" level="10" frequency="8" timeframe="240" ignore="90">
- <if_matched_sid>4333</if_matched_sid>
- <same_source_ip />
- <description>Multiple attack in progress messages.</description>
- </rule>
-
- <rule id="4386" level="10" frequency="8" timeframe="240">
- <if_matched_sid>4334</if_matched_sid>
- <description>Multiple AAA (VPN) authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-</group> <!-- SYSLOG,PIX -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/policy_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Policy rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="policy_violation,">
- <rule id="17101" level="9">
- <if_group>authentication_success</if_group>
- <time>6 pm - 8:30 am</time>
- <description>Successful login during non-business hours.</description>
- <group>login_time,</group>
- </rule>
-
- <rule id="17102" level="9">
- <if_group>authentication_success</if_group>
- <weekday>weekends</weekday>
- <description>Successful login during weekend.</description>
- <group>login_day,</group>
- </rule>
-</group> <!-- POLICY_RULES -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/postfix_rules.xml, 2011/09/08 dcid Exp $
-
- - Official postfix rules for OSSEC.
- - Author: Ahmet Ozturk
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-<var name="POSTFIX_FREQ">6</var>
-
-<group name="syslog,postfix,">
- <rule id="3300" level="0">
- <decoded_as>postfix-reject</decoded_as>
- <description>Grouping of the postfix reject rules.</description>
- </rule>
-
- <rule id="3301" level="6">
- <if_sid>3300</if_sid>
- <id>^554$</id>
- <description>Attempt to use mail server as relay </description>
- <description>(client host rejected).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3302" level="6">
- <if_sid>3300</if_sid>
- <id>^550$</id>
- <description>Rejected by access list </description>
- <description>(Requested action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3303" level="5">
- <if_sid>3300</if_sid>
- <id>^450$</id>
- <description>Sender domain is not found </description>
- <description>(450: Requested mail action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3304" level="5">
- <if_sid>3300</if_sid>
- <id>^503$</id>
- <description>Improper use of SMTP command pipelining </description>
- <description>(503: Bad sequence of commands).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3305" level="5">
- <if_sid>3300</if_sid>
- <id>^504$</id>
- <description>Recipient address must contain FQDN </description>
- <description>(504: Command parameter not implemented).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3306" level="6">
- <if_sid>3301, 3302</if_sid>
- <match> blocked using </match>
- <description>IP Address deny-listed by anti-spam (blocked).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3320" level="0">
- <decoded_as>postfix</decoded_as>
- <description>Grouping of the postfix rules.</description>
- </rule>
-
- <rule id="3330" level="10" ignore="240">
- <if_sid>3320</if_sid>
- <match>defer service failure|Resource temporarily unavailable|</match>
- <match>^fatal: the Postfix mail system is not running</match>
- <description>Postfix process error.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="3332" level="5">
- <if_sid>3320</if_sid>
- <match> authentication failed</match>
- <description>Postfix SASL authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="3331" level="10" ignore="120">
- <if_sid>3300</if_sid>
- <id>^452</id>
- <description>Postfix insufficient disk space error.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="3334" level="3">
- <if_sid>3320</if_sid>
- <match>^daemon started </match>
- <description>Postfix started.</description>
- </rule>
-
- <rule id="3333" level="7">
- <if_sid>3320</if_sid>
- <match>^terminating on signal</match>
- <description>Postfix stopped.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="3351" level="6" frequency="$POSTFIX_FREQ" timeframe="90">
- <if_matched_sid>3301</if_matched_sid>
- <same_source_ip />
- <description>Multiple relaying attempts of spam.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3352" level="6" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3302</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from a </description>
- <description>rejected sender IP (access).</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3303</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from </description>
- <description>invalid/unknown sender domain.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3354" level="12" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3304</if_matched_sid>
- <same_source_ip />
- <description>Multiple misuse of SMTP service </description>
- <description>(bad sequence of commands).</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3355" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3305</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail to </description>
- <description>invalid recipient or from unknown sender domain.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3356" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="30">
- <if_matched_sid>3306</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from </description>
- <description>deny-listed IP address (blocked).</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3357" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>3332</if_matched_sid>
- <same_source_ip />
- <description>Multiple SASL authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="3390" level="0">
- <match>^clamsmtpd: </match>
- <description>Grouping of the clamsmtpd rules.</description>
- </rule>
-</group> <!-- SYSLOG,POSTFIX -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/postgresql_rules.xml, 2011/09/08 dcid Exp $
-
- - Official PostgreSQL rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- PostgreSQL Log messages -->
-<group name="postgresql_log,">
- <rule id="50500" level="0">
- <decoded_as>postgresql_log</decoded_as>
- <description>PostgreSQL messages grouped.</description>
- </rule>
-
- <rule id="50501" level="0">
- <if_sid>50500</if_sid>
- <status>^LOG</status>
- <description>PostgreSQL log message.</description>
- </rule>
-
- <rule id="50502" level="0">
- <if_sid>50500</if_sid>
- <status>^NOTICE|INFO</status>
- <description>PostgreSQL informational message.</description>
- </rule>
-
- <rule id="50503" level="4">
- <if_sid>50500</if_sid>
- <status>^ERROR</status>
- <description>PostgreSQL error message.</description>
- </rule>
-
- <rule id="50504" level="5">
- <if_sid>50500</if_sid>
- <status>^FATAL</status>
- <description>PostgreSQL error message.</description>
- </rule>
-
- <rule id="50505" level="0">
- <if_sid>50500</if_sid>
- <status>^DEBUG</status>
- <description>PostgreSQL debug message.</description>
- </rule>
-
- <rule id="50510" level="0">
- <if_sid>50501</if_sid>
- <match> duration: | statement: </match>
- <description>Database query.</description>
- </rule>
-
- <rule id="50511" level="3">
- <if_sid>50501</if_sid>
- <match>connection authorized</match>
- <description>Database authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="50512" level="9">
- <if_sid>50504</if_sid>
- <match>authentication failed</match>
- <description>Database authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="50520" level="12">
- <if_sid>50504</if_sid>
- <match>terminating connection due</match>
- <description>Database shutdown message.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="50521" level="12">
- <if_sid>50501</if_sid>
- <match>aborting any active transactions|shutting down</match>
- <description>Database shutdown message.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="50580" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>50504</if_matched_sid>
- <description>Multiple database errors.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="50581" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>50503</if_matched_sid>
- <description>Multiple database errors.</description>
- <group>service_availability,</group>
- </rule>
-
-</group> <!-- POSTGRESQL -->
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/proftpd_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Proftpd rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-
-<group name="syslog,proftpd,">
- <rule id="11200" level="0" noalert="1">
- <decoded_as>proftpd</decoded_as>
- <description>Grouping for the proftpd rules.</description>
- </rule>
-
- <rule id="11201" level="3">
- <if_sid>11200</if_sid>
- <match>FTP session opened.$</match>
- <description>FTP session opened.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11202" level="0">
- <if_sid>11200</if_sid>
- <match>FTP session closed.$</match>
- <description>FTP session closed.</description>
- </rule>
-
- <rule id="11203" level="5">
- <if_sid>11200</if_sid>
- <match> no such user </match>
- <description>Attempt to login using a non-existent user.</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="11204" level="5">
- <if_sid>11200</if_sid>
- <match>Incorrect password.$|Login failed</match>
- <description>Login failed accessing the FTP server</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11205" level="3">
- <if_sid>11200</if_sid>
- <match>Login successful</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="11206" level="5">
- <if_sid>11200</if_sid>
- <regex>Connection from \S+ [\S+] denied</regex>
- <description>Connection denied by ProFTPD configuration.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="11207" level="5">
- <if_sid>11200</if_sid>
- <match>refused connect from</match>
- <description>Connection refused by TCP Wrappers.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="11208" level="4">
- <if_sid>11200</if_sid>
- <match>unable to find open port in PassivePorts range</match>
- <description>Small PassivePorts range in config file. </description>
- <description>Server misconfiguration.</description>
- </rule>
-
- <rule id="11209" level="14">
- <if_sid>11200</if_sid>
- <match>Refused PORT </match>
- <description>Attempt to bypass firewall that can't adequately</description>
- <description> keep state of FTP traffic.</description>
- <info type="link">http://www.kb.cert.org/vuls/id/328867</info>
- <info type="text">US-Cert Note VU#328867: Multiple vendors' firewalls do not adequately keep state of FTP traffic</info>
- </rule>
-
- <rule id="11210" level="10">
- <if_sid>11200</if_sid>
- <match>Maximum login attempts </match>
- <description>Multiple failed login attempts.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11211" level="4">
- <if_sid>11200</if_sid>
- <match>host name/name mismatch|host name/address mismatch</match>
- <description>Mismatch in server's hostname.</description>
- </rule>
-
- <rule id="11212" level="5">
- <if_sid>11200</if_sid>
- <match>warning: can't verify hostname: </match>
- <description>Reverse lookup error (bad ISP config).</description>
- </rule>
-
- <rule id="11213" level="3">
- <if_sid>11200</if_sid>
- <match>connect from </match>
- <description>Remote host connected to FTP server.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11214" level="3">
- <if_sid>11200</if_sid>
- <match>FTP no transfer timeout, disconnected</match>
- <description>Remote host disconnected due to inactivity.</description>
- </rule>
-
- <rule id="11215" level="3">
- <if_sid>11200</if_sid>
- <match>FTP login timed out, disconnected</match>
- <description>Remote host disconnected due to login time out.</description>
- </rule>
-
- <rule id="11216" level="3">
- <if_sid>11200</if_sid>
- <match>FTP session idle timeout, disconnected</match>
- <description>Remote host disconnected due to time out.</description>
- </rule>
-
- <rule id="11217" level="3">
- <if_sid>11200</if_sid>
- <match>Data transfer stall timeout:</match>
- <description>Data transfer stalled.</description>
- </rule>
-
- <rule id="11218" level="12">
- <if_sid>11200</if_sid>
- <match>ProFTPD terminating (signal 11)</match>
- <description>FTP process crashed.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="11219" level="12">
- <if_sid>11200</if_sid>
- <match>Reallocating sreaddir buffer</match>
- <description>FTP server Buffer overflow attempt.</description>
- </rule>
-
- <rule id="11220" level="4">
- <if_sid>11200</if_sid>
- <match>listen() failed in</match>
- <description>Unable to bind to adress.</description>
- </rule>
-
- <rule id="11221" level="0">
- <if_sid>11200</if_sid>
- <match>error setting IPV6_V6ONLY: Protocol not available|</match>
- <match> - mod_delay/|PAM(setcred): System error|</match>
- <match>PAM(close_session): System error|cap_set_proc failed|reverting to normal operation|error retrieving information about user</match>
- <description>IPv6 error and mod-delay info (ignored).</description>
- </rule>
-
- <rule id="11222" level="4">
- <if_sid>11200</if_sid>
- <match>unable to open incoming connection</match>
- <description>Couldn't open the incoming connection. </description>
- <description>Check log message for reason.</description>
- </rule>
-
- <rule id="11251" level="10" frequency="6" timeframe="120">
- <if_matched_sid>11204</if_matched_sid>
- <same_source_ip />
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11252" level="10" frequency="10" timeframe="60">
- <if_matched_sid>11201</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11253" level="10" frequency="10" timeframe="120">
- <if_matched_sid>11215</if_matched_sid>
- <same_source_ip />
- <description>Multiple timed out logins from same source.</description>
- </rule>
-
-</group> <!-- SYSLOG,PROFTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<group name="syslog,proxmox-ve,">
- <rule id="53400" level="0">
- <decoded_as>pvedaemon</decoded_as>
- <description>pvedaemon messages grouped.</description>
- </rule>
-
- <rule id="53401" level="6">
- <if_sid>53400</if_sid>
- <match>authentication failure; </match>
- <description>Proxmox VE authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="53402" level="10" frequency="6" timeframe="120">
- <if_matched_sid>53401</if_matched_sid>
- <same_source_ip />
- <description>Proxmox VE brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="53403" level="3">
- <if_sid>53400</if_sid>
- <match> successful auth for user </match>
- <description>Proxmox VE authentication succeeded.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group>
\ No newline at end of file
+++ /dev/null
-<group name="syslog,psad,">
- <rule id="53700" level="0">
- <program_name>psad</program_name>
- <decoded_as>psad</decoded_as>
- <description>PSAD group</description>
- </rule>
- <!-- PSAD Log Types -->
- <rule id="53701" level="0">
- <if_sid>53700</if_sid>
- <match>scan detected</match>
- <description>PSAD group scan detected</description>
- </rule>
- <rule id="53702" level="0">
- <if_sid>53700</if_sid>
- <match>added iptables</match>
- <description>PSAD group added iptables</description>
- </rule>
- <!-- PSAD Rule Chains -->
- <rule id="53711" level="10">
- <if_sid>53701</if_sid>
- <match>DL: 4|DL: 5</match>
- <description>PSAD portscan</description>
- </rule>
- <rule id="53712" level="10">
- <if_sid>53702</if_sid>
- <match>auto-block against</match>
- <description>PSAD auto-block</description>
- </rule>
-<!-- WARNING: PSAD Danger Level 3 can be positives -->
- <rule id="53713" level="3">
- <if_sid>53701</if_sid>
- <match>DL: 3</match>
- <description>PSAD level 3 warning</description>
- </rule>
- <rule id="53714" level="10" frequency="4" timeframe="600">
- <if_matched_sid>53713</if_matched_sid>
- <same_source_ip />
- <description>many PSAD level 3 warnings from same source</description>
- </rule>
- <rule id="53715" level="10" frequency="8" timeframe="3600">
- <if_matched_sid>53713</if_matched_sid>
- <same_source_ip />
- <description>many PSAD level 3 warnings from same source (slow scan)</description>
- </rule>
- <!-- PSAD Signature Match -->
- <rule id="53716" level="6">
- <if_sid>53700</if_sid>
- <match>signature match: </match>
- <description>PSAD signature match</description>
- </rule>
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/pure-ftpd_rules.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] New connection from</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Authentication failed for user</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout| [INFO] Timeout</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Can't change directory to</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="120">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] \S+ is now logged in| is now logged in</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="11310" level="0">
- <decoded_as>pure-transfer</decoded_as>
- <description>Rule grouping for pure ftpd transfers.</description>
- </rule>
-
- <rule id="11311" level="0">
- <if_sid>11310</if_sid>
- <action>PUT</action>
- <description>File added to ftpd.</description>
- </rule>
-
- <rule id="11312" level="0">
- <if_sid>11310</if_sid>
- <action>GET</action>
- <description>File retrieved from ftpd.</description>
- </rule>
-
-
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/racoon_rules.xml, 2011/09/08 dcid Exp $
-
- - Racoon VPN rules for OSSEC HIDS.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- BETA -->
-
-<group name="syslog,racoon,">
- <rule id="14100" level="0">
- <decoded_as>racoon</decoded_as>
- <description>Grouping of racoon rules.</description>
- </rule>
-
- <rule id="14101" level="5">
- <decoded_as>racoon-failed</decoded_as>
- <description>VPN authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="14110" level="0">
- <if_sid>14100</if_sid>
- <action>INFO</action>
- <description>Racoon informational message.</description>
- </rule>
-
- <rule id="14111" level="4">
- <if_sid>14100</if_sid>
- <action>ERROR</action>
- <description>Racoon error message.</description>
- </rule>
-
- <rule id="14112" level="4">
- <if_sid>14100</if_sid>
- <action>WARNING</action>
- <description>Racoon warning message.</description>
- </rule>
-
- <rule id="14120" level="3">
- <if_sid>14110</if_sid>
- <match>ISAKMP-SA established </match>
- <group>authentication_success</group>
- <description>VPN established.</description>
- </rule>
-
- <rule id="14121" level="0">
- <if_sid>14111</if_sid>
- <match>such policy does not already exist</match>
- <description>Roadwarrior configuration (ignored error).</description>
- </rule>
-
- <rule id="14122" level="0">
- <if_sid>14112</if_sid>
- <match>ignore INITIAL-CONTACT notification</match>
- <description>Roadwarrior configuration (ignored warning).</description>
- </rule>
-
- <rule id="14123" level="0">
- <if_sid>14111</if_sid>
- <match>ERROR: invalid attribute|ERROR: rejected</match>
- <description>Invalid configuration settings (ignored error).</description>
- </rule>
-
- <rule id="14151" level="9" frequency="3" timeframe="360">
- <if_matched_sid>14101</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed VPN logins.</description>
- </rule>
-</group> <!-- SYSLOG,RACOON -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/roundcube_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Roundcube rules for OSSEC.
- -
- - Author: Michael Starks
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-<group name="syslog,roundcube,">
- <rule id="9400" level="0">
- <decoded_as>roundcube</decoded_as>
- <description>Roundcube messages grouped.</description>
- </rule>
-
- <rule id="9401" level="6">
- <if_sid>9400</if_sid>
- <match>failed (LOGIN)| Login failed | Authentication failed| Failed login </match>
- <description>Roundcube authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="9402" level="3">
- <if_sid>9400</if_sid>
- <match>Successful login</match>
- <description>Roundcube authentication succeeded.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="9403" level="10" frequency="6" timeframe="120">
- <if_matched_sid>9401</if_matched_sid>
- <same_source_ip />
- <description>Roundcube brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-</group>
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/rules_config.xml, 2011/09/08 dcid Exp $
-
- - Rules config.
- - Configuration options. This file must always be included, otherwise
- - most of the rules will not work properly.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog">
- <rule id="01" level="0" noalert="1">
- <category>syslog</category>
- <description>Generic template for all syslog rules.</description>
- </rule>
-</group>
-
-<group name="firewall">
- <rule id="02" level="0" noalert="1">
- <category>firewall</category>
- <description>Generic template for all firewall rules.</description>
- </rule>
-</group>
-
-<group name="ids">
- <rule id="03" level="0" noalert="1">
- <category>ids</category>
- <description>Generic template for all ids rules.</description>
- </rule>
-</group>
-
-<group name="web-log">
- <rule id="04" level="0" noalert="1">
- <category>web-log</category>
- <description>Generic template for all web rules.</description>
- </rule>
-</group>
-
-<group name="squid">
- <rule id="05" level="0" noalert="1">
- <category>squid</category>
- <description>Generic template for all web proxy rules.</description>
- </rule>
-</group>
-
-<group name="windows">
- <rule id="06" level="0" noalert="1">
- <category>windows</category>
- <description>Generic template for all windows rules.</description>
- </rule>
-</group>
-
-<group name="ossec">
- <rule id="07" level="0" noalert="1">
- <category>ossec</category>
- <description>Generic template for all ossec rules.</description>
- </rule>
-</group>
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/sendmail_rules.xml, 2011/09/08 dcid Exp $
-
- - Official sendmail rules for OSSEC.
- - Author: Ahmet Ozturk
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,sendmail,">
- <rule id="3100" level="0">
- <decoded_as>sendmail-reject</decoded_as>
- <description>Grouping of the sendmail rules.</description>
- </rule>
-
- <rule id="3101" level="0" noalert="1">
- <if_sid>3100</if_sid>
- <match>reject=</match>
- <description>Grouping of the sendmail reject rules.</description>
- </rule>
-
- <rule id="3102" level="5">
- <if_sid>3101</if_sid>
- <match>reject=451 4.1.8 </match>
- <description>Sender domain does not have any valid </description>
- <description>MX record (Requested action aborted).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3103" level="6">
- <if_sid>3101</if_sid>
- <match>reject=550 5.0.0 |reject=553 5.3.0</match>
- <description>Rejected by access list </description>
- <description>(55x: Requested action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3104" level="6">
- <if_sid>3101</if_sid>
- <match>reject=550 5.7.1 </match>
- <description>Attempt to use mail server as relay </description>
- <description>(550: Requested action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3105" level="5">
- <if_sid>3101</if_sid>
- <match>reject=553 5.1.8 </match>
- <description>Sender domain is not found </description>
- <description> (553: Requested action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3106" level="5">
- <if_sid>3101</if_sid>
- <match>reject=553 5.5.4 </match>
- <description>Sender address does not have domain </description>
- <description>(553: Requested action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3107" level="4">
- <if_sid>3101</if_sid>
- <description>Sendmail rejected message.</description>
- </rule>
-
- <rule id="3108" level="6">
- <if_sid>3100</if_sid>
- <match>rejecting commands from</match>
- <description>Sendmail rejected due to pre-greeting.</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3109" level="8">
- <if_sid>3100</if_sid>
- <match>savemail panic</match>
- <description>Sendmail save mail panic.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="3151" level="10" frequency="6" timeframe="120">
- <if_matched_sid>3102</if_matched_sid>
- <same_source_ip />
- <description>Sender domain has bogus MX record. </description>
- <description>It should not be sending e-mail.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3152" level="6" frequency="6" timeframe="120">
- <if_matched_sid>3103</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from a </description>
- <description>previously rejected sender (access).</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3153" level="6" frequency="6" timeframe="120">
- <if_matched_sid>3104</if_matched_sid>
- <same_source_ip />
- <description>Multiple relaying attempts of spam.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3154" level="10" frequency="6" timeframe="120">
- <if_matched_sid>3105</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail </description>
- <description>from invalid/unknown sender domain.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3155" level="10" frequency="6" timeframe="120">
- <if_matched_sid>3106</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from </description>
- <description>invalid/unknown sender.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3156" level="10" frequency="10" timeframe="120">
- <if_matched_sid>3107</if_matched_sid>
- <same_source_ip />
- <description>Multiple rejected e-mails from same source ip.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3158" level="10" frequency="6" timeframe="120">
- <if_matched_sid>3108</if_matched_sid>
- <same_source_ip />
- <description>Multiple pre-greetings rejects.</description>
- <group>multiple_spam,</group>
- </rule>
-
-
- <!-- Rules for SMF-SAV -->
- <rule id="3190" level="0">
- <decoded_as>smf-sav-reject</decoded_as>
- <description>Grouping of the smf-sav sendmail milter rules.</description>
- <group>smf-sav,</group>
- </rule>
-
- <rule id="3191" level="6">
- <if_sid>3190</if_sid>
- <match>^sender check failed|^sender check tempfailed</match>
- <description>SMF-SAV sendmail milter unable to verify </description>
- <description>address (REJECTED).</description>
- <group>smf-sav,spam,</group>
- </rule>
-
-</group> <!-- SYSLOG,SENDMAIL -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/smbd_rules.xml, 2011/09/08 dcid Exp $
-
- - Official SMB rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -
- - Test logs sent by: Kayvan A. Sylvan <kayvan at sylvan.com>
- -->
-
-<!-- Still BETA -->
-
-<group name="syslog,smbd,">
- <rule id="13100" level="0" noalert="1">
- <decoded_as>smbd</decoded_as>
- <description>Grouping for the smbd rules.</description>
- </rule>
-
- <rule id="13101" level="0">
- <if_sid>13100</if_sid>
- <match>getpeername failed. Error was Transport endpoint</match>
- <description>Samba network problems.</description>
- </rule>
-
- <rule id="13102" level="5">
- <if_sid>13100</if_sid>
- <match>Denied connection from|Connection denied from</match>
- <description>Samba connection denied.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="13103" level="0">
- <if_sid>13100</if_sid>
- <match>Connection reset by peer</match>
- <description>Samba network problems.</description>
- </rule>
-
- <rule id="13104" level="5">
- <if_sid>13100</if_sid>
- <match>Permission denied--</match>
- <description>User action denied by configuration.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="13105" level="3">
- <if_sid>13100</if_sid>
- <match>Unable to connect to CUPS server</match>
- <description>Samba network problems (unable to connect).</description>
- </rule>
-
- <rule id="13106" level="0" noalert="1">
- <decoded_as>nmbd</decoded_as>
- </rule>
-
- <rule id="13108" level="1">
- <if_sid>13100</if_sid>
- <match>smbd is already running</match>
- <description>An attempt has been made to start smbd but the process is already running.</description>
- </rule>
-
- <rule id="13109" level="1">
- <if_sid>13106</if_sid>
- <match>nmbd is already running</match>
- <description>An attempt has been made to start nmbd but the process is already running.</description>
- </rule>
-
- <rule id="13110" level="2">
- <if_sid>13100</if_sid>
- <match>Connection denied from</match>
- <description>Connection was denied.</description>
- </rule>
-
- <rule id="13111" level="3">
- <if_sid>13100</if_sid>
- <match>Socket is not connected</match>
- <description>Socket is not connected, write failed.</description>
- </rule>
-
- <rule id="13112" level="3">
- <decoded_as>iptables</decoded_as>
- <match>gvfsd-smb</match>
- <regex>segfault at \S+ ip \S+ sp \S+ error \d+ in</regex>
- <description>Segfault in gvfs-smb.</description>
- </rule>
-
-
-
-</group> <!-- SYSLOG,SMBD, -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/solaris_bsm_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Solaris BSM Auditing rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Solaris BSM Log messages -->
-<group name="syslog,solaris_bsm,">
- <rule id="6100" level="0">
- <decoded_as>solaris_bsm</decoded_as>
- <description>Solaris BSM Auditing messages grouped.</description>
- </rule>
-
- <rule id="6101" level="5">
- <if_sid>6100</if_sid>
- <status>^failed</status>
- <description>Auditing session failed.</description>
- </rule>
-
- <rule id="6102" level="0">
- <if_sid>6100</if_sid>
- <status>^ok</status>
- <description>Auditing session succeeded.</description>
- </rule>
-
- <rule id="6103" level="3">
- <if_sid>6102</if_sid>
- <match>^login</match>
- <description>Login session succeeded.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="6104" level="5">
- <if_sid>6101</if_sid>
- <match>^login</match>
- <description>Login session failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="6105" level="3">
- <if_sid>6102</if_sid>
- <match>^su </match>
- <description>User successfully changed UID.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="6106" level="5">
- <if_sid>6103</if_sid>
- <match>^su </match>
- <description>User failed to change UID (user id).</description>
- <group>authentication_failed,</group>
- </rule>
-</group> <!-- SOLARIS BSM -->
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/sonicwall_rules.xml, 2011/09/08 dcid Exp $
-
- - Official SonicWall rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- SonicWall Log messages -->
-<group name="syslog,sonicwall,">
- <rule id="4800" level="0">
- <decoded_as>sonicwall</decoded_as>
- <description>SonicWall messages grouped.</description>
- </rule>
-
- <rule id="4801" level="8">
- <if_sid>4800</if_sid>
- <status>^1</status>
- <description>SonicWall critical message.</description>
- </rule>
-
- <rule id="4802" level="8">
- <if_sid>4800</if_sid>
- <status>^2</status>
- <description>SonicWall critical message.</description>
- </rule>
-
- <rule id="4803" level="4">
- <if_sid>4800</if_sid>
- <status>^3</status>
- <description>SonicWall error message.</description>
- </rule>
-
- <rule id="4804" level="3">
- <if_sid>4800</if_sid>
- <status>^4</status>
- <description>SonicWall warning message.</description>
- </rule>
-
- <rule id="4805" level="0">
- <if_sid>4800</if_sid>
- <status>^5</status>
- <description>SonicWall notice message.</description>
- </rule>
-
- <rule id="4806" level="0">
- <if_sid>4800</if_sid>
- <status>^6</status>
- <description>SonicWall informational message.</description>
- </rule>
-
- <rule id="4807" level="0">
- <if_sid>4800</if_sid>
- <status>^7</status>
- <description>SonicWall debug message.</description>
- </rule>
-
- <rule id="4810" level="3">
- <if_sid>4806</if_sid>
- <id>^236$</id>
- <description>Firewall administrator login.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="4811" level="9">
- <if_sid>4801</if_sid>
- <id>^30$|^32$</id>
- <description>Firewall authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="4850" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>4804</if_matched_sid>
- <description>Multiple firewall warning messages.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="4851" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>4803</if_matched_sid>
- <description>Multiple firewall error messages.</description>
- <group>service_availability,</group>
- </rule>
-</group> <!-- SonicWall -->
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/spamd_rules.xml, 2011/09/08 dcid Exp $
-
- - Spamd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-<!-- STILL BETA -->
-
-<group name="syslog,spamd,">
- <rule id="3500" level="0" noalert="1">
- <match>^spamd</match>
- <description>Grouping for the spamd rules</description>
- </rule>
-
- <rule id="3501" level="0">
- <if_sid>3500</if_sid>
- <match>: result:</match>
- <description>SPAMD result message (not very usefull here).</description>
- </rule>
-
- <rule id="3502" level="0">
- <if_sid>3500</if_sid>
- <match> checking message | processing message </match>
- <description>Spamd debug event (reading message).</description>
- </rule>
-</group> <!-- SYSLOG,SPAMD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/squid_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Squid rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -
- - Contributed by: Ahmet Ozturk
- -->
-
-
-<!-- More information about squid codes below:
- - http://www.uniar.ukrnet.net/tools/Squid-FAQ/FAQ-6.html
- -->
-
-
-<!-- Squid frequency -->
-<var name="SQUID_FREQ">8</var>
-
-
-<group name="squid,">
- <rule id="35000" level="0">
- <category>squid</category>
- <description>Squid messages grouped.</description>
- </rule>
-
- <!-- Pre-rule with all the 400 error codes.
- - This will make searching faster for most
- - of the traffic.
- -->
-
- <rule id="35002" level="4">
- <if_sid>35000</if_sid>
- <id>^4|^5|^6</id>
- <description>Squid generic error codes.</description>
- </rule>
-
- <rule id="35003" level="5">
- <if_sid>35002</if_sid>
- <id>^400</id>
- <description>Bad request/Invalid syntax.</description>
- </rule>
-
- <rule id="35004" level="5">
- <if_sid>35002</if_sid>
- <id>^401</id>
- <description>Unauthorized: Failed attempt to access </description>
- <description>authorization-required file or directory.</description>
- </rule>
-
- <rule id="35005" level="5">
- <if_sid>35002</if_sid>
- <id>^403</id>
- <description>Forbidden: Attempt to access forbidden file </description>
- <description>or directory.</description>
- </rule>
-
- <rule id="35006" level="5">
- <if_sid>35002</if_sid>
- <id>^404</id>
- <description>Not Found: Attempt to access non-existent </description>
- <description>file or directory.</description>
- </rule>
-
- <rule id="35007" level="5">
- <if_sid>35002</if_sid>
- <id>^407</id>
- <description>Proxy Authentication Required: User is not </description>
- <description>authorized to use proxy.</description>
- </rule>
-
- <rule id="35008" level="5">
- <if_sid>35002</if_sid>
- <id>^4</id>
- <description>Squid 400 error code (request failed).</description>
- </rule>
-
- <rule id="35009" level="5">
- <if_sid>35002</if_sid>
- <id>^5|^6</id>
- <description>Squid 500/600 error code (server error).</description>
- </rule>
-
- <rule id="35010" level="4">
- <if_sid>35009</if_sid>
- <id>^503</id>
- <description>Squid 503 error code (server unavailable).</description>
- </rule>
-
- <!-- Special rules for 403/404 errors -->
- <rule id="35021" level="6">
- <if_sid>35006</if_sid>
- <url>blst.php|xxx3.php|ngr7.php|ngr2.php|/nul.php$|/mul.php$|/444.php</url>
- <description>Attempt to access a Beagle worm (or variant) </description>
- <description>file.</description>
- <info type="link">http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html</info>
- <info type="text">W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer.</info>
- <group>automatic_attack,</group>
- </rule>
-
- <!-- Other worms -->
- <rule id="35022" level="6">
- <if_sid>35006</if_sid>
- <url>/jk/exp.wmf$|/PopupSh.ocx$</url>
- <description>Attempt to access a worm/trojan related site.</description>
- <group>automatic_attack,</group>
- </rule>
-
- <!-- Ignoring google earth, ms web site access and some other
- - common extensions to cause false positives (specially anti virus).
- - It includes most of the time bugs on IE that always
- - access these pages (causing 403/404 errors).
- -->
- <rule id="35023" level="0">
- <if_sid>35004, 35005, 35006, 35009</if_sid>
- <url>.jpg|.gif|favicon.ico$|.png$|.swf|.txt$|.zip|.css|.xml|.js|.bmp$|</url>
- <url>windowsupdate/redir/wuredir.cab|</url>
- <url>^http://codecs.microsoft.com/isapi/ocget.dll|</url>
- <url>^http://activex.microsoft.com/objects/ocget.dll|</url>
- <url>^http://webmessenger.msn.com/session/null|</url>
- <url>^http://sqm.msn.com/sqm/wmp/sqmserver.dll|</url>
- <url>^http://config.messenger.msn.com/Config/MsgrConfig.asmx|</url>
- <url>kaspersky-labs.com/|</url>
- <url>^http://liveupdate.symantecliveupdate.com/|</url>
- <url>_vti_bin/owssvr.dll|MSOffice/cltreq.asp|</url>
- <url>google.com/mt?|</url>
- <url>google.com/kh?|</url>
- <url>^http://kh.google.com/flatfile</url>
-
- <!-- Add more extensions to be ignored in here.
- <url>|.html$|.htm</url>
- -->
-
- <description>Ignored files on a 40x error.</description>
- </rule>
-
- <!-- Context relevant rules (correlated) -->
- <rule id="35051" level="10" frequency="$SQUID_FREQ" timeframe="120">
- <if_matched_sid>35005</if_matched_sid>
- <same_source_ip />
- <different_url />
- <description>Multiple attempts to access forbidden file </description>
- <description>or directory from same source ip.</description>
- </rule>
-
- <rule id="35052" level="10" frequency="$SQUID_FREQ" timeframe="120">
- <if_matched_sid>35007</if_matched_sid>
- <same_source_ip />
- <description>Multiple unauthorized attempts to use proxy.</description>
- </rule>
-
- <rule id="35053" level="10" frequency="$SQUID_FREQ" timeframe="120">
- <if_matched_sid>35003</if_matched_sid>
- <same_source_ip />
- <different_url />
- <description>Multiple Bad requests/Invalid syntax.</description>
- </rule>
-
- <rule id="35054" level="12" frequency="$SQUID_FREQ" timeframe="240">
- <if_matched_sid>35021</if_matched_sid>
- <same_source_ip />
- <description>Infected machine with W32.Beagle.DP.</description>
- <info type="link">http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html</info>
- <info type="text">W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer.</info>
- </rule>
-
- <rule id="35055" level="10" frequency="$SQUID_FREQ" timeframe="90">
- <if_matched_sid>35006</if_matched_sid>
- <same_source_ip />
- <different_url />
- <description>Multiple attempts to access a non-existent file.</description>
- </rule>
-
- <rule id="35056" level="12" frequency="$SQUID_FREQ" timeframe="240">
- <if_matched_sid>35022</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to access a worm/trojan/virus </description>
- <description>related web site. System probably infected.</description>
- </rule>
-
- <rule id="35057" level="10" frequency="$SQUID_FREQ" timeframe="240">
- <if_matched_sid>35008</if_matched_sid>
- <same_source_ip />
- <different_url />
- <description>Multiple 400 error codes (requests failed).</description>
- </rule>
-
- <rule id="35058" level="10" frequency="$SQUID_FREQ" timeframe="240">
- <if_matched_sid>35009</if_matched_sid>
- <same_source_ip />
- <different_url />
- <description>Multiple 500/600 error codes (server error).</description>
- </rule>
-
- <rule id="35095" level="0" frequency="2" timeframe="360">
- <if_matched_sid>35055</if_matched_sid>
- <same_source_ip />
- <description>Ignoring multiple attempts from same source ip</description>
- <description> (alert only once).</description>
- </rule>
-
-</group> <!-- ACCESSLOG,SQUID -->
-
-<!-- EOF -->
-
+++ /dev/null
-<!-- @(#) $Id: sshd_rules.xml,v 1.22 2010/12/19 14:50:14 ddp Exp $
- - Official SSHD rules for OSSEC.
- -
- - Copyright (C) 2009-2011 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- SSHD messages -->
-<group name="syslog,sshd,">
- <rule id="5700" level="0" noalert="1">
- <decoded_as>sshd</decoded_as>
- <description>SSHD messages grouped.</description>
- </rule>
-
- <rule id="5701" level="8">
- <if_sid>5700</if_sid>
- <match>Bad protocol version identification</match>
- <description>Possible attack on the ssh server </description>
- <description>(or version gathering).</description>
- </rule>
-
- <rule id="5702" level="5">
- <if_sid>5700</if_sid>
- <match>^reverse mapping</match>
- <regex>failed - POSSIBLE BREAK</regex>
- <description>Reverse lookup error (bad ISP or attack).</description>
- </rule>
-
- <rule id="5703" level="10" frequency="4" timeframe="360">
- <if_matched_sid>5702</if_matched_sid>
- <description>Possible breakin attempt </description>
- <description>(high number of reverse lookup errors).</description>
- </rule>
-
- <rule id="5704" level="4">
- <if_sid>5700</if_sid>
- <match>fatal: Timeout before authentication for</match>
- <description>Timeout while logging in (sshd).</description>
- </rule>
-
- <rule id="5705" level="10" frequency="4" timeframe="360">
- <if_matched_sid>5704</if_matched_sid>
- <description>Possible scan or breakin attempt </description>
- <description>(high number of login timeouts).</description>
- </rule>
-
- <rule id="5706" level="6">
- <if_sid>5700</if_sid>
- <match>Did not receive identification string from</match>
- <description>SSH insecure connection attempt (scan).</description>
- <group>recon,</group>
- </rule>
-
- <rule id="5707" level="14">
- <if_sid>5700</if_sid>
- <match>fatal: buffer_get_string: bad string</match>
- <description>OpenSSH challenge-response exploit.</description>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="5709" level="0">
- <if_sid>5700</if_sid>
- <match>error: Could not get shadow information for NOUSER|</match>
- <match>fatal: Read from socket failed: |error: ssh_msg_send: write|</match>
- <match>^syslogin_perform_logout: |^pam_succeed_if(sshd:auth): error retrieving information about user|can't verify hostname: getaddrinfo</match>
- <description>Useless SSHD message without an user/ip and context.</description>
- </rule>
-
- <rule id="5710" level="5">
- <if_sid>5700</if_sid>
- <match>illegal user|invalid user</match>
- <description>Attempt to login using a non-existent user</description>
- <group>invalid_login,authentication_failed,</group>
- </rule>
-
- <rule id="5711" level="0">
- <if_sid>5700</if_sid>
- <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
- <match>input_userauth_request: invalid user|</match>
- <match>PAM: User not known to the underlying authentication module for illegal user|</match>
- <match>error retrieving information about user</match>
- <description>Useless/Duplicated SSHD message without a user/ip.</description>
- </rule>
-
- <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>5710</if_matched_sid>
- <description>SSHD brute force trying to get access to </description>
- <description>the system.</description>
- <same_source_ip />
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="5713" level="6">
- <if_sid>5700</if_sid>
- <match>Corrupted check bytes on</match>
- <description>Corrupted bytes on SSHD.</description>
- </rule>
-
- <rule id="5714" level="14" timeframe="120" frequency="1">
- <if_matched_sid>5713</if_matched_sid>
- <match>Local: crc32 compensation attack</match>
- <description>SSH CRC-32 Compensation attack</description>
- <info type="cve">2001-0144</info>
- <info type="link">http://www.securityfocus.com/bid/2347/info/</info>
- <group>exploit_attempt,</group>
- </rule>
-
- <rule id="5715" level="3">
- <if_sid>5700</if_sid>
- <match>^Accepted|authenticated.$</match>
- <description>SSHD authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="5716" level="5">
- <if_sid>5700</if_sid>
- <match>^Failed|^error: PAM: Authentication</match>
- <description>SSHD authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="5717" level="4">
- <if_sid>5700</if_sid>
- <match>error: Bad prime description in line</match>
- <description>SSHD configuration error (moduli).</description>
- </rule>
-
- <rule id="5718" level="5">
- <if_sid>5700</if_sid>
- <match>not allowed because</match>
- <description>Attempt to login using a denied user.</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>5718</if_matched_sid>
- <description>Multiple access attempts using a denied user.</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="5720" level="10" frequency="6">
- <if_matched_sid>5716</if_matched_sid>
- <same_source_ip />
- <description>Multiple SSHD authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="5721" level="0">
- <if_sid>5700</if_sid>
- <match>Received disconnect from</match>
- <description>System disconnected from sshd.</description>
- </rule>
-
- <rule id="5722" level="0">
- <if_sid>5700</if_sid>
- <match>Connection closed</match>
- <description>ssh connection closed.</description>
- </rule>
-
- <rule id="5723" level="0">
- <if_sid>5700</if_sid>
- <match>error: buffer_get_bignum2_ret: negative numbers not supported</match>
- <info>This maybe a bad key in authorized_keys.</info>
- <description>SSHD key error.</description>
- </rule>
-
- <rule id="5724" level="0">
- <if_sid>5700</if_sid>
- <match>fatal: buffer_get_bignum2: buffer error</match>
- <info>This error may relate to ssh key handling.</info>
- <description>SSHD key error.</description>
- </rule>
-
- <rule id="5725" level="0">
- <if_sid>5700</if_sid>
- <match>fatal: Write failed: Host is down</match>
- <description>Host ungracefully disconnected.</description>
- </rule>
-
- <rule id="5726" level="5">
- <if_sid>5700</if_sid>
- <match>error: PAM: Module is unknown for</match>
- <description>Unknown PAM module, PAM misconfiguration.</description>
- </rule>
-
- <rule id="5727" level="0">
- <if_sid>5700</if_sid>
- <match>failed: Address already in use.</match>
- <description>Attempt to start sshd when something already bound to the port.</description>
- </rule>
-
- <rule id="5728" level="4">
- <if_sid>5700</if_sid>
- <match>Authentication service cannot retrieve user credentials</match>
- <info>May be related to PAM module errors.</info>
- <description>Authentication services were not able to retrieve user credentials.</description>
- <group>authentication_failed</group>
- </rule>
-
- <rule id="5729" level="0">
- <if_sid>5700</if_sid>
- <match>debug1: attempt</match>
- <description>Debug message.</description>
- </rule>
-
- <rule id="5730" level="4">
- <if_sid>5700</if_sid>
- <regex>error: connect to \S+ port \d+ failed: Connection refused</regex>
- <description>SSHD is not accepting connections.</description>
- </rule>
-
- <rule id="5731" level="6">
- <if_sid>5700</if_sid>
- <match>AKASSH_Version_Mapper1.</match>
- <description>SSH Scanning.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="5732" level="0">
- <if_sid>5700</if_sid>
- <match>error: connect_to </match>
- <description>Possible port forwarding failure.</description>
- </rule>
-
- <rule id="5733" level="0">
- <if_sid>5700</if_sid>
- <match>Invalid credentials</match>
- <description>User entered incorrect password.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="5734" level="0">
- <if_sid>5700</if_sid>
- <match>Could not load host key</match>
- <description>sshd could not load one or more host keys.</description>
- <info>This may be related to an upgrade to OpenSSH.</info>
- </rule>
-
- <rule id="5735" level="0">
- <if_sid>5700</if_sid>
- <match>Write failed: Broken pipe</match>
- <description>Failed write due to one host disappearing.</description>
- </rule>
-
- <rule id="5736" level="0">
- <if_sid>5700</if_sid>
- <match>^error: setsockopt SO_KEEPALIVE: Connection reset by peer$|</match>
- <match>^error: accept: Software caused connection abort$</match>
- <description>Connection reset or aborted.</description>
- </rule>
-
- <rule id="5737" level="5">
- <if_sid>5700</if_sid>
- <match>^fatal: Cannot bind any address.$</match>
- <description>sshd cannot bind to configured address.</description>
- </rule>
-
- <rule id="5738" level="5">
- <if_sid>5700</if_sid>
- <match>set_loginuid failed opening loginuid$</match>
- <description>pam_loginuid could not open loginuid.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="5739" level="4">
- <if_sid>5700</if_sid>
- <match>^error: Could not stat AuthorizedKeysCommand</match>
- <description>SSHD configuration error (AuthorizedKeysCommand)</description>
- </rule>
-
- <rule id="5740" level="4">
- <if_sid>5700</if_sid>
- <match>Connection reset by peer$</match>
- <description>ssh connection reset by peer</description>
- </rule>
-
- <rule id="5741" level="4">
- <if_sid>5700</if_sid>
- <match>Connection refused$</match>
- <description>ssh connection refused</description>
- </rule>
-
- <rule id="5742" level="4">
- <if_sid>5700</if_sid>
- <match>Connection timed out$</match>
- <description>ssh connection timed out</description>
- </rule>
-
- <rule id="5743" level="4">
- <if_sid>5700</if_sid>
- <match>No route to host$</match>
- <description>ssh no route to host</description>
- </rule>
-
- <rule id="5744" level="4">
- <if_sid>5700</if_sid>
- <match>failure direct-tcpip$</match>
- <description>ssh port forwarding issue</description>
- </rule>
-
- <rule id="5745" level="4">
- <if_sid>5700</if_sid>
- <match>Transport endpoint is not connected$</match>
- <description>ssh transport endpoint is not connected</description>
- </rule>
-
- <rule id="5746" level="4">
- <if_sid>5700</if_sid>
- <match>get_remote_port failed$</match>
- <description>ssh get_remote_port failed</description>
- </rule>
-
- <!-- http://www.gossamer-threads.com/lists/openssh/users/47438 -->
- <rule id="5747" level="6">
- <if_sid>5700</if_sid>
- <match>bad client public DH value</match>
- <description>ssh bad client public DH value</description>
- </rule>
-
- <!-- log sample with context:
- Nov 22 19:24:52 server sshd[4045]: Connection from 117.117.198.5 port 60304
- Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input.
- Nov 22 19:25:15 server sshd[4046]: Connection closed by 117.117.198.5
- -->
- <rule id="5748" level="6">
- <if_sid>5700</if_sid>
- <match>Corrupted MAC on input.</match>
- <description>ssh corrupted MAC on input</description>
- </rule>
-
- <rule id="5749" level="4">
- <if_sid>5700</if_sid>
- <match>^Bad packet length</match>
- <description>ssh bad packet length</description>
- </rule>
-
- <rule id="5750" level="0">
- <decoded_as>sshd</decoded_as>
- <if_sid>5700</if_sid>
- <match>Unable to negotiate with |Unable to negotiate a key</match>
- <description>sshd could not negotiate with client.</description>
- </rule>
-
- <rule id="5751" level="1">
- <decoded_as>sshd</decoded_as>
- <if_sid>5700</if_sid>
- <match>no hostkey alg [preauth]</match>
- <description>No hostkey alg.</description>
- </rule>
-
- <rule id="5752" level="2">
- <if_sid>5750</if_sid>
- <match>no matching key exchange method found.|Unable to negotiate a key exchange method</match>
- <description>Client did not offer an acceptable key exchange method.</description>
- </rule>
-
- <rule id="5753" level="2">
- <if_sid>5750</if_sid>
- <match>no matching cipher found.</match>
- <description>sshd could not negotiate with client, no matching cipher.</description>
- </rule>
-
- <rule id="5754" level="1">
- <if_sid>5700</if_sid>
- <match>Failed to create session: </match>
- <description>sshd failed to create a session.</description>
- </rule>
-
- <rule id="5755" level="2">
- <if_sid>5700</if_sid>
- <match>bad ownership or modes for file</match>
- <description>Authentication refused due to owner/permissions of authorized_keys.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="5756" level="0">
- <if_sid>5700</if_sid>
- <match> failed, subsystem not found$</match>
- <description>sshd subsystem request failed.</description>
- </rule>
-
- <rule id="5757" level="0">
- <decoded_as>sshd</decoded_as>
- <match>but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$</match>
- <description>Bad DNS mapping.</description>
- </rule>
-
- <rule id="5758" level="8">
- <decoded_as>sshd</decoded_as>
- <match>^error: maximum authentication attempts exceeded </match>
- <description>Maximum authentication attempts exceeded.</description>
- <group>authentication_failed,</group>
- </rule>
-
-</group> <!-- SYSLOG, SSHD -->
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/symantec-av_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Symantec AV rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- For more info:
- - http://www.ossec.net/wiki/index.php/Symantec_Antivirus
- - Data submited by:
- -->
-
-
-<group name="symantec,">
- <rule id="7300" level="0">
- <decoded_as>symantec-av</decoded_as>
- <description>Grouping of Symantec AV rules.</description>
- </rule>
-
- <rule id="7301" level="0">
- <category>windows</category>
- <extra_data>^Symantec AntiVirus</extra_data>
- <description>Grouping of Symantec AV rules from eventlog.</description>
- </rule>
-
- <rule id="7310" level="9">
- <if_sid>7300, 7301</if_sid>
- <id>^5$|^17$</id>
- <group>virus</group>
- <description>Virus detected.</description>
- </rule>
-
- <rule id="7320" level="3">
- <if_sid>7300, 7301</if_sid>
- <id>^2$|^3$|^4$|^13$</id>
- <description>Virus scan updated,started or stopped.</description>
- </rule>
-
-</group> <!-- symantec -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/symantec-ws_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Symantec Web Security rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- For more info:
- - http://www.ossec.net/wiki/index.php/Symantec_WebSecurity
- - Data submited by: Michael Starks
- -->
-
-<!-- Still BETA -->
-
-<group name="symantec,">
- <rule id="7400" level="0">
- <decoded_as>symantec-websecurity</decoded_as>
- <description>Grouping of Symantec Web Security rules.</description>
- </rule>
-
- <rule id="7410" level="5">
- <if_sid>7400</if_sid>
- <id>^3=2,2=1</id>
- <description>Login failed accessing the web proxy.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="7415" level="3">
- <if_sid>7400</if_sid>
- <id>^3=1,2=1</id>
- <description>Login success accessing the web proxy.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="7420" level="3">
- <if_sid>7415</if_sid>
- <user>virtadmin</user>
- <description>Admin Login success to the web proxy.</description>
- <group>authentication_success,</group>
- </rule>
-
- <!-- Example alerting using the url (event id 2=27 is for web access
- <rule id="7425" level="3">
- <if_sid>7400</if_sid>
- <id>^2=27</id>
- <description>Web access message.</description>
- <url>abc.exe</url>
- </rule>
-
- -->
-
-</group> <!-- symantec -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
- - Official Generic Syslog rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Default variables for the SYSLOG rules. -->
-
-<!-- Bad words matching. Any log containing these messages
- - will be triggered.
- -->
-<var name="BAD_WORDS">core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
-
-
-<!-- Syslog errors. -->
-<group name="syslog,errors,">
- <rule id="1001" level="2">
- <match>^Couldn't open /etc/securetty</match>
- <description>File missing. Root access unrestricted.</description>
- </rule>
-
- <rule id="1002" level="2">
- <match>$BAD_WORDS</match>
- <options>alert_by_email</options>
- <description>Unknown problem somewhere in the system.</description>
- </rule>
-
- <rule id="1003" level="13" maxsize="1025">
- <description>Non standard syslog message (size too large).</description>
- </rule>
-
- <rule id="1004" level="5">
- <match>^exiting on signal</match>
- <description>Syslogd exiting (logging stopped).</description>
- </rule>
-
- <rule id="1005" level="5">
- <program_name>syslogd</program_name>
- <match>^restart</match>
- <description>Syslogd restarted.</description>
- </rule>
-
- <rule id="1006" level="5">
- <regex>^syslogd \S+ restart</regex>
- <description>Syslogd restarted.</description>
- </rule>
-
- <rule id="1007" level="7">
- <match>file system full|No space left on device</match>
- <description>File system full.</description>
- <group>low_diskspace,</group>
- </rule>
-
- <rule id="1008" level="5">
- <match>killed by SIGTERM</match>
- <description>Process exiting (killed).</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="1009" level="0">
- <if_sid>1002</if_sid>
- <match>terminated without error|can't verify hostname: getaddrinfo|</match>
- <match>PPM exceeds tolerance</match>
- <description>Ignoring known false positives on rule 1002..</description>
- </rule>
-
- <rule id="1010" level="5">
- <match>segfault at </match>
- <description>Process segfaulted.</description>
- <group>service_availability,</group>
- </rule>
-</group> <!-- SYSLOG,ERRORS -->
-
-
-
-<!-- NFS messages -->
-<group name="syslog,nfs,">
- <!-- XXX All These NFS rules need to be fixed. -->
- <rule id="2100" level="0" noalert="1">
- <program_name>^automount|^mount</program_name>
- <description>NFS rules grouped.</description>
- </rule>
-
- <rule id="2101" level="4">
- <if_sid>2100</if_sid>
- <match>nfs: mount failure</match>
- <description>Unable to mount the NFS share.</description>
- </rule>
-
- <rule id="2102" level="4">
- <if_sid>2100</if_sid>
- <match>reason given by server: Permission denied</match>
- <description>Unable to mount the NFS directory.</description>
- </rule>
-
- <rule id="2103" level="4">
- <match>^rpc.mountd: refused mount request from</match>
- <description>Unable to mount the NFS directory.</description>
- </rule>
-
- <rule id="2104" level="2">
- <if_sid>2100</if_sid>
- <regex>lookup for \S+ failed</regex>
- <description>Automount informative message</description>
- </rule>
-</group> <!-- SYSLOG,NFS -->
-
-
-
-<!-- xinetd messages -->
-<group name="syslog,xinetd,">
- <rule id="2301" level="10">
- <match>^Deactivating service </match>
- <description>Excessive number connections to a service.</description>
- </rule>
-</group> <!-- SYSLOG,XINETD -->
-
-
-
-<!-- Access control messages -->
-<group name="syslog,access_control,">
- <rule id="2501" level="5">
- <match>FAILED LOGIN |authentication failure|</match>
- <match>Authentication failed for|invalid password for|</match>
- <match>LOGIN FAILURE|auth failure: |authentication error|</match>
- <match>authinternal failed|Failed to authorize|</match>
- <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
- <match>Failed to authenticate user</match>
- <group>authentication_failed,</group>
- <description>User authentication failure.</description>
- </rule>
-
- <rule id="2502" level="10">
- <match>more authentication failures;|REPEATED login failures</match>
- <description>User missed the password more than one time</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="2503" level="5">
- <regex>^refused connect from|</regex>
- <regex>^libwrap refused connection|</regex>
- <regex>Connection from \S+ denied</regex>
- <description>Connection blocked by Tcp Wrappers.</description>
- <group>access_denied,</group>
- </rule>
-
- <rule id="2504" level="9">
- <match>ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED</match>
- <description>Illegal root login. </description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="2505" level="3">
- <match>^ROOT LOGIN on</match>
- <description>Physical root login.</description>
- </rule>
-
- <rule id="2506" level="3">
- <match>^Authentication passed</match>
- <description>Pop3 Authentication passed.</description>
- </rule>
-
- <rule id="2507" level="0">
- <decoded_as>openldap</decoded_as>
- <description>OpenLDAP group.</description>
- </rule>
-
- <rule id="2508" level="3">
- <if_sid>2507</if_sid>
- <match>ACCEPT from</match>
- <description>OpenLDAP connection open.</description>
- </rule>
-
- <rule id="2509" level="5" timeframe="10" frequency="0">
- <if_sid>2507</if_sid>
- <if_matched_sid>2508</if_matched_sid>
- <same_id />
- <match>RESULT tag=97 err=49</match>
- <description>OpenLDAP authentication failed.</description>
- </rule>
-
-</group> <!-- SYSLOG,ACESSCONTROL -->
-
-
-
-<!-- rshd -->
-<group name="syslog,access_control,">
- <rule id="2550" level="0" noalert="1">
- <decoded_as>rshd</decoded_as>
- <description>rshd messages grouped.</description>
- </rule>
-
- <rule id="2551" level="10">
- <if_sid>2550</if_sid>
- <regex>^Connection from \S+ on illegal port$</regex>
- <description>Connection to rshd from unprivileged port. Possible network scan.</description>
- <group>connection_attempt,</group>
- </rule>
-</group>
-
-
-
-<!-- Mail/Procmail messages -->
-<group name="syslog,mail,">
- <rule id="2701" level="0">
- <program_name>^procmail</program_name>
- <description>Ignoring procmail messages.</description>
- </rule>
-</group> <!-- SYSLOG,SENDMAIL -->
-
-
-
-<!-- Smartd messages -->
-<group name="syslog,smartd,">
- <rule id="2800" level="0" noalert="1">
- <program_name>^smart</program_name>
- <description>Pre-match rule for smartd.</description>
- </rule>
-
- <rule id="2801" level="0">
- <if_sid>2800</if_sid>
- <match>No configuration file /etc/smartd.conf found</match>
- <description>Smartd Started but not configured</description>
- </rule>
-
- <rule id="2802" level="0">
- <if_sid>2800</if_sid>
- <match>Unable to register ATA device</match>
- <description>Smartd configuration problem</description>
- </rule>
-
- <rule id="2803" level="0">
- <if_sid>2800</if_sid>
- <match>No such device or address</match>
- <description>Device configured but not available to Smartd</description>
- </rule>
-</group> <!-- SYSLOG,SMARTD -->
-
-
-
-<!-- Linux Kernel messages -->
-<group name="syslog,linuxkernel,">
- <rule id="5100" level="0" noalert="1">
- <program_name>^kernel</program_name>
- <description>Pre-match rule for kernel messages</description>
- </rule>
-
- <rule id="5101" level="0">
- <if_sid>5100</if_sid>
- <match>PCI: if you experience problems, try using option</match>
- <description>Informative message from the kernel.</description>
- </rule>
-
- <rule id="5102" level="0">
- <if_sid>5100</if_sid>
- <match>modprobe: Can't locate module sound</match>
- <description>Informative message from the kernel</description>
- </rule>
-
- <rule id="5103" level="9">
- <if_sid>5100</if_sid>
- <match>Oversized packet received from</match>
- <description>Error message from the kernel. </description>
- <description>Ping of death attack.</description>
- </rule>
-
- <rule id="5104" level="8">
- <if_sid>5100</if_sid>
- <regex>Promiscuous mode enabled|</regex>
- <regex>device \S+ entered promiscuous mode</regex>
- <description>Interface entered in promiscuous(sniffing) mode.</description>
- <group>promisc,</group>
- </rule>
-
- <rule id="5105" level="0">
- <if_sid>5100</if_sid>
- <match>end_request: I/O error, dev fd0, sector 0|</match>
- <match>Buffer I/O error on device fd0, logical block 0</match>
- <description>Invalid request to /dev/fd0 (bug on the kernel).</description>
- </rule>
-
- <rule id="5106" level="0">
- <if_sid>5100</if_sid>
- <match>svc: unknown program 100227 (me 100003)</match>
- <description>NFS incompatibility between Linux and Solaris.</description>
- </rule>
-
- <rule id="5107" level="0">
- <if_sid>5100</if_sid>
- <match>svc: bad direction </match>
- <description>NFS incompatibility between Linux and Solaris.</description>
- </rule>
-
- <rule id="5108" level="12">
- <if_sid>5100</if_sid>
- <match>Out of Memory: </match>
- <description>System running out of memory. </description>
- <description>Availability of the system is in risk.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="5109" level="4">
- <if_sid>5100</if_sid>
- <match>I/O error: dev |end_request: I/O error, dev</match>
- <description>Kernel Input/Output error</description>
- </rule>
-
- <rule id="5110" level="4">
- <if_sid>5100</if_sid>
- <match>Forged DCC command from</match>
- <description>IRC misconfiguration</description>
- </rule>
-
- <rule id="5111" level="0">
- <if_sid>5100</if_sid>
- <match>ipw2200: Firmware error detected.| ACPI Error</match>
- <description>Kernel device error.</description>
- </rule>
-
- <rule id="5112" level="0">
- <if_sid>5100</if_sid>
- <match>usbhid: probe of</match>
- <description>Kernel usbhid probe error (ignored).</description>
- </rule>
-
- <rule id="5113" level="7">
- <if_sid>5100</if_sid>
- <match>Kernel log daemon terminating</match>
- <group>system_shutdown,</group>
- <description>System is shutting down.</description>
- </rule>
-
- <rule id="5130" level="7">
- <if_sid>5100</if_sid>
- <match>ADSL line is down</match>
- <description>Monitor ADSL line is down.</description>
- </rule>
-
- <rule id="5131" level="3">
- <if_sid>5100</if_sid>
- <match>ADSL line is up</match>
- <description>Monitor ADSL line is up.</description>
- </rule>
-
- <rule id="5200" level="0">
- <match>^hpiod: unable to ParDevice</match>
- <description>Ignoring hpiod for producing useless logs.</description>
- </rule>
-</group> <!-- SYSLOG,LINUXKERNEL -->
-
-
-
-<!-- Cron messages -->
-<group name="syslog,cron,">
- <rule id="2830" level="0">
- <program_name>crond|crontab</program_name>
- <description>Crontab rule group.</description>
- </rule>
-
- <rule id="2831" level="0">
- <if_sid>2830</if_sid>
- <match>^unable to exec</match>
- <description>Wrong crond configuration</description>
- </rule>
-
- <rule id="2834" level="5">
- <if_sid>2830</if_sid>
- <match>BEGIN EDIT</match>
- <description>Crontab opened for editing.</description>
- </rule>
-
- <rule id="2832" level="5">
- <if_sid>2830</if_sid>
- <match>REPLACE</match>
- <description>Crontab entry changed.</description>
- </rule>
-
- <rule id="2833" level="8">
- <if_sid>2832</if_sid>
- <match>^(root)</match>
- <description>Root's crontab entry changed.</description>
- </rule>
-
-</group> <!-- SYSLOG,CRON -->
-
-
-
-<!-- Su messages -->
-<group name="syslog, su,">
- <rule id="5300" level="0" noalert="1">
- <decoded_as>su</decoded_as>
- <description>Initial grouping for su messages.</description>
- </rule>
-
- <rule id="5301" level="5">
- <if_sid>5300</if_sid>
- <match>authentication failure; |failed|BAD su|^-</match>
- <description>User missed the password to change UID (user id).</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="5302" level="9">
- <if_sid>5301</if_sid>
- <user>^root</user>
- <description>User missed the password to change UID to root.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="5303" level="3">
- <if_sid>5300</if_sid>
- <regex>session opened for user root|^'su root'|</regex>
- <regex>^+ \S+ \S+\proot$|^\S+ to root on|^SU \S+ \S+ + \S+ \S+-root$</regex>
- <description>User successfully changed UID to root.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="5304" level="3">
- <if_sid>5300</if_sid>
- <regex>session opened for user|succeeded for|</regex>
- <regex>^+|^\S+ to |^SU \S+ \S+ + </regex>
- <description>User successfully changed UID.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="5305" level="4">
- <if_sid>5303, 5304</if_sid>
- <if_fts></if_fts>
- <options>alert_by_email</options>
- <description>First time (su) is executed by user.</description>
- </rule>
-
- <rule id="5306" level="0">
- <if_sid>5300</if_sid>
- <match>unknown class</match>
- <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
- <description>A user has attempted to su to an unknown class.</description>
- </rule>
-
-</group> <!-- SYSLOG,SU -->
-
-
-
-<!-- Tripwire messages -->
-<group name="syslog,tripwire,">
- <rule id="7101" level="8">
- <match>Integrity Check failed: File could not</match>
- <description>Problems with the tripwire checking</description>
- </rule>
-</group> <!-- SYSLOG,TRIPWIRE -->
-
-
-
-<!-- Adduser messages -->
-<group name="syslog,adduser">
- <rule id="5901" level="8">
- <match>^new group</match>
- <description>New group added to the system</description>
- </rule>
-
- <rule id="5902" level="8">
- <match>^new user|^new account added</match>
- <description>New user added to the system</description>
- </rule>
-
- <rule id="5903" level="2">
- <match>^delete user|^account deleted|^remove group</match>
- <description>Group (or user) deleted from the system</description>
- </rule>
-
- <rule id="5904" level="8">
- <match>^changed user</match>
- <description>Information from the user was changed</description>
- </rule>
-
- <rule id="5905" level="0">
- <program_name>useradd</program_name>
- <match>failed adding user </match>
- <description>useradd failed.</description>
- </rule>
-
-</group> <!-- SYSLOG,ADDUSER -->
-
-
-
-<!-- Sudo messages -->
-<group name="syslog,sudo">
- <rule id="5400" level="0" noalert="1">
- <decoded_as>sudo</decoded_as>
- <description>Initial group for sudo messages</description>
- </rule>
-
- <rule id="5401" level="5">
- <if_sid>5400</if_sid>
- <match>incorrect password attempt</match>
- <description>Failed attempt to run sudo</description>
- </rule>
-
- <rule id="5402" level="3">
- <if_sid>5400</if_sid>
- <regex> ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=</regex>
- <description>Successful sudo to ROOT executed</description>
- </rule>
-
- <rule id="5403" level="4">
- <if_sid>5400</if_sid>
- <options>alert_by_email</options>
- <if_fts></if_fts>
- <description>First time user executed sudo.</description>
- </rule>
-
- <rule id="5404" level="10">
- <if_sid>5401</if_sid>
- <match>3 incorrect password attempts</match>
- <description>Three failed attempts to run sudo</description>
- </rule>
-
- <rule id="5405" level="5">
- <if_sid>5400</if_sid>
- <match>user NOT in sudoers</match>
- <description>Unauthorized user attempted to use sudo.</description>
- </rule>
-
-</group> <!-- SYSLOG, SUDO -->
-
-
-<!-- PPTP messages -->
-<group name="syslog,pptp">
- <rule id="9100" level="0" noalert="1">
- <program_name>^pptpd</program_name>
- <description>PPTPD messages grouped</description>
- </rule>
-
- <rule id="9101" level="0">
- <if_sid>9100</if_sid>
- <regex>^GRE: \S+ from \S+ failed: status = -1 </regex>
- <description>PPTPD failed message (communication error)</description>
- <info type="link">http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
- </rule>
-
- <rule id="9102" level="0">
- <if_sid>9100</if_sid>
- <match>^tcflush failed: Bad file descriptor</match>
- <description>PPTPD communication error</description>
- </rule>
-</group>
-
-
-
-<!-- Syslog FTS -->
-<group name="syslog,fts,">
- <rule id="10100" level="4">
- <if_group>authentication_success</if_group>
- <options>alert_by_email</options>
- <if_fts></if_fts>
- <group>authentication_success</group>
- <description>First time user logged in.</description>
- </rule>
-</group>
-
-
-<group name="syslog,squid,">
- <rule id="9200" level="0" noalert="1">
- <program_name>^squid</program_name>
- <description>Squid syslog messages grouped</description>
- </rule>
-
- <rule id="9201" level="0">
- <if_sid>9200</if_sid>
- <match>^ctx: enter level|^sslRead|^urlParse: Illegal |</match>
- <match>^httpReadReply: Request not yet |^httpReadReply: Excess data</match>
- <description>Squid debug message</description>
- </rule>
-</group>
-
-
-<group name="syslog,dpkg,">
- <rule id="2900" level="0">
- <decoded_as>windows-date-format</decoded_as>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade </regex>
- <description>Dpkg (Debian Package) log.</description>
- </rule>
-
- <rule id="2901" level="3">
- <if_sid>2900</if_sid>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install</regex>
- <description>New dpkg (Debian Package) requested to install.</description>
- </rule>
-
- <rule id="2902" level="7">
- <if_sid>2900</if_sid>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status installed</regex>
- <description>New dpkg (Debian Package) installed.</description>
- <group>config_changed,</group>
- </rule>
-
- <rule id="2903" level="7">
- <if_sid>2900</if_sid>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove|</regex>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge</regex>
- <description>Dpkg (Debian Package) removed.</description>
- <group>config_changed,</group>
- </rule>
-</group>
-
-
-<group name="syslog,yum,">
- <rule id="2930" level="0">
- <program_name>^yum</program_name>
- <description>Yum logs.</description>
- </rule>
-
- <rule id="2931" level="0">
- <hostname>yum.log$</hostname>
- <match>^Installed|^Updated|^Erased</match>
- <description>Yum logs.</description>
- </rule>
-
- <rule id="2932" level="7">
- <if_sid>2930,2931</if_sid>
- <match>^Installed</match>
- <group>config_changed,</group>
- <description>New Yum package installed.</description>
- </rule>
-
- <rule id="2933" level="7">
- <if_sid>2930,2931</if_sid>
- <match>^Updated</match>
- <group>config_changed,</group>
- <description>Yum package updated.</description>
- </rule>
-
- <rule id="2934" level="7">
- <if_sid>2930,2931</if_sid>
- <match>^Erased</match>
- <group>config_changed,</group>
- <description>Yum package deleted.</description>
- </rule>
-
- <!-- SCSI CONTROLLER -->
- <rule id="2935" level="0" noalert="1">
- <if_sid>5100</if_sid>
- <id>mptscsih</id>
- <description>Grouping for the mptscrih rules.</description>
- </rule>
-
- <rule id="2936" level="0" noalert="1">
- <if_sid>5100</if_sid>
- <id>mptbase</id>
- <description>Grouping for the mptbase rules.</description>
- </rule>
-
- <rule id="2937" level="12">
- <if_sid>2935</if_sid>
- <status>FAILED</status>
- <description>Possible Disk failure. SCSI controller error.</description>
- </rule>
-
- <rule id="2938" level="12">
- <if_sid>2936</if_sid>
- <action>failed</action>
- <description>SCSI RAID ARRAY ERROR, drive failed.</description>
- </rule>
-
- <rule id="2939" level="12">
- <if_sid>2936</if_sid>
- <action>degraded</action>
- <description>SCSI RAID is now in a degraded status.</description>
- </rule>
-
- <rule id="2940" level="0">
- <program_name>^NetworkManager</program_name>
- <description>NetworkManager grouping.</description>
- </rule>
-
- <rule id="2941" level="3">
- <if_sid>2940</if_sid>
- <match> No chain/target/match by that name.$</match>
- <description>Incorrect chain/target/match.</description>
- </rule>
-
- <rule id="2942" level="0">
- <if_sid>1002</if_sid>
- <match>g_slice_set_config: assertion `sys_page_size == 0' failed</match>
- <description>Uninteresting gnome error.</description>
- </rule>
-
- <rule id="2943" level="0">
- <match>^nouveau </match>
- <description>nouveau driver grouping</description>
- </rule>
-
- <rule id="2944" level="1">
- <if_sid>2943</if_sid>
- <match> DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$</match>
- <description>Uninteresting nouveau error.</description>
- </rule>
-
- <rule id="2945" level="4">
- <program_name>^rsyslogd</program_name>
- <match>^imuxsock begins to drop messages </match>
- <info>https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106</info>
- <description>rsyslog may be dropping messages due to rate-limiting.</description>
- </rule>
-
-</group>
-
-
-<!-- EOF -->
+++ /dev/null
-<!--Maintained by Josh Brower, Josh@DefensiveDepth.com -->
-<!--Licensed under the MIT License: http://opensource.org/licenses/MIT-->
-
-<!-- Ruleset to detect Windows Process Anomalies -
- - Uses Sysmon Event ID 1 logs & associated decoder.
- - Currently only looks at Parent Image Anomalies.
- - Windows Process Attributes documentation here: http://defensivedepth.com/windows-processes
- -
- - OSSEC to Sysmon (Event ID 1) Fields Mapping:
- - user = User
- - status = Image
- - url = Hash
- - extra_data = ParentImage
- -->
-
-<group name="sysmon_process-anomalies">
-
- <rule id="18501" level="12">
- <if_sid>18100</if_sid>
- <status>svchost.exe</status>
- <description>Sysmon - Suspicious Process - svchost.exe</description>
- </rule>
-
- <rule id="18502" level="0">
- <if_sid>18501</if_sid>
- <extra_data>\services.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - svchost.exe</description>
- </rule>
-
-
-<rule id="18511" level="12">
- <if_sid>18100</if_sid>
- <status>lsm.exe</status>
- <description>Sysmon - Suspicious Process - lsm.exe</description>
-</rule>
-
-<rule id="18512" level="0">
- <if_sid>18511</if_sid>
- <extra_data>wininit.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - lsm.exe</description>
-</rule>
-
-<rule id="18513" level="12">
- <if_sid>18100</if_sid>
- <extra_data>lsm.exe</extra_data>
- <description>Sysmon - Suspicious Process - lsm.exe is a Parent Image</description>
-</rule>
-
-
-<rule id="18521" level="12">
- <if_sid>18100</if_sid>
- <status>csrss.exe</status>
- <description>Sysmon - Suspicious Process - csrss.exe</description>
-</rule>
-
-<rule id="18522" level="0">
- <if_sid>18521</if_sid>
- <extra_data>smss.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - csrss.exe</description>
-</rule>
-
-
-<rule id="18531" level="12">
- <if_sid>18100</if_sid>
- <status>lsass.exe</status>
- <description>Sysmon - Suspicious Process - lsass</description>
-</rule>
-
-<rule id="18532" level="0">
- <if_sid>18531</if_sid>
- <extra_data>wininit.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - lsass.exe</description>
-</rule>
-
-<rule id="18533" level="12">
- <if_sid>18100</if_sid>
- <extra_data>lsass.exe</extra_data>
- <description>Sysmon - Suspicious Process - lsass.exe is a Parent Image</description>
-</rule>
-
-
-<rule id="18541" level="12">
- <if_sid>18100</if_sid>
- <status>winlogon.exe</status>
- <description>Sysmon - Suspicious Process - winlogon.exe</description>
-</rule>
-
-<rule id="18542" level="0">
- <if_sid>18541</if_sid>
- <extra_data>smss.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - winlogon.exe</description>
-</rule>
-
-
-<rule id="18551" level="12">
- <if_sid>18100</if_sid>
- <status>wininit.exe</status>
- <description>Sysmon - Suspicious Process - wininit</description>
-</rule>
-
-<rule id="18552" level="0">
- <if_sid>18551</if_sid>
- <extra_data>smss.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - wininit.exe</description>
-</rule>
-
-
-<rule id="18561" level="12">
- <if_sid>18100</if_sid>
- <status>smss.exe</status>
- <description>Sysmon - Suspicious Process - smss.exe</description>
-</rule>
-
-<rule id="18562" level="0">
- <if_sid>18561</if_sid>
- <extra_data>system</extra_data>
- <description>Sysmon - Legitimate Parent Image - smss.exe</description>
-</rule>
-
-
-<rule id="18571" level="12">
- <if_sid>18100</if_sid>
- <status>taskhost.exe</status>
- <description>Sysmon - Suspicious Process - taskhost.exe</description>
-</rule>
-
-<rule id="18572" level="0">
- <if_sid>18571</if_sid>
- <extra_data>services.exe|svchost.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - taskhost.exe</description>
-</rule>
-
-
-<rule id="18581" level="12">
- <if_sid>18100</if_sid>
- <status>/services.exe</status>
- <description>Sysmon - Suspicious Process - services.exe</description>
-</rule>
-
-<rule id="18582" level="0">
- <if_sid>18581</if_sid>
- <extra_data>wininit.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - services.exe</description>
-</rule>
-
-
-<rule id="18591" level="12">
- <if_sid>18100</if_sid>
- <status>dllhost.exe</status>
- <description>Sysmon - Suspicious Process - dllhost.exe</description>
-</rule>
-
-<rule id="18592" level="0">
- <if_sid>18591</if_sid>
- <extra_data>svchost.exe|services.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - dllhost.exe</description>
-</rule>
-
-
-<rule id="18601" level="12">
- <if_sid>18100</if_sid>
- <status>\explorer.exe</status>
- <description>Sysmon - Suspicious Process - explorer.exe</description>
-</rule>
-
-<rule id="18602" level="0">
- <if_sid>18601</if_sid>
- <extra_data>userinit.exe</extra_data>
- <description>Sysmon - Legitimate Parent Image - explorer.exe</description>
-</rule>
-</group> <!-- sysmon_process-anomalies -->
-
-<!-- EOF -->
+++ /dev/null
-<group name="local,systemd,">
-
- <rule id="40700" level="0">
- <program_name>^systemd$|^systemctl$</program_name>
- <description>Systemd rules</description>
- </rule>
-
- <rule id="40701" level="0">
- <if_sid>40700</if_sid>
- <match> Stale file handle$</match>
- <description>Stale file handle.</description>
- </rule>
-
- <rule id="40702" level="2">
- <if_sid>40700</if_sid>
- <match>Failed to get unit file state for</match>
- <description>Failed to get unit state for service. This means that the .service file is missing</description>
- </rule>
-
- <rule id="40703" level="5">
- <if_sid>40700</if_sid>
- <match>entered failed state</match>
- <description>Service has entered a failed state, and likely has not started.</description>
- </rule>
-
-</group>
-
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/telnetd_rules.xml, 2011/09/08 dcid Exp $
-
- - Telnetd rules for OSSEC.
- - Author: Ahmet Ozturk
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,telnetd">
- <rule id="5600" level="0" noalert="1">
- <match>telnetd</match>
- <description>Grouping for the telnetd rules</description>
- </rule>
-
- <rule id="5601" level="5">
- <if_sid>5600</if_sid>
- <match>refused connect from </match>
- <description>Connection refused by TCP Wrappers.</description>
- </rule>
-
- <rule id="5602" level="3">
- <if_sid>5600</if_sid>
- <match>: connect from </match>
- <description>Remote host established a telnet connection.</description>
- </rule>
-
- <rule id="5603" level="5" timeframe="1">
- <match>ttloop: peer died:|ttloop: read:</match>
- <if_matched_sid>5602</if_matched_sid>
- <description>Remote host invalid connection.</description>
- </rule>
-
- <rule id="5604" level="5">
- <match>warning: can't verify hostname:</match>
- <description>Reverse lookup error (bad hostname config).</description>
- </rule>
-
- <rule id="5631" level="10" frequency="6" timeframe="120">
- <if_matched_sid>5602</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source </description>
- <description>(possible scan).</description>
- </rule>
-
-</group> <!-- SYSLOG,TELNETD -->
+++ /dev/null
-<!-- Rules for detecting maybe critical top-level-domains -->
-<!-- https://www.symantec.com/blogs/feature-stories/top-20-shady-top-level-domains, https://twitter.com/someinfosecguy -->
-
-<!-- 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT kino.to:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE -->
-
-<group name="web-access,">
-
- <rule id="31111" level="2">
- <if_sid>31100</if_sid>
- <url>.top:|.to:|.gq:|.cf:|.men:|.loan:|.ml:|.work:|.click:|.tk:|.country:|.pw:|.party:|.trade:|.review:|.club:|.bid:|.country:|.stream:|.download:|.xin:|.gdn:|.racing:|.jetzt:|.win:|.vip:|.ren:|.kim:|.mom:|.date:|.wang:|.accountants:|.science:|.work:|.ninja:|.xyz:|.faith:|.zip:|.racing:|.cricket:|.space:|.realtor:|.christmas:|.gdn:|.pro:</url>
- <description>Maybe critical URL access attempt</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Ny forbindelse fra</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Godkendelse mislykkedes for</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout| [INFO] Timeout</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Kan ikke ændre mappen til</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ er logget på nu</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule><b>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Neue Verbindung von</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Authentifizierung fehlgeschlagen</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout | [INFO] Zeitüberschreitung</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Kann nicht ins Verzeichnis \S+ wechseln</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ ist jetzt eingeloggt</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
\ No newline at end of file
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] New connection from</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Authentication failed for user</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout| [INFO] Timeout</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Can't change directory to</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="120">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ is now logged in</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Nueva conexión desde</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Autentificación fallida para el usuario</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Fin de sesión.| [INFO] Timeout</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] No puedo cambiar al directorio</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ está ahora dentro del sistema</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Nouvelle connexion de</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Erreur d'authentification pour l'utilisateur</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Deloggue.| [INFO] Temps de reponse depasse</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Ne peut changer le repertoire en</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ est maintenant loggue</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] \S+ ramene son cul</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] \S+ c'est un batard, il connait pas son code</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Cassos | [INFO] Putain mais achete-toi des doigts</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] C'est quoi ce delire, je peux pas aller dans</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ vient de debarquer</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
\ No newline at end of file
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Nuova connessione da</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Autenticazione falita per l'utente</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout.| [INFO] Timeout</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Impossibile cambiare la directory in</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ è ora loggato</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Nieuwe verbinding vanaf</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Autorisatie faalde voor gebruiker</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout | [INFO] Onderbreking</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Kan de directory niet veranderen naar</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ is nu ingelogd</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
\ No newline at end of file
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Ny tilkobling fra</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Godkjennelse mislyktes for</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logg ut.| [INFO] Timeout</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Kan ikke skifte katalog til</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ er nå logget inn</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Nova conexão a partir de</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Autenticação falhou para usuário</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Fim de sessão.| [INFO] Tempo expirado</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Não foi possÃvel entrar no diretório</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ agora está logado</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Conexiune noua de la</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Autentificare esuata pentru utilizatorul</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Iesire.| [INFO] Temporizare expirata</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Nu pot intra in directorul</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ este acum logat</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Nove spojenie z</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Autentifikacia uzivatela zlyhala</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout.| [INFO] Cas vyprsal</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Nemozem prejst do adresara</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ je prave prihlaseny</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] Nyanslutning från</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] Behörighetskontroll misslyckas för användare</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Logout| [INFO] Timeout</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Kan ej ändra bibliotek till</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ har loggat in</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml, 2011/09/08 dcid Exp $
-
- - Official pure-ftpd rules for OSSEC.
- - Author: Peter Ahlert <peter@ifup.de>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,pure-ftpd,">
- <rule id="11300" level="0">
- <decoded_as>pure-ftpd</decoded_as>
- <description>Grouping for the pure-ftpd rules.</description>
- </rule>
-
- <rule id="11301" level="3">
- <if_sid>11300</if_sid>
- <match>[INFO] \S+ den yeni baðlantý</match>
- <description>New FTP connection.</description>
- <group>connection_attempt,</group>
- </rule>
-
- <rule id="11302" level="5">
- <if_sid>11300</if_sid>
- <match>[WARNING] \S+ kullanýcýsý için giriþ hatalý</match>
- <description>FTP Authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11303" level="0">
- <if_sid>11300</if_sid>
- <match> [INFO] Çýkýþ.| [INFO] Zaman Aþýmý</match>
- <description>FTP user logout/timeout</description>
- </rule>
-
- <rule id="11304" level="0">
- <if_sid>11300</if_sid>
- <match> [NOTICE] </match>
- <description>FTP notice messages</description>
- </rule>
-
- <rule id="11305" level="5">
- <if_sid>11300</if_sid>
- <match>[INFO] Klasör deðiþtirilemedi</match>
- <description>Attempt to access invalid directory</description>
- </rule>
-
- <rule id="11306" level="10" frequency="6" timeframe="3600">
- <if_matched_sid>11302</if_matched_sid>
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11307" level="10" frequency="6" timeframe="60">
- <if_matched_sid>11301</if_matched_sid>
- <same_source_ip />
- <description>Multiple connection attempts from same source.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="11309" level="3">
- <match>[INFO] \S+ giriþ yaptý</match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
-</group> <!-- SYSLOG,PURE-FTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/trend-osce_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Trend Micro OSCE (Office Scan) rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- For more info:
- -
- -->
-
-
-<group name="trend_micro,ocse">
- <rule id="7600" level="0">
- <decoded_as>trend-osce</decoded_as>
- <description>Grouping of Trend OSCE rules.</description>
- </rule>
-
- <rule id="7610" level="5">
- <if_sid>7600</if_sid>
- <id>^0|$|^1$|^2$|^33|^10$|^11$|^12$</id>
- <group>virus</group>
- <description>Virus detected and cleaned/quarantined/removed</description>
- </rule>
-
- <rule id="7611" level="9">
- <if_sid>7600</if_sid>
- <id>^5$|^6$|^7$|^8$|^14$|^15$|^16$</id>
- <group>virus</group>
- <description>Virus detected and unable to clean up.</description>
- </rule>
-
- <rule id="7612" level="3">
- <if_sid>7600</if_sid>
- <id>^4$|^13$</id>
- <description>Virus scan completed with no errors detected.</description>
- </rule>
-
- <rule id="7613" level="5">
- <if_sid>7600</if_sid>
- <id>^25$</id>
- <description>Virus scan passed by found potential security risk.</description>
- </rule>
-</group> <!-- symantec -->
-
-
-<!-- EOF -->
+++ /dev/null
- <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- -->
-
-<group name="syslog,unbound,">
-
- <rule id="53760" level="0">
- <decoded_as>unbound</decoded_as>
- <description>Unbound grouping.</description>
- </rule>
-
- <rule id="53761" level="1">
- <if_sid>53760</if_sid>
- <match> notice: </match>
- <description>Notice grouping.</description>
- </rule>
-
- <rule id="53762" level="1">
- <if_sid>53760</if_sid>
- <match> info: </match>
- <description>Info grouping.</description>
- </rule>
-
- <rule id="53770" level="2">
- <if_sid>53761</if_sid>
- <match>sendto failed: Can't assign requested address</match>
- <description>Can't assign requested address.</description>
- </rule>
-
- <rule id="53771" level="0">
- <if_sid>53762</if_sid>
- <match> A IN$</match>
- <description>DNS A request.</description>
- </rule>
-
- <rule id="53772" level="0">
- <if_sid>53762</if_sid>
- <match> AAAA IN$</match>
- <description>DNS AAAA request.</description>
- </rule>
-
- <rule id="53773" level="7">
- <if_sid>53771,53772</if_sid>
- <url>.top.|.to.|.gq.|.cf.|.men.|.loan.|.ml.|.work.|.click.|.tk.|.country.|.pw.|.party.|.trade.|.review.|.club.|.bid.|.country.|.stream.|.download.|.xin.|.gdn.|.racing.|.jetzt.|.win.|.vip.|.ren.|.kim.|.mom.|.date.|.wang.|.accountants.|.science.|.work.|.ninja.|.xyz.|.faith.|.zip.|.racing.|.cricket.|.space.|.realtor.|.christmas.|.gdn.|.pro.</url>
- <description>Maybe critical URL requested</description>
- </rule>
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/vmpop3d_rules.xml, 2011/09/08 dcid Exp $
-
- - Official rules for vm-pop3d.
- -
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,vm-pop3d,">
- <rule id="9800" level="0" noalert="1">
- <decoded_as>vm-pop3d</decoded_as>
- <description>Grouping for the vm-pop3d rules.</description>
- </rule>
-
- <rule id="9801" level="5">
- <if_sid>9800</if_sid>
- <match>failed auth</match>
- <group>authentication_failed,</group>
- <description>Login failed accessing the pop3 server.</description>
- </rule>
-
- <rule id="9820" level="10" frequency="6" timeframe="240">
- <if_matched_sid>9801</if_matched_sid>
- <same_source_ip />
- <description>POP3 brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
-</group>
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/vmware_rules.xml, 2011/09/08 dcid Exp $
-
- - Official VMWare ESX rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- SonicWall Log messages -->
-<group name="vmware,">
- <rule id="19100" level="0">
- <decoded_as>vmware</decoded_as>
- <description>VMWare messages grouped.</description>
- </rule>
-
- <rule id="19101" level="0">
- <decoded_as>vmware-syslog</decoded_as>
- <description>VMWare ESX syslog messages grouped.</description>
- </rule>
-
- <rule id="19102" level="8">
- <if_sid>19100</if_sid>
- <status>^crit|^fatal</status>
- <description>VMware ESX critical message.</description>
- </rule>
-
- <rule id="19103" level="4">
- <if_sid>19100</if_sid>
- <status>^error</status>
- <description>VMware ESX error message.</description>
- </rule>
-
- <rule id="19104" level="3">
- <if_sid>19100</if_sid>
- <status>^warn</status>
- <description>VMware ESX warning message.</description>
- </rule>
-
- <rule id="19105" level="0">
- <if_sid>19100</if_sid>
- <status>^notice</status>
- <description>VMware ESX notice message.</description>
- </rule>
-
- <rule id="19106" level="0">
- <if_sid>19100</if_sid>
- <status>^info</status>
- <description>VMware ESX informational message.</description>
- </rule>
-
- <rule id="19107" level="0">
- <if_sid>19100</if_sid>
- <status>^verbose</status>
- <description>VMware ESX verbose message.</description>
- </rule>
-
-
- <!-- Authentication messages. -->
-
- <rule id="19110" level="3">
- <if_sid>19106</if_sid>
- <match>logged in$</match>
- <description>VMWare ESX authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="19111" level="5">
- <if_sid>19106</if_sid>
- <match>Failed login attempt for</match>
- <description>VMWare ESX authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="19112" level="3">
- <if_sid>19101</if_sid>
- <program_name>vmware-hostd|vmware-authd</program_name>
- <match>Accepted password for|login from</match>
- <description>VMWare ESX user login.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="19113" level="3">
- <if_sid>19101</if_sid>
- <program_name>vmware-hostd|vmware-authd</program_name>
- <match>Rejected password for</match>
- <description>VMWare ESX user authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
-
- <!-- Guest OS messages. -->
- <rule id="19120" level="8">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_OFF</match>
- <description>Virtual machine state changed to OFF.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="19121" level="3">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_POWERING_ON</match>
- <description>Virtual machine being turned ON.</description>
- </rule>
-
- <rule id="19122" level="3">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_ON</match>
- <description>Virtual machine state changed to ON.</description>
- <options>alert_by_email</options>
- </rule>
-
- <rule id="19123" level="5">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_RECONFIGURING</match>
- <description>Virtual machine being reconfigured.</description>
- <group>config_changed,</group>
- <options>alert_by_email</options>
- </rule>
-
-
- <!-- Composite rules. -->
-
- <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>19104</if_matched_sid>
- <description>Multiple VMWare ESX warning messages.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>19103</if_matched_sid>
- <description>Multiple VMWare ESX error messages.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="19152" level="10" frequency="6" timeframe="120">
- <if_matched_sid>19111</if_matched_sid>
- <description>Multiple VMWare ESX authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="19153" level="10" frequency="6" timeframe="120">
- <if_matched_sid>19113</if_matched_sid>
- <description>Multiple VMWare ESX user authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
-</group> <!-- VMware ESX -->
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/vpn_concentrator_rules.xml, 2011/09/08 dcid Exp $
-
- -
- - Official Cisco VPN Concentrator rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- For more info:
- - http://www.ossec.net/wiki/index.php/Cisco_VPN_Concentrator
- -->
-
-
-<group name="syslog,cisco_vpn,">
- <rule id="14200" level="0">
- <decoded_as>cisco-vpn-concentrator</decoded_as>
- <description>Grouping of Cisco VPN concentrator rules</description>
- </rule>
-
- <rule id="14201" level="3">
- <if_sid>14200</if_sid>
- <id>^IKE/52$</id>
- <description>VPN authentication successful.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="14202" level="5">
- <if_sid>14200</if_sid>
- <id>^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$</id>
- <description>VPN authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="14203" level="4">
- <if_sid>14200</if_sid>
- <id>^HTTP/47$|^SSH/16$</id>
- <options>alert_by_email</options>
- <description>VPN Admin authentication successful.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="14251" level="10" frequency="8" timeframe="240">
- <if_matched_sid>14202</if_matched_sid>
- <same_source_ip />
- <description>Multiple VPN authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-</group> <!-- SYSLOG,vpn_concentrator -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/vpopmail_rules.xml, 2011/09/08 dcid Exp $
-
- - Official rules for vpopmail.
- -
- - Author: Ceg Ryan <cegryan ( at ) gmail.com>
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,vpopmail,">
- <rule id="9900" level="0">
- <decoded_as>vpopmail</decoded_as>
- <description>Grouping for the vpopmail rules.</description>
- </rule>
-
- <rule id="9901" level="5">
- <if_sid>9900</if_sid>
- <match> password fail </match>
- <group>authentication_failed,</group>
- <description>Login failed for vpopmail.</description>
- </rule>
-
- <rule id="9902" level="5">
- <if_sid>9900</if_sid>
- <match> vpopmail user not found </match>
- <group>invalid_login,</group>
- <description>Attempt to login to vpopmail with invalid username.</description>
- </rule>
-
- <rule id="9903" level="5">
- <if_sid>9900</if_sid>
- <match> null password given </match>
- <group>authentication_failed,</group>
- <description>Attempt to login to vpopmail with empty password.</description>
- </rule>
-
- <rule id="9904" level="1">
- <if_sid>9900</if_sid>
- <match> login success </match>
- <group>authentication_success,</group>
- <description>Vpopmail successful login.</description>
- </rule>
-
-
- <rule id="9951" level="10" frequency="8" timeframe="240">
- <if_matched_sid>9901</if_matched_sid>
- <same_source_ip />
- <description>Vpopmail brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="9952" level="10" frequency="8" timeframe="240">
- <if_matched_sid>9902</if_matched_sid>
- <same_source_ip />
- <description>Vpopmail brute force (email harvesting).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="9953" level="10" frequency="8" timeframe="240">
- <if_matched_sid>9903</if_matched_sid>
- <same_source_ip />
- <description>VPOPMAIL brute force (empty password).</description>
- <group>authentication_failures,</group>
- </rule>
-
-</group>
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/vsftpd_rules.xml, 2011/09/08 dcid Exp $
-
- - Official vsftpd rules for OSSEC.
- - Author: Joachim Vorrath <joachim.vorrath@vorrath-net.de>
- - Author: Jorge Augusto Senger <jorge@br10.com.br>
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,vsftpd,">
- <rule id="11400" level="0" noalert="1">
- <decoded_as>vsftpd</decoded_as>
- <description>Grouping for the vsftpd rules.</description>
- </rule>
-
- <rule id="11401" level="3">
- <if_sid>11400</if_sid>
- <match>CONNECT: Client</match>
- <group>connection_attempt</group>
- <description>FTP session opened.</description>
- </rule>
-
- <rule id="11402" level="3">
- <if_sid>11400</if_sid>
- <match>OK LOGIN: </match>
- <description>FTP Authentication success.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="11403" level="5">
- <if_sid>11400</if_sid>
- <match>FAIL LOGIN: </match>
- <description>Login failed accessing the FTP server.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="11404" level="0">
- <if_sid>11400</if_sid>
- <match>OK UPLOAD: </match>
- <description>FTP server file upload.</description>
- </rule>
-
- <rule id="11451" level="10" frequency="6" timeframe="120">
- <if_matched_sid>11403</if_matched_sid>
- <same_source_ip />
- <description>FTP brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="11452" level="10" frequency="10" timeframe="60">
- <if_matched_sid>11401</if_matched_sid>
- <same_source_ip />
- <description>Multiple FTP connection attempts from </description>
- <description>same source IP.</description>
- <group>recon,</group>
- </rule>
-
-</group> <!-- SYSLOG,VSFTPD -->
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
-
- -
- - Web attacks/vulns specific rules for OSSEC.
- -
- - Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Collection of rules for common web attacks that we are seeing in the wild.
- - The real goal is to stop bots and automated attacks from doing further damage
- - on sites that are not updated.
- -->
-<group name="web,appsec,attack">
-
-
-
- <!-- Checking POST / requests - WP comment spam coming from fake search engines.
- -->
- <rule id="31501" level="6">
- <if_sid>31100</if_sid>
- <match>POST /</match>
- <url>/wp-comments-post.php</url>
- <regex>Googlebot|MSNBot|BingBot</regex>
- <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
- </rule>
-
- <!-- Timthumb scans.
- -->
- <rule id="31502" level="6">
- <if_sid>31100</if_sid>
- <url>thumb.php|timthumb.php</url>
- <regex> "GET \S+thumb.php?src=\S+.php</regex>
- <description>TimThumb vulnerability exploit attempt.</description>
- </rule>
-
- <!-- osCommerce login.php bypass
- -->
- <rule id="31503" level="6">
- <if_sid>31100</if_sid>
- <url>login.php</url>
- <regex> "POST /\S+.php/login.php?cPath=</regex>
- <description>osCommerce login.php bypass attempt.</description>
- </rule>
-
- <!-- osCommerce file manager login.php bypass
- -->
- <rule id="31504" level="6">
- <if_sid>31100</if_sid>
- <url>login.php</url>
- <regex>/admin/\w+.php/login.php</regex>
- <description>osCommerce file manager login.php bypass attempt.</description>
- </rule>
-
- <!-- Timthumb backdoor access.
- -->
- <rule id="31505" level="6">
- <if_sid>31100</if_sid>
- <url>/cache/external</url>
- <regex> "GET /\S+/cache/external\S+.php</regex>
- <description>TimThumb backdoor access attempt.</description>
- </rule>
-
- <!-- Timthumb backdoor access.
- -->
- <rule id="31506" level="6">
- <if_sid>31100</if_sid>
- <url>cart.php</url>
- <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
- <description>Cart.php directory transversal attempt.</description>
- </rule>
-
- <!-- MSSQL IIS inject rules -->
- <rule id="31507" level="6">
- <if_sid>31100</if_sid>
- <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
- <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
- </rule>
-
- <!-- BAD/Annoying user agents -->
- <rule id="31508" level="6">
- <if_sid>31100</if_sid>
- <match> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</match>
- <description>Blacklisted user agent (known malicious user agent).</description>
- </rule>
-
- <!-- WordPress wp-login.php brute force -->
- <rule id="31509" level="3">
- <if_sid>31108</if_sid>
- <url>wp-login.php|/administrator</url>
- <regex>] "POST \S+wp-login.php| "POST /administrator</regex>
- <description>CMS (WordPress or Joomla) login attempt.</description>
- </rule>
-
- <!-- If we see frequent wp-login POST's, it is likely a bot. -->
- <rule id="31510" level="8" frequency="6" timeframe="30">
- <if_matched_sid>31509</if_matched_sid>
- <same_source_ip />
- <description>CMS (WordPress or Joomla) brute force attempt.</description>
- </rule>
-
- <!-- Nothing wrong with wget per se, but it misses a lot of links
- - that generates many 404s. Blocking it to avoid the noise.
- -->
- <rule id="31511" level="0">
- <if_sid>31100</if_sid>
- <match>" "Wget/</match>
- <description>Blacklisted user agent (wget).</description>
- </rule>
-
- <!-- Uploadify scans.
- -->
- <rule id="31512" level="6">
- <if_sid>31100</if_sid>
- <url>uploadify.php</url>
- <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
- <description>Uploadify vulnerability exploit attempt.</description>
- </rule>
-
- <!-- BBS delete.php skin_path.
- -->
- <rule id="31513" level="6">
- <if_sid>31100</if_sid>
- <url>delete.php</url>
- <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
- <description>BBS delete.php exploit attempt.</description>
- </rule>
-
- <!-- Simple shell.php command execution
- -->
- <rule id="31514" level="6">
- <if_sid>31100</if_sid>
- <url>shell.php</url>
- <regex> "GET \S+/shell.php?cmd=</regex>
- <description>Simple shell.php command execution.</description>
- </rule>
-
- <!-- PHPMyAdmin scans
- -->
- <rule id="31515" level="6">
- <if_sid>31100</if_sid>
- <url>phpMyAdmin/scripts/setup.php</url>
- <description>PHPMyAdmin scans (looking for setup.php).</description>
- </rule>
-
- <!-- Suspicious URL's access
- -->
- <rule id="31516" level="6">
- <if_sid>31100</if_sid>
- <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
- <description>Suspicious URL access.</description>
- </rule>
-
- <!-- Checking POST requests - Too many in a small type = likely a bot -->
- <rule id="31530" level="3">
- <if_sid>31100</if_sid>
- <match>] "POST </match>
- <options>no_log</options>
- <description>POST request received.</description>
- </rule>
-
- <rule id="31531" level="0">
- <if_sid>31530</if_sid>
- <url>/wp-admin/|/administrator/|/admin/</url>
- <description>Ignoring often post requests inside /wp-admin and /admin.</description>
- </rule>
-
- <rule id="31533" level="10" timeframe="20" frequency="6">
- <if_matched_sid>31530</if_matched_sid>
- <same_source_ip />
- <description>High amount of POST requests in a small period of time (likely bot).</description>
- </rule>
-
- <!-- Anomaly rules - Used on common web attacks -->
- <rule id="31550" level="6">
- <if_sid>31100</if_sid>
- <url>%00</url>
- <regex> "GET /\S+.php?\S+%00</regex>
- <description>Anomaly URL query (attempting to pass null termination).</description>
- </rule>
-
-
-</group>
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2013/02/28 dcid Exp $
-
- -
- - Official Web access rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="web,accesslog,">
- <rule id="31100" level="0">
- <category>web-log</category>
- <description>Access log messages grouped.</description>
- </rule>
-
- <rule id="31108" level="0">
- <if_sid>31100</if_sid>
- <id>^2|^3</id>
- <compiled_rule>is_simple_http_request</compiled_rule>
- <description>Ignored URLs (simple queries).</description>
- </rule>
-
- <rule id="31101" level="5">
- <if_sid>31100</if_sid>
- <id>^4</id>
- <description>Web server 400 error code.</description>
- </rule>
-
- <rule id="31102" level="0">
- <if_sid>31101</if_sid>
- <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url>
- <compiled_rule>is_simple_http_request</compiled_rule>
- <description>Ignored extensions on 400 error codes.</description>
- </rule>
-
- <rule id="31103" level="6">
- <if_sid>31100,31108</if_sid>
- <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
- <url>union+|where+|null,null|xp_cmdshell</url>
- <description>SQL injection attempt.</description>
- <group>attack,sql_injection,</group>
- </rule>
-
- <rule id="31104" level="6">
- <if_sid>31100</if_sid>
-
- <!-- Attempt to do directory transversal, simple sql injections,
- - or access to the etc or bin directory (unix). -->
- <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|</url>
- <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|</url>
- <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
- <url>exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C</url>
- <description>Common web attack.</description>
- <group>attack,</group>
- </rule>
-
- <rule id="31105" level="6">
- <if_sid>31100</if_sid>
- <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
- <url>%20ONLOAD=|INPUT%20|iframe%20</url>
- <description>XSS (Cross Site Scripting) attempt.</description>
- <group>attack,</group>
- </rule>
-
- <rule id="31106" level="6">
- <if_sid>31103, 31104, 31105</if_sid>
- <id>^200</id>
- <description>A web attack returned code 200 (success).</description>
- <group>attack,</group>
- </rule>
-
- <rule id="31110" level="6">
- <if_sid>31100</if_sid>
- <url>?-d|?-s|?-a|?-b|?-w</url>
- <description>PHP CGI-bin vulnerability attempt.</description>
- <group>attack,</group>
- </rule>
-
- <rule id="31109" level="6">
- <if_sid>31100</if_sid>
- <url>+as+varchar</url>
- <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
- <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
- <group>attack,</group>
- </rule>
-
-
- <!-- If your site have a search engine, you may need to ignore
- - it in here.
- -->
- <rule id="31107" level="0">
- <if_sid>31103, 31104, 31105</if_sid>
- <url>^/search.php?search=|^/index.php?searchword=</url>
- <description>Ignored URLs for the web attacks</description>
- </rule>
-
- <rule id="31115" level="13" maxsize="7900">
- <if_sid>31100</if_sid>
- <description>URL too long. Higher than allowed on most </description>
- <description>browsers. Possible attack.</description>
- <group>invalid_access,</group>
- </rule>
-
-
- <!-- 500 error codes, server error
- - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
- -->
- <rule id="31120" level="5">
- <if_sid>31100</if_sid>
- <id>^50</id>
- <description>Web server 500 error code (server error).</description>
- </rule>
-
- <rule id="31121" level="4">
- <if_sid>31120</if_sid>
- <id>^501</id>
- <description>Web server 501 error code (Not Implemented).</description>
- </rule>
-
- <rule id="31122" level="5">
- <if_sid>31120</if_sid>
- <id>^500</id>
- <options>alert_by_email</options>
- <description>Web server 500 error code (Internal Error).</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="31123" level="4">
- <if_sid>31120</if_sid>
- <id>^503</id>
- <options>alert_by_email</options>
- <description>Web server 503 error code (Service unavailable).</description>
- </rule>
-
-
- <!-- Rules to ignore crawlers -->
- <rule id="31140" level="0">
- <if_sid>31101</if_sid>
- <compiled_rule>is_valid_crawler</compiled_rule>
- <description>Ignoring google/msn/yahoo bots.</description>
- </rule>
-
- <!-- Ignoring nginx 499's -->
- <rule id="31141" level="0">
- <if_sid>31101</if_sid>
- <id>^499</id>
- <description>Ignored 499's on nginx.</description>
- </rule>
-
-
- <rule id="31151" level="10" frequency="12" timeframe="90">
- <if_matched_sid>31101</if_matched_sid>
- <same_source_ip />
- <description>Multiple web server 400 error codes </description>
- <description>from same source ip.</description>
- <group>web_scan,recon,</group>
- </rule>
-
- <rule id="31152" level="10" frequency="6" timeframe="120">
- <if_matched_sid>31103</if_matched_sid>
- <same_source_ip />
- <description>Multiple SQL injection attempts from same </description>
- <description>source ip.</description>
- <group>attack,sql_injection,</group>
- </rule>
-
- <rule id="31153" level="10" frequency="8" timeframe="120">
- <if_matched_sid>31104</if_matched_sid>
- <same_source_ip />
- <description>Multiple common web attacks from same source ip.</description>
- <group>attack,</group>
- </rule>
-
- <rule id="31154" level="10" frequency="8" timeframe="120">
- <if_matched_sid>31105</if_matched_sid>
- <same_source_ip />
- <description>Multiple XSS (Cross Site Scripting) attempts </description>
- <description>from same source ip.</description>
- <group>attack,</group>
- </rule>
-
- <rule id="31161" level="10" frequency="12" timeframe="120">
- <if_matched_sid>31121</if_matched_sid>
- <same_source_ip />
- <description>Multiple web server 501 error code (Not Implemented).</description>
- <group>web_scan,recon,</group>
- </rule>
-
- <rule id="31162" level="10" frequency="12" timeframe="120">
- <if_matched_sid>31122</if_matched_sid>
- <same_source_ip />
- <description>Multiple web server 500 error code (Internal Error).</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="31163" level="10" frequency="12" timeframe="120">
- <if_matched_sid>31123</if_matched_sid>
- <same_source_ip />
- <description>Multiple web server 503 error code (Service unavailable).</description>
- <group>web_scan,recon,</group>
- </rule>
-
- <rule id="31164" level="6">
- <if_sid>31100</if_sid>
- <url>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url>
- <description>SQL injection attempt.</description>
- <group>attack,sqlinjection,</group>
- </rule>
-
- <rule id="31165" level="6">
- <if_sid>31100</if_sid>
- <url>%EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045</url>
- <description>SQL injection attempt.</description>
- <group>attack,sqlinjection,</group>
- </rule>
-
-</group> <!-- Web access log -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/wordpress_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Wordpress rules for OSSEC.
- -
- - Author: Daniel B. Cid
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-<group name="syslog,wordpress,">
- <rule id="9500" level="0">
- <decoded_as>wordpress</decoded_as>
- <description>Wordpress messages grouped.</description>
- </rule>
-
- <rule id="9501" level="5">
- <if_sid>9500</if_sid>
- <match>User authentication failed</match>
- <description>Wordpress authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="9502" level="3">
- <if_sid>9500</if_sid>
- <match>User logged in</match>
- <description>Wordpress authentication succeeded.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="9503" level="3">
- <if_sid>9500</if_sid>
- <match>WPsyslog was successfully initiali</match>
- <description>WPsyslog was successfully initialized.</description>
- </rule>
-
- <rule id="9504" level="3">
- <if_sid>9500</if_sid>
- <match>Plugin deactivated</match>
- <description>Wordpress plugin deactivated.</description>
- </rule>
-
- <rule id="9505" level="7">
- <if_sid>9500</if_sid>
- <match>Warning: Comment flood attempt</match>
- <description>Wordpress Comment Flood Attempt.</description>
- </rule>
-
- <rule id="9510" level="7">
- <if_sid>9500</if_sid>
- <match>Warning: IDS:</match>
- <description>Attack against Wordpress detected.</description>
- </rule>
-
- <rule id="9551" level="10">
- <if_matched_sid>9501</if_matched_sid>
- <same_source_ip />
- <description>Multiple wordpress authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
-</group>
-
-
-<!-- EOF -->
+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/zeus_rules.xml, 2011/09/08 dcid Exp $
-
- -
- - Official Zeus rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -
- - Contributed by: Chris Buckley <chris at cjbuckley.net>
- -->
-
-
-<!-- For more info:
- - http://www.ossec.net/wiki/index.php/Log_Samples_Zeus
- -->
-
-
-<group name="zeus,">
- <rule id="31200" level="0">
- <decoded_as>zeus</decoded_as>
- <description>Grouping of Zeus rules.</description>
- </rule>
-
- <rule id="31201" level="0">
- <if_sid>31200</if_sid>
- <regex>^[\S+ \S+] INFO:|^[\S+ \S+] SSL:</regex>
- <description>Grouping of Zeus informational logs.</description>
- </rule>
-
- <rule id="31202" level="4">
- <if_sid>31200</if_sid>
- <regex>^[\S+ \S+] WARN:</regex>
- <description>Zeus warning log.</description>
- </rule>
-
- <rule id="31203" level="9">
- <if_sid>31200</if_sid>
- <regex>^[\S+ \S+] SERIOUS:</regex>
- <description>Zeus serious log.</description>
- </rule>
-
- <rule id="31204" level="12">
- <if_sid>31200</if_sid>
- <regex>^[\S+ \S+] FATAL:</regex>
- <description>Zeus fatal log.</description>
- </rule>
-
- <rule id="31205" level="8">
- <if_sid>31202</if_sid>
- <match>admin:Authentication failure</match>
- <description>Admin authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="31206" level="0">
- <if_sid>31202</if_sid>
- <match>Unknown directive</match>
- <description>Configuration warning (ignored).</description>
- </rule>
-
- <rule id="31251" level="10" frequency="6" timeframe="120">
- <if_matched_sid>31202</if_matched_sid>
- <description>Multiple Zeus warnings.</description>
- </rule>
-</group> <!-- zeus, -->
-
-
-<!-- EOF -->
projects / ossec-hids.git / commitdiff