From: Ivan Rako Date: Mon, 17 Jun 2019 21:44:20 +0000 (+0200) Subject: obrisane nepotrebne datoteke od zadnjeg builda X-Git-Tag: debian/3.3.0-1^0 X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=commitdiff_plain obrisane nepotrebne datoteke od zadnjeg builda --- diff --git a/build-stamp b/build-stamp deleted file mode 100644 index e69de29..0000000 diff --git a/debian/files b/debian/files deleted file mode 100644 index d4e038c..0000000 --- a/debian/files +++ /dev/null @@ -1 +0,0 @@ -ossec-hids_3.3.0-1_amd64.deb admin extra diff --git a/debian/ossec-hids.debhelper.log b/debian/ossec-hids.debhelper.log deleted file mode 100644 index 503f31c..0000000 --- a/debian/ossec-hids.debhelper.log +++ /dev/null @@ -1,90 +0,0 @@ -dh_prep -dh_installdirs -dh_installchangelogs -dh_installdocs -dh_lintian -dh_installman -dh_link -dh_compress -dh_fixperms -dh_installdeb -dh_shlibdeps -dh_gencontrol -dh_md5sums -dh_builddeb -dh_builddeb -dh_prep -dh_installdirs -dh_installchangelogs -dh_installdocs -dh_lintian -dh_installman -dh_link -dh_compress -dh_fixperms -dh_installdeb -dh_shlibdeps -dh_gencontrol -dh_md5sums -dh_builddeb -dh_builddeb -dh_prep -dh_installdirs -dh_installchangelogs -dh_installdocs -dh_lintian -dh_installman -dh_link -dh_compress -dh_fixperms -dh_installdeb -dh_shlibdeps -dh_gencontrol -dh_md5sums -dh_builddeb -dh_builddeb -dh_prep -dh_installdirs -dh_installchangelogs -dh_installdocs -dh_lintian -dh_installman -dh_link -dh_compress -dh_fixperms -dh_installdeb -dh_shlibdeps -dh_gencontrol -dh_md5sums -dh_builddeb -dh_builddeb -dh_prep -dh_installdirs -dh_installchangelogs -dh_installdocs -dh_lintian -dh_installman -dh_link -dh_compress -dh_fixperms -dh_installdeb -dh_shlibdeps -dh_gencontrol -dh_md5sums -dh_builddeb -dh_builddeb -dh_prep -dh_installdirs -dh_installchangelogs -dh_installdocs -dh_lintian -dh_installman -dh_link -dh_compress -dh_fixperms -dh_installdeb -dh_shlibdeps -dh_gencontrol -dh_md5sums -dh_builddeb -dh_builddeb diff --git a/debian/ossec-hids.substvars b/debian/ossec-hids.substvars deleted file mode 100644 index 0faece2..0000000 --- a/debian/ossec-hids.substvars +++ /dev/null @@ -1,3 +0,0 @@ -shlibs:Depends=libc6 (>= 2.14), libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.2.3.3) -misc:Depends= -misc:Pre-Depends= diff --git a/debian/ossec-hids/DEBIAN/conffiles b/debian/ossec-hids/DEBIAN/conffiles deleted file mode 100644 index 7d0dc6d..0000000 --- a/debian/ossec-hids/DEBIAN/conffiles +++ /dev/null @@ -1,5 +0,0 @@ -/var/ossec/rules/local_rules.xml -/var/ossec/etc/ossec.conf -/var/ossec/etc/internal_options.conf -/etc/init.d/ossec-hids -/etc/ossec-init.conf diff --git a/debian/ossec-hids/DEBIAN/control b/debian/ossec-hids/DEBIAN/control deleted file mode 100644 index db6beef..0000000 --- a/debian/ossec-hids/DEBIAN/control +++ /dev/null @@ -1,19 +0,0 @@ -Package: ossec-hids -Version: 3.3.0-1 -Architecture: amd64 -Maintainer: Ivan Rako -Installed-Size: 17088 -Depends: postfix | mail-transport-agent, expect (>= 5.45-2), lsb-base (>= 3.2-14), adduser (>= 3.113+nmu3), libc6 (>= 2.14), libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.2.3.3) -Section: admin -Priority: extra -Description: OSSEC open source Host-based Intrusion Detection System (HIDS) - OSSEC is a scalable, multi-platform, open source Host-based Intrusion - Detection System (HIDS). It has a powerful correlation and analysis - engine, integrating log analysis, file integrity checking, Windows - registry monitoring, centralized policy enforcement, rootkit detection, - real-time alerting and active response. - . - It runs on most operating systems, including Linux, OpenBSD, FreeBSD, - MacOS, Solaris and Windows. - . - More information on OSSEC is available at: http://www.ossec.net/ . diff --git a/debian/ossec-hids/DEBIAN/md5sums b/debian/ossec-hids/DEBIAN/md5sums deleted file mode 100644 index 129751f..0000000 --- a/debian/ossec-hids/DEBIAN/md5sums +++ /dev/null @@ -1,447 +0,0 @@ -837694ab5ee70bc5827025502e2b2483 usr/share/doc/ossec-hids/BUGS -4a1616de42c745c30a02f507f2fd8919 usr/share/doc/ossec-hids/CONFIG -5286e829a8f7223e6ec167c57a721437 usr/share/doc/ossec-hids/CONTRIBUTORS.gz -6ecb2d39964fe1cf2c3e143c5427ce42 usr/share/doc/ossec-hids/README.config -6168b7cb1f75122fa8866a9d11bb8b06 usr/share/doc/ossec-hids/README.md -37e5b985193f8631e21373d4169588ae usr/share/doc/ossec-hids/active-response-internal.txt -795bdb6f0d351a17d7f7cae6179cdc9a usr/share/doc/ossec-hids/active-response.txt -f8c8c2b41823ff6fc0444cdb2eea5be1 usr/share/doc/ossec-hids/changelog.Debian.gz -c0712e1142b815256284b49e424038de usr/share/doc/ossec-hids/changelog.gz -00e9f6c6449a29dcdfdcfd64bfd62c11 usr/share/doc/ossec-hids/contrib/active-list.pl -eb802564770338081e2b7640044a856c usr/share/doc/ossec-hids/contrib/add_localfile.sh -6361c0b861dd45be86f8dbe5327fb95b usr/share/doc/ossec-hids/contrib/compile_alerts.pl -75bd099e8853bf6b147a0c00c75256a3 usr/share/doc/ossec-hids/contrib/compile_alerts.txt.gz -f29c4cc38d9d52754ff1aca1016a1f69 usr/share/doc/ossec-hids/contrib/config2xml.gz -6edf0c2261cec3147374ab7e223ee8a7 usr/share/doc/ossec-hids/contrib/debian-packages/Readme.txt -16ff6cb4ce64d56d5c63321d5491f585 usr/share/doc/ossec-hids/contrib/debian-packages/generate_ossec.sh.gz -837ac8d8a4d8fd89627e49fe93cd6e0f usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/changelog.gz -84bc3da1b3e33a18e8d5e1bdd7a18d7a usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/compat -18fdfe6e73421bcde33b90e16e0cedee usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/conffiles -57488387a176a4715570ec581b45b0f5 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/control -ec092b426b329155f9f3406f9cadbaef usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/copyright -f3f919bb9df0b84ae3fb4739c1c221a9 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/ossec-hids-agent.lintian-overrides -1b20ca88fba887e31f55ff43a371b3d2 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/01_makefile.patch -9128b264c18030031acd26aefa669114 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/02_ossec-agent.conf.patch -13cdfb6bf457c720bd7c7a05a53b9992 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/series -2ef38d3c5c636f5e9f40c86fd0b3f976 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postinst -3448af5dc1c73e19b675166663d3d67c usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postrm -612e70ec20da876634700dd0d5417d22 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/preinst -4034b9e90f7d88b55493554e0a87e150 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/rules -d3a10140af54ec7371d3b9b084b07c14 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/source/format -8976a785fb2b23cc0a13d17399084dc5 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/templates -c678fc89d221bb5f3e53fc3bcd93e8e0 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/changelog.gz -84bc3da1b3e33a18e8d5e1bdd7a18d7a usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/compat -18fdfe6e73421bcde33b90e16e0cedee usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/conffiles -1c11554096c4fc6af1d9ea15fdfc61f6 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/control -ec092b426b329155f9f3406f9cadbaef usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/copyright -dec1921222bfe2a9191b3c5d22f47d67 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/ossec-hids.lintian-overrides -37463537093f8a94f4cec1d231d889fa usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/01_makefile.patch -0326b1ee8f71fe61eb59e31aa23751fe usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/02_ossec-server.conf.patch -8bb641ab91b5c7d82b76ab71dab7c0bf usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/series -5bd8dd827930f4fd77055e83ca0e89d4 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postinst.gz -70f33cfc6430996167988c2338f307e3 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postrm -4fcc2e0e778d4aaaf3a3cd220c994267 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/preinst -4034b9e90f7d88b55493554e0a87e150 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/rules -d3a10140af54ec7371d3b9b084b07c14 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/source/format -a4ba1a5f6da6fdc3c6c95f9f67ed7029 usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/templates -5d47b88205aef993618c9e2968e1e7f2 usr/share/doc/ossec-hids/contrib/iis-logs.bat -ddcab750caa658684d29c5fffe3cf161 usr/share/doc/ossec-hids/contrib/logtesting/1/log -58f012497b31188068d211f9f486fc1e usr/share/doc/ossec-hids/contrib/logtesting/1/res -7e0156b8d732b8448f6af3181d350a18 usr/share/doc/ossec-hids/contrib/logtesting/10/log -10520ba96802c0cd496ac3f5829456a1 usr/share/doc/ossec-hids/contrib/logtesting/10/res -04bfbfc40a343ae31a9a7f12fe1b45dd usr/share/doc/ossec-hids/contrib/logtesting/11/log -a7f736c7941071c81b251972c267d61c usr/share/doc/ossec-hids/contrib/logtesting/11/res -6afa6e10da301618c4ae55c09291a2bb usr/share/doc/ossec-hids/contrib/logtesting/12/log -615a3d90fe2095260a8d9415b8d7cf63 usr/share/doc/ossec-hids/contrib/logtesting/12/res -51e290523486cb0e8e91427b2d876715 usr/share/doc/ossec-hids/contrib/logtesting/13/log -16b9a5c028be572c13cb1bf0d2422736 usr/share/doc/ossec-hids/contrib/logtesting/13/res -00b89cd61f97a803d619c0e910bb4af5 usr/share/doc/ossec-hids/contrib/logtesting/14/log -1dcf0d4e55de853e88392ac3b183a53d usr/share/doc/ossec-hids/contrib/logtesting/14/res -19e5180cef68d453c4be871f9a71fcaf usr/share/doc/ossec-hids/contrib/logtesting/15/log -e739dd096294e15d853715275439b623 usr/share/doc/ossec-hids/contrib/logtesting/15/res -2ca78ae79aec39b9fda64a6ec02a98eb usr/share/doc/ossec-hids/contrib/logtesting/16/log -487ebee4944ae058518db4b43856d016 usr/share/doc/ossec-hids/contrib/logtesting/16/res -d12d7187e4c1d5d9f233f9b54aece159 usr/share/doc/ossec-hids/contrib/logtesting/17/log -0cb8f8c51f9764668de472ca70c3b589 usr/share/doc/ossec-hids/contrib/logtesting/17/res -15986b5f36aa276ab203380cd2e317b8 usr/share/doc/ossec-hids/contrib/logtesting/18/log -44d2b68c6b99b42d70b74e59ac90e8c0 usr/share/doc/ossec-hids/contrib/logtesting/18/res -25c2e286a6281999a16aff5ca7b330e0 usr/share/doc/ossec-hids/contrib/logtesting/19/log -cb7f10b14fb0276633e30e15a36c3c5d usr/share/doc/ossec-hids/contrib/logtesting/19/res -28bf66d3ac8948bb1433106bd13f1f9a usr/share/doc/ossec-hids/contrib/logtesting/2/log -7056fc30f30eada875927771190c654c usr/share/doc/ossec-hids/contrib/logtesting/2/res -8405e122be04cf249027db9d9f4e9684 usr/share/doc/ossec-hids/contrib/logtesting/20/log -80a9d8ebdd01e230ec3cd54117ccb0f0 usr/share/doc/ossec-hids/contrib/logtesting/20/res -4515bd5e79763fb4ee3e0990afa06fb4 usr/share/doc/ossec-hids/contrib/logtesting/21/log -dcf92d72ec5e27170998e9c96292c187 usr/share/doc/ossec-hids/contrib/logtesting/21/res -093d4ac9c3c59facac20343e93194461 usr/share/doc/ossec-hids/contrib/logtesting/22/log -7b4234846173079d01ccb0bf095c617d usr/share/doc/ossec-hids/contrib/logtesting/22/res -d4d28ea5ec71f05921df7abdcc5d2653 usr/share/doc/ossec-hids/contrib/logtesting/23/log -eb9d80508d11d762ef8812cbcfce495b usr/share/doc/ossec-hids/contrib/logtesting/23/res -28a5742d21141bda7684b3a5a21347df usr/share/doc/ossec-hids/contrib/logtesting/24/log -ce5d26b939433527067e3c8700a02d39 usr/share/doc/ossec-hids/contrib/logtesting/24/res -fdc4756c8890bfb87469c639eab2e540 usr/share/doc/ossec-hids/contrib/logtesting/25/log -78318a210801736432946eaf88aabf1b usr/share/doc/ossec-hids/contrib/logtesting/25/res -3b1d6b063d8508d1557b66c0aa5c8ed6 usr/share/doc/ossec-hids/contrib/logtesting/26/log -d6a500efd6fef6a77c6110e1c711e5f7 usr/share/doc/ossec-hids/contrib/logtesting/26/res -6778f805f166351f1e7ba6abfc4a31b7 usr/share/doc/ossec-hids/contrib/logtesting/27/log -1f6de6748f57796b10897fca0c151257 usr/share/doc/ossec-hids/contrib/logtesting/27/res -67121ad2041ebad4dea055ec5893030d usr/share/doc/ossec-hids/contrib/logtesting/28/log -f6a61b3482d7e874afc165b560c5b968 usr/share/doc/ossec-hids/contrib/logtesting/28/res -e639debcea8f8cb2d9be1374646cf986 usr/share/doc/ossec-hids/contrib/logtesting/29/log -9dc7f21623adb6139a75f9c516c46799 usr/share/doc/ossec-hids/contrib/logtesting/29/res -c0106274d05b14a01c6ebc6655df8ed4 usr/share/doc/ossec-hids/contrib/logtesting/3/log -d9edb0fd6d63d5322db0122547259504 usr/share/doc/ossec-hids/contrib/logtesting/3/res -079bef27c66438368518cf60ec5fee14 usr/share/doc/ossec-hids/contrib/logtesting/30/log -a010162d8d4029cdaaa1632a0ddfe80b usr/share/doc/ossec-hids/contrib/logtesting/30/res -ef8a44ff77a842e2198eaff91185b307 usr/share/doc/ossec-hids/contrib/logtesting/31/log -dcfa43b3c7a3123345af6bb5040315a4 usr/share/doc/ossec-hids/contrib/logtesting/31/res -4d4ea3741ca79916a80e6e8122b01ada usr/share/doc/ossec-hids/contrib/logtesting/32/log -7fa4d54a81b9c8c9df10733ad4f3e8bd usr/share/doc/ossec-hids/contrib/logtesting/32/res -2e595586e9fc6b63a08a0c9943ae78c8 usr/share/doc/ossec-hids/contrib/logtesting/33/log -7cf73a0e9ece302b0f375bced880651a usr/share/doc/ossec-hids/contrib/logtesting/33/res -fab45dea6a8a06ea2635faf4f1f10602 usr/share/doc/ossec-hids/contrib/logtesting/34/log -fb5cc0403773c11ff499cc8a369795cf usr/share/doc/ossec-hids/contrib/logtesting/34/res -03eec2ea663c9fcb325894b2eea586fb usr/share/doc/ossec-hids/contrib/logtesting/35/log -bdafc17a3cba4f8f3a9651da00aa351f usr/share/doc/ossec-hids/contrib/logtesting/35/res -6d5917975b6a5f90a85a3559397458fa usr/share/doc/ossec-hids/contrib/logtesting/36/log -676b7f2f9af5d3524ff24c36e2f311a1 usr/share/doc/ossec-hids/contrib/logtesting/36/res -b32b05370f9db79597c83f2c769c1e70 usr/share/doc/ossec-hids/contrib/logtesting/37/log -4d202db9345cfd8a0c9c81ff152ef5ef usr/share/doc/ossec-hids/contrib/logtesting/37/res -c094593056ef3ef08112d73b69f75ad6 usr/share/doc/ossec-hids/contrib/logtesting/38/log -3d16fc5187e7f2b20ec1d8934769a2f0 usr/share/doc/ossec-hids/contrib/logtesting/38/res -bb1f606b1173fa6d3d709636aaf52bc6 usr/share/doc/ossec-hids/contrib/logtesting/39/log -2d619593fcbeb409793df4864fe26ce2 usr/share/doc/ossec-hids/contrib/logtesting/39/res -ff0629d38e3e17b95c57f728a092893e usr/share/doc/ossec-hids/contrib/logtesting/4/log -4718e1a6fdf5c90eced9760bd2348ae2 usr/share/doc/ossec-hids/contrib/logtesting/4/res -79ffdfeca47e9e8c2e96293c36e1b2b5 usr/share/doc/ossec-hids/contrib/logtesting/40/log -7e03c9a8ba34d3ae60525b9864cd6280 usr/share/doc/ossec-hids/contrib/logtesting/40/res -7877ffca08e15e3f27f7a226050de61c usr/share/doc/ossec-hids/contrib/logtesting/41/log -49671d4383fc716af035ec7c6c26a8c0 usr/share/doc/ossec-hids/contrib/logtesting/41/res -b714adbc716780e807e67e39292bfc41 usr/share/doc/ossec-hids/contrib/logtesting/42/log -6a8a48180541301bd72340ec0277a254 usr/share/doc/ossec-hids/contrib/logtesting/42/res -310c5612f9034dace7cf44de56ec85cb usr/share/doc/ossec-hids/contrib/logtesting/43/log -ceb5a0b590e24fdca6b0ea28565c6050 usr/share/doc/ossec-hids/contrib/logtesting/43/res -1d4073657a5cf8b13fda4a420386c2ce usr/share/doc/ossec-hids/contrib/logtesting/44/log -053ea6a14a127e56ec23b0120c463758 usr/share/doc/ossec-hids/contrib/logtesting/44/res -661b035c6f68719fcb5d4a032c1fc56a usr/share/doc/ossec-hids/contrib/logtesting/5/log -e6cd0d314f817758a6b8b76b5995f864 usr/share/doc/ossec-hids/contrib/logtesting/5/res -f98bf6281cade52dda14be0e1abc7d51 usr/share/doc/ossec-hids/contrib/logtesting/6/log -e77759b334d7b0387218c6f4edb06202 usr/share/doc/ossec-hids/contrib/logtesting/6/res -d0c640d8ce6c72196aade008c342113a usr/share/doc/ossec-hids/contrib/logtesting/7/log -633ce5812deeb37fc272eb527e32f7fb usr/share/doc/ossec-hids/contrib/logtesting/7/res -46f9f7ed1bb605c9a59d322ac5b5e4be usr/share/doc/ossec-hids/contrib/logtesting/8/log -df256bfdb4fe2d02a347222bf1d57369 usr/share/doc/ossec-hids/contrib/logtesting/8/res -35c70c693b33cfdeeb422946a4ebb27f usr/share/doc/ossec-hids/contrib/logtesting/9/log -c4c76b6cbdff0567edd4f470f5ab9c68 usr/share/doc/ossec-hids/contrib/logtesting/9/res -31c6f82c910c42877aff4f00479d7660 usr/share/doc/ossec-hids/contrib/logtesting/dotests.sh -1311b61e9420be0e7a7417e21cdf8eb3 usr/share/doc/ossec-hids/contrib/ossec-batch-manager.pl.gz -26120dcca290d675b436c7288eda0961 usr/share/doc/ossec-hids/contrib/ossec-configure.gz -c5895071106aaafce8e41dccec8e7727 usr/share/doc/ossec-hids/contrib/ossec-eps.sh -7c044d3b2fe2204375c189b50c61df79 usr/share/doc/ossec-hids/contrib/ossec-pcre2-config.pl -86364646e79f43240afe7f983bc59939 usr/share/doc/ossec-hids/contrib/ossec-testing/runtests.py -39bcbaa85d26e65b4ad7c92bef19adf0 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini -ee38334917cf71b6c33825f94d93b40a usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apparmor.ini -3421ec3af5907dcb48e102646e929097 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/asterisk.ini -75afbc0fe986ca023736068867fdff44 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cimserver.ini -7123baf8b8df41f3272b612f95c77822 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cisco_ios.ini -a672c27e1792b73b52ff9990e366cd03 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini -02cc805ff8c5587c38fd8db86215cecf usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dnsmasq.ini -9d5481ea547cf7ba1a5ff6eb9e6f104f usr/share/doc/ossec-hids/contrib/ossec-testing/tests/doas.ini -869936459b93492d9f93f9b4936e5145 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dovecot.ini -34cf635f6b9d562d91fc992d3f04eef8 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dpkg.ini -2cf42013d679aea651dea71adea4def5 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dropbear.ini -a2482d83a4a95d813eacfc8e7439d522 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/exim.ini -eca380f2883cc3438e9b57f79bfef9fb usr/share/doc/ossec-hids/contrib/ossec-testing/tests/firewalld.ini -57582094990d5c08c6b49a9ec7cdba4e usr/share/doc/ossec-hids/contrib/ossec-testing/tests/mailscanner.ini -7b72af39b93bd432b6325a26de704c67 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/modsecurity.ini -4a0d9b3d3e14d2d859f5291e3f0d8745 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/named.ini -b952817f8f1f1b411425b1ed7334d935 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/netscreen.ini -57882a2537cb2e1ff6b60192fa21c44f usr/share/doc/ossec-hids/contrib/ossec-testing/tests/nginx.ini -ea4e37c9b552b39405f4c191d6ac8b1e usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-dhcpd.ini -110b4d0b34add43417746f84b5356673 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-httpd.ini -64ab54d43f3668b5524b166ba3be95a9 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd.ini -2d158390855a6d8bf83bf94b803518bb usr/share/doc/ossec-hids/contrib/ossec-testing/tests/opensmtpd.ini -a48e0a51a53a086bbc704c8ea02fac7f usr/share/doc/ossec-hids/contrib/ossec-testing/tests/ossec.ini -66de64cc3ef095f642d81d1e0dc51760 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/pam.ini -fabac3657e4e61b0e3832997592b8d06 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/postfix.ini -a132c18ab8d03015d184451a7e0fba88 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/proftpd.ini -f236d15c29b7c5636dbbab8ed1771457 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/rsh.ini -3c02d3985542033902ea8aaabdcfbd14 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/samba.ini -a07a4270d2c2d5b280da30086a891e74 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sshd.ini.gz -c484c0fae0c7284cbb82c88e4dfae552 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/su.ini -c9cea2a751a71e25251517116fceb9da usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini -96622c0f22421c6df4f863883f630146 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/syslog.ini -debe45435dfc9a5b0433d0e9d5d7ff33 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sysmon.ini -1d200e5de5b9fac9d5bafdd99538ffaa usr/share/doc/ossec-hids/contrib/ossec-testing/tests/systemd.ini -5c44a8c308700f0a63062852d1dfd66c usr/share/doc/ossec-hids/contrib/ossec-testing/tests/unbound.ini -5ee9b388068b9abc92a5b37522823345 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/vsftpd.ini -d997e1a0ea182d20bfa2e721b6dd630e usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_appsec.ini.gz -b8283a5c091484d0e7d0d587b5c36429 usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_rules.ini.gz -4f8dc7665e5c3ee5a15c59e8bfc6afc3 usr/share/doc/ossec-hids/contrib/ossec2mysql.conf -42a9088b5515f119c997fa623a9202d5 usr/share/doc/ossec-hids/contrib/ossec2mysql.pl.gz -0192e0053819e3c9e96692d75b5d569a usr/share/doc/ossec-hids/contrib/ossec2mysql.sql -ef414309ea4d052ea794c202495e9971 usr/share/doc/ossec-hids/contrib/ossec2mysqld.pl.gz -e4776bc8677a9bc9e27954204c7be108 usr/share/doc/ossec-hids/contrib/ossec2rss.php -580e67249d3d35d56eacfeed2f49676f usr/share/doc/ossec-hids/contrib/ossec_report.txt -86b3a0b849835358239b14b0a80ac42b usr/share/doc/ossec-hids/contrib/ossec_report_contrib.pl.gz -51e3a35aaf203053ba0fbd8cfcd5262f usr/share/doc/ossec-hids/contrib/ossec_rules_list.py -13b9f9e62671298b36279f8e3c8f5414 usr/share/doc/ossec-hids/contrib/ossecmysql.pm -ed30e7c5961b1bd2665442740fc88cc4 usr/share/doc/ossec-hids/contrib/ossectop.pl.gz -4dd78bafa46fcc0c8b2715ce6f6bf980 usr/share/doc/ossec-hids/contrib/rename_agent.sh -e62b7020124e8511442d16a194ec4642 usr/share/doc/ossec-hids/contrib/renumber_agent.sh -1a708ce0d7829e0f791e22967febf337 usr/share/doc/ossec-hids/contrib/selinux/README.md -b18f16ade8fbe684aa0a40abcdc9cc38 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent.pp.bz2 -2f588a4bb6bcf254504c4b5230bb8e44 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.fc -fb18f2e6b70278427f6091cad15d2903 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.if -a86a8c2d38f2eb659d0215d376425ca6 usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.te -85987f6127d21a45b1cb56730412c6f6 usr/share/doc/ossec-hids/contrib/specs/agent/ossec-hids-agent.spec.gz -01a9dc72a899b7ce436090dae327d44f usr/share/doc/ossec-hids/contrib/specs/agent/preloaded-vars.conf -3a715d03ebcf88e49f7f6c57737d16ad usr/share/doc/ossec-hids/contrib/specs/getattr.pl -289d90f9ced4ecbe3d9c2191f510c019 usr/share/doc/ossec-hids/contrib/specs/local/ossec-hids-local.spec.gz -2f891a3e416d0437051a57e3352e92e9 usr/share/doc/ossec-hids/contrib/specs/local/preloaded-vars.conf -e566e49c21dbff66adfbbb221ade1fa8 usr/share/doc/ossec-hids/contrib/specs/remove_ossec -6487fe6ffc3044c1490855c8ad66d1d3 usr/share/doc/ossec-hids/contrib/specs/server/ossec-hids-server.spec.gz -91d6bfd71aae00ec8d417a648723d688 usr/share/doc/ossec-hids/contrib/specs/server/preloaded-vars.conf -36a763900d1684b18d62f522d89b16c9 usr/share/doc/ossec-hids/contrib/util.sh.gz -d1b76d88e4e86fa5764b6ff87e75afa9 usr/share/doc/ossec-hids/contrib/version_bump.sh -4394cf0ae4be9a18dc980477b4fe140e usr/share/doc/ossec-hids/contrib/zeromq_pubsub.py -8ff5151ebf27bcd88147711f7137d84a usr/share/doc/ossec-hids/copyright -f9dfb3b1d0437204140e01a38e61e67e usr/share/doc/ossec-hids/logs.txt -b97b59bcd7fd187ef8906e5a11bcd831 usr/share/doc/ossec-hids/manager.txt -7ff4fdf57fa4a0893acb2aa1456f99ad usr/share/doc/ossec-hids/nmap.txt -cd1d75de0812f18f2449ce96aa1e2cc9 usr/share/doc/ossec-hids/rootcheck.txt -81b7533099b1d0b3b16e4536396ab2c3 usr/share/doc/ossec-hids/rule_ids.txt -4c8e5978b4620d7689a5157676c7419f usr/share/doc/ossec-hids/rules.txt -167230023fd4073919f4b9b889d03537 usr/share/lintian/overrides/ossec-hids -0667f3e6e85767903d87259c094f8a96 var/ossec/active-response/bin/disable-account.sh -419ac74d4b27d162b342768d02d6d820 var/ossec/active-response/bin/firewall-drop.sh -10469eac45725c47d874bae736a3a66b var/ossec/active-response/bin/firewalld-drop.sh -91d7f73f73c28c874e122eb5436d132e var/ossec/active-response/bin/host-deny.sh -91819d33fc1831c33090e6f12634c446 var/ossec/active-response/bin/ip-customblock.sh -33ab5d196695ec8839f76ffaaa6f27be var/ossec/active-response/bin/ipfw.sh -5638fccb7b4dd00e319c4c447b69cdfa var/ossec/active-response/bin/ipfw_mac.sh -efb5285d9f55add13aea64b47b1eaf4d var/ossec/active-response/bin/npf.sh -538cc11a437c0328be434a9fceaaca72 var/ossec/active-response/bin/ossec-pagerduty.sh -a9fa1a7766ef5b2a409b395a2c56c70c var/ossec/active-response/bin/ossec-slack.sh -887f589645c1a8b101a0a69131319d41 var/ossec/active-response/bin/ossec-tweeter.sh -4174391d0f30e910c3fe08b8f2b926db var/ossec/active-response/bin/pf.sh -54265163fd59969371516ae7cf4024ee var/ossec/active-response/bin/restart-ossec.sh -8bcf0f30b891a992272720be3d19bc44 var/ossec/active-response/bin/route-null.sh -dec7c8080318beef0a9e844dd3e8afd7 var/ossec/agentless/main.exp -bb7a69b93edd848950a2903025b74f64 var/ossec/agentless/register_host.sh -f20efab66ce8e00f42fa48d9f17cca69 var/ossec/agentless/ssh.exp -4eca74f9067487150ee71967f0166e56 var/ossec/agentless/ssh_asa-fwsmconfig_diff -562d4553a856e50f99ad345e8c67f243 var/ossec/agentless/ssh_foundry_diff -719fac4c372282feed2fd5660711579c var/ossec/agentless/ssh_generic_diff -67d9753fc2a85e4aa29adecafff4883d var/ossec/agentless/ssh_integrity_check_bsd -74afff1cf200a53bfe97cee5cd7c5dcb var/ossec/agentless/ssh_integrity_check_linux -a655d0f2f1d37d3cd73cac697fadab8b var/ossec/agentless/ssh_nopass.exp -9950831653276a8f547a22ff3d34c3e9 var/ossec/agentless/ssh_pixconfig_diff -3921be40dcc0f788733b6ff425f34fc1 var/ossec/agentless/sshlogin.exp -bbc944400c8ff42548db56aa9526c26e var/ossec/agentless/su.exp -858c96ea523f106627b033152bc45160 var/ossec/bin/agent_control -0fa527f240cc1d16c26b63955fb4db59 var/ossec/bin/clear_stats -36de274c925176e3cc53d3774e962231 var/ossec/bin/list_agents -0b213358c43940d7f7ca8d5cf69d79c4 var/ossec/bin/manage_agents -9fd711315cfb08eb74103ad1155d69ef var/ossec/bin/ossec-agentd -614c35e1e006c7551856ac42fb6d2b98 var/ossec/bin/ossec-agentlessd -b3c45cb55eb11954cda9fceb052e1978 var/ossec/bin/ossec-analysisd -4511bcb7fbf06ff32b9311238b55b9f1 var/ossec/bin/ossec-authd -096f42b8e97277346c9fd06b9bab779e var/ossec/bin/ossec-client.sh -e37e405944dbdcb15bf0df4214a40a02 var/ossec/bin/ossec-csyslogd -961e17c1a00f382020ac77a796624f50 var/ossec/bin/ossec-dbd -d2b89d867a04c1af272ad5e01408302e var/ossec/bin/ossec-execd -60767dfe6f316821d3f55ae95c3e182c var/ossec/bin/ossec-local.sh -76ff1fcbfb08e3323580852251097586 var/ossec/bin/ossec-logcollector -59031d3829364329414e27dda58e53db var/ossec/bin/ossec-logtest -fb66fafd6c383d2a77499f0085d70fd6 var/ossec/bin/ossec-maild -fa78d72cf7530cce68a4daf5706d5468 var/ossec/bin/ossec-makelists -debbfe5fc8cb7bd0b37fa62e8940e2a3 var/ossec/bin/ossec-monitord -fb1c1262c8fa7a80454e3935ac2191e6 var/ossec/bin/ossec-regex -4d7747d88b85adfb93501c22eab86488 var/ossec/bin/ossec-regex-convert -d9107438d274884fbe49fda623c3e22c var/ossec/bin/ossec-remoted -23209f1ff0f3d099dd9e5a8768e7a26c var/ossec/bin/ossec-reportd -97cbc7d61d3221a3b2e4ca7a9957e26f var/ossec/bin/ossec-server.sh -91c528bf32ea3bc93c494d58c8e74589 var/ossec/bin/ossec-syscheckd -7e035f74f7e831096e791988c511c27b var/ossec/bin/rootcheck_control -f27238a80ba5b405ea32379df7652f73 var/ossec/bin/syscheck_control -34aaed0dec4f3a4cf8967eb46cbd9189 var/ossec/bin/syscheck_update -413f2fac20102a054ff6364ba1e1a442 var/ossec/bin/verify-agent-conf -15eb9e43bbe430143208d817ebf9bcfa var/ossec/etc/decoder.xml -c7276d8581d1b292ef4c435efe15792c var/ossec/etc/ossec-agent.conf -4480b406998c79f7620a707ae0fbc28a var/ossec/etc/ossec-local.conf -f7de27d80c3249b33f5d467c587c747b var/ossec/etc/ossec-server.conf -b7e95261db48d69b8e0a51d62eb4d80b var/ossec/etc/shared/acsc_office2016_rcl.txt -ef369cb627325b368ff115858b88b2d3 var/ossec/etc/shared/cis_apache2224_rcl.txt -966703e11b6c7f99849f833c26756b30 var/ossec/etc/shared/cis_debian_linux_rcl.txt -edda0c19b1b599ba0c05c8156a4180a3 var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt -74e421baff5866743077f1393a9920f0 var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt -5dac76cfcffd4a92cac52cd76e898625 var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt -5944dadb63dc5a85ad1883be5583cc8a var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt -1398ee965c76a016588243ca5e623c53 var/ossec/etc/shared/cis_rhel5_linux_rcl.txt -35f2c78645df44f97bd437ce62af51ac var/ossec/etc/shared/cis_rhel6_linux_rcl.txt -a803ee5e8225e03e07dde6678dbfe90d var/ossec/etc/shared/cis_rhel7_linux_rcl.txt -a9f685121627f1ffddbbad95f2f781c3 var/ossec/etc/shared/cis_rhel_linux_rcl.txt -0e69cca992d4712c6224dce082c65050 var/ossec/etc/shared/cis_sles11_linux_rcl.txt -0e0884a98f115381c3a80b9b0f512a45 var/ossec/etc/shared/cis_sles12_linux_rcl.txt -381c96094ba7dfb120305faee69c2cae var/ossec/etc/shared/cis_solaris11_rcl.txt -9a1c5ebfae7fdb099eb4b0e4f266c60b var/ossec/etc/shared/cis_win10_enterprise_L1_rcl.txt -d3c349f0c1506f540ea2d538ce9af96a var/ossec/etc/shared/cis_win10_enterprise_L2_rcl.txt -67df0f28863c45756458c39d271f4ec3 var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt -6b179293b008d27e21bb7484e23ee481 var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt -5dc14ff9f648cfa87c5865b8ac25a497 var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt -ab93937229e6e6e1172a428faedfe8ab var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt -3e00294108353fd5a11779ea49348745 var/ossec/etc/shared/cis_win2016_domainL1_rcl.txt -37b794d6e0361e52bbc09ee1ff68fd41 var/ossec/etc/shared/cis_win2016_domainL2_rcl.txt -9abca97a0ba2a6d8261642b7b9095593 var/ossec/etc/shared/cis_win2016_memberL1_rcl.txt -6443af3efe35dffe10b8c993a661fc16 var/ossec/etc/shared/cis_win2016_memberL2_rcl.txt -f2363ea4b7db5e4678e4e5970edeb3bf var/ossec/etc/shared/rootkit_files.txt -bf8f5e69576d2c24ac99d429b0457182 var/ossec/etc/shared/rootkit_trojans.txt -739b1094ed1fc5b9ed56c90767a4f13c var/ossec/etc/shared/system_audit_pw.txt -c5c836fe0934b93310e22965dd6008a4 var/ossec/etc/shared/system_audit_rcl.txt -072526aa22390da8d1ae90675daa89ab var/ossec/etc/shared/system_audit_ssh.txt -8cc6abc69459c3dc6ed57721799a85da var/ossec/etc/shared/win_applications_rcl.txt -456aead916261071d591e36d9d2ffe7c var/ossec/etc/shared/win_audit_rcl.txt -f946edf404eb1f0a7c4cd7379843d10d var/ossec/etc/shared/win_malware_rcl.txt -5beb343b0a745e27809ba05e18f02325 var/ossec/rules/apache_rules.xml -a89d6ede255a6153871bcea44b97c2ad var/ossec/rules/apparmor_rules.xml -453cf7fef0d15e0235e8810952a79641 var/ossec/rules/arpwatch_rules.xml -606ec5a3a06273f62d918b31c6f23db1 var/ossec/rules/asterisk_rules.xml -38976de60331ee0dc1282cc6c3c7d11a var/ossec/rules/attack_rules.xml -6b5e4a2c2db3bb11a5484542cdc19335 var/ossec/rules/cimserver_rules.xml -08a8fe27f0a473cc52332a5bbbaa5c48 var/ossec/rules/cisco-ios_rules.xml -08898a5bb515ce41f078b9f1a506efbf var/ossec/rules/clam_av_rules.xml -241a2216fd53ac49f4c5fbf3339c5a8c var/ossec/rules/courier_rules.xml -5195c41ee82b764c74bd609a28f04d6e var/ossec/rules/dnsmasq_rules.xml -e260c65b0f751713c8e429929e3336fc var/ossec/rules/dovecot_rules.xml -3972e18cb731845c73302fac4a0c2b61 var/ossec/rules/dropbear_rules.xml -e96bad66449712e467dd7f4bdc9b168c var/ossec/rules/exim_rules.xml -ec419a3314ee54458c675f46045945cc var/ossec/rules/firewall_rules.xml -0b7dbf62e17827bbad194ba0e207267e var/ossec/rules/firewalld_rules.xml -713c2fa70a1522db77bbbf1a5ad0a02f var/ossec/rules/ftpd_rules.xml -60786f05c15b410a10c02e26748552fc var/ossec/rules/hordeimp_rules.xml -c3f69db682835a9c6d340dcb84c71bac var/ossec/rules/ids_rules.xml -85fa200afdbc14dc8370b1fedb84cb1e var/ossec/rules/imapd_rules.xml -67cbbd76dbd60be15c44ff4ce32ea54f var/ossec/rules/kesl_rules.xml -97f77273c44125c3d3cdc5b9d59e4ffd var/ossec/rules/last_rootlogin_rules.xml -cc120a808a7056f0324841dda62f4b3e var/ossec/rules/linux_usbdetect_rules.xml -1b5d5422cb39fd4162105796117dea28 var/ossec/rules/log-entries/101 -dfa8b00422f0a1e9b3d23beb2f2d7de0 var/ossec/rules/log-entries/1101 -9f8c154eef305de60090b3735b3f0130 var/ossec/rules/log-entries/1301_1302_1303 -840b9d7bf203ef470646a39d8aca9157 var/ossec/rules/log-entries/1401 -131b09172a2d71a0001e0b13546292d7 var/ossec/rules/log-entries/1402 -72c684543aca976f6bb24f10c75753e6 var/ossec/rules/log-entries/1602 -843c0581e37ec7281bdf033c42c1a735 var/ossec/rules/log-entries/1603 -f104f91c9dd237fa3f2044ffa7b82f56 var/ossec/rules/log-entries/1607 -4c52e893fbdff1a517ae45a4827aabb6 var/ossec/rules/log-entries/1609 -80841a291739e028b74b43fbf0125106 var/ossec/rules/log-entries/1901 -5d9309013b89ea3a3a03bf2e9b8911cb var/ossec/rules/log-entries/1902 -a825252dc314231bfc4b66d346e09776 var/ossec/rules/log-entries/1903 -64fe673e7c8a6631a9bf12d93344cabd var/ossec/rules/log-entries/1905 -2c839ec3029c2b665caeb96f58c4ea88 var/ossec/rules/log-entries/201 -46693453e00064949bc744350598429f var/ossec/rules/log-entries/202 -f928e6b85fac0b83cc0975b8cc526015 var/ossec/rules/log-entries/204 -5658dc589f061472dfa66abfee25e4a1 var/ossec/rules/log-entries/2501 -ec28a3b731da5f3928acd0c96a6bdf71 var/ossec/rules/log-entries/2601 -11ef54ac0855e58c2ce6499613897f8f var/ossec/rules/log-entries/301 -fce48671b83304965c67d70666ec99d3 var/ossec/rules/log-entries/401 -990af66fbb2d0be60d3cecb66aa3d0a6 var/ossec/rules/log-entries/403 -e7b2f3fdff7a25379c66170a0263c6ba var/ossec/rules/log-entries/408 -cae367ba5c8ceb24d8b979576b31cfb0 var/ossec/rules/log-entries/409 -08c11c76a46d52f5d11f5fb510afa288 var/ossec/rules/log-entries/access-control -9af99ce364db350d654b4ac94dfb8623 var/ossec/rules/log-entries/apache-error.logs -f784ed5df7c3d92694e10d841ee7e269 var/ossec/rules/log-entries/cisco-ios-ids -cb8418c9c8f51b0a32fcb5b37ba1ed5e var/ossec/rules/log-entries/ciscoios -0a056a908813715c485d47b8503acb99 var/ossec/rules/log-entries/ftpd -f88ca67e43ec8dc545e06cc06fe5bc20 var/ossec/rules/log-entries/iis6 -e656870b1d5b842fb981f6ac498bc3bb var/ossec/rules/log-entries/imapd -0987510c57d89de58dd28f1c4ceb28b2 var/ossec/rules/log-entries/kernel -5e089cc0673e3afc18d678e165af2563 var/ossec/rules/log-entries/mail-alerts -ea41a85db66019fea625a5dae568c6fe var/ossec/rules/log-entries/mail-errors -41d886855f4bcbaea0080351ecc4b9f7 var/ossec/rules/log-entries/ns1 -13430ed34ed2166883ce2e3c14316848 var/ossec/rules/log-entries/proftpd -ba18cb7475d7deb95969d63455e478e6 var/ossec/rules/log-entries/smbd -e815c435abcc6d55f12048987e393cec var/ossec/rules/log-entries/spamd -b3a0c9f26aef9e3a7c4c731384a219f5 var/ossec/rules/log-entries/sshd -eb888813ad59cfbf608c61de066e424c var/ossec/rules/log-entries/symantecws -b1d2f27c745b5c6b4e97cbe6c57fced7 var/ossec/rules/log-entries/telnetd -7911bf548fa638ab6a65444430ed5542 var/ossec/rules/log-entries/unkown -90aa5b996c0590eed871b4bbfb2d26b1 var/ossec/rules/log-entries/vpn.log -d3f4dec83fdbd7820caff802d719b402 var/ossec/rules/log-entries/vpopmail -6527d50177a04985148e6d38705a1c23 var/ossec/rules/log-entries/worms -d0008b254bcdb6590914984cb595c822 var/ossec/rules/log-entries/xferlog -f4c33f878dddee2a7930a6bde6a0e6f8 var/ossec/rules/mailscanner_rules.xml -372c2345d862659866496e0c02b60d7c var/ossec/rules/mcafee_av_rules.xml -50fbc8d49ae3a468b49b1edf31064e70 var/ossec/rules/mhn_cowrie_rules.xml -dd1181e1a8f5c47da045e29159e0a5a4 var/ossec/rules/mhn_dionaea_rules.xml -3a7ed0f22cd277ef710809a82508a44d var/ossec/rules/ms-exchange_rules.xml -c833e578b1b65a7666924e5ac21bf7fb var/ossec/rules/ms-se_rules.xml -e9dcba8f1ab8edba3b0fdfa1b6d13872 var/ossec/rules/ms1016_usbdetect_rules.xml -4573b0c0a55e592b04935d1e4cbae468 var/ossec/rules/ms_dhcp_rules.xml -ae39b715c5ca2f34800effc60ff1843b var/ossec/rules/ms_firewall_rules.xml -143b815660a94c95af7f6053c77f4344 var/ossec/rules/ms_ftpd_rules.xml -df929e3b4ec60a56b86c809979bff0fe var/ossec/rules/ms_ipsec_rules.xml -eda74865e7efc41267fe1afad93c658e var/ossec/rules/ms_powershell_rules.xml -2dfcb3434e16ef1bd1ab17dae91f316b var/ossec/rules/msauth_rules.xml -11749a4a81df69d17d2a9f8f0068e54a var/ossec/rules/mysql_rules.xml -7a2e1f5d8076430a994f1e679c5f3feb var/ossec/rules/named_rules.xml -63da34e778e2f4d66139b939dd4c7484 var/ossec/rules/netscreenfw_rules.xml -28204ef8bad631254a755f33f4546ddb var/ossec/rules/nginx_rules.xml -97e21ddec67096b83b1325b5f6b60aea var/ossec/rules/nsd_rules.xml -50a7300c8c1ba9854fe79da28b4d4b98 var/ossec/rules/openbsd-dhcpd_rules.xml -43a4c289dc1b07f206b279d4e3a187ba var/ossec/rules/openbsd_rules.xml -b0d00dc7ecff9211064693218a3a95db var/ossec/rules/opensmtpd_rules.xml -39bcb6a994b23a044c0790d77a77b3e1 var/ossec/rules/ossec_rules.xml -7e39bf479a30ea9ff891866c5077a503 var/ossec/rules/owncloud_rules.xml -f54b9e7e6c0d0189620dd17f11a472b4 var/ossec/rules/pam_rules.xml -e77da584db6c13d934d098d2353ac80e var/ossec/rules/php_rules.xml -501da0094cc3d4ba62c65ed3b353549d var/ossec/rules/pix_rules.xml -f5e4afd5cd4cca4e9c4328467a0d3111 var/ossec/rules/policy_rules.xml -c8ca757b0bf3cb7649228c1947065aff var/ossec/rules/postfix_rules.xml -41df6baaaa55420cf4e197438474dd74 var/ossec/rules/postgresql_rules.xml -dc0b51f4d2ca9f015b007f2bf6fd40a8 var/ossec/rules/proftpd_rules.xml -902a2869fd182e1df364bb633312b27a var/ossec/rules/proxmox-ve_rules.xml -14bbf5613389bdfcb4ff361eb421a029 var/ossec/rules/psad_rules.xml -365c9ac9f7c384aa372cf360f99f4b66 var/ossec/rules/pure-ftpd_rules.xml -223c7d61ec6a954fc5738a8794e87a2d var/ossec/rules/racoon_rules.xml -cca2c4a80b3bec3d938b27f8d84f83f4 var/ossec/rules/roundcube_rules.xml -12479fdb28410e4227b63f5c4542ad86 var/ossec/rules/rules_config.xml -a8589d02ef5ac8909366e17576e04206 var/ossec/rules/sendmail_rules.xml -ba0f553a0315b988468431a518ecaea8 var/ossec/rules/smbd_rules.xml -c7d6a9819a0114fd3723da037ca72941 var/ossec/rules/solaris_bsm_rules.xml -91acc4c37a82a24917dd49a0234935d9 var/ossec/rules/sonicwall_rules.xml -266dfbc74658e58209e905c8d3aa265c var/ossec/rules/spamd_rules.xml -ca00f4c574a557007a67e665edbdb1b4 var/ossec/rules/squid_rules.xml -5654f8fb648baf0176e78126729d1731 var/ossec/rules/sshd_rules.xml -cec4c84ab0c472e23fac03c800976191 var/ossec/rules/symantec-av_rules.xml -4469b35f943baa308e6f24a6414e448a var/ossec/rules/symantec-ws_rules.xml -adefc2dcbc751cdd80cfb65a5d27f606 var/ossec/rules/syslog_rules.xml -2ec0a4435ba7507da7695d7d66e8e836 var/ossec/rules/sysmon_rules.xml -83938b706ce03aea17e247a8ec7ccbdf var/ossec/rules/systemd_rules.xml -70a2d32b8e8d58e6d268174084300d09 var/ossec/rules/telnetd_rules.xml -533f767e83344e274cab9511f4258a9a var/ossec/rules/topleveldomain_rules.xml -388e96bc1d1e809f8d803b1d89b5c4a4 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml -76cae7282056b7368f87dc35f51dd042 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml -7eef6cf722c3b3d9054e08ab360065ab var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml -878dd9f2ba85ea6412f37643bb9a9e1e var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml -8608a50c1b269e01288e44c35dc4ed1e var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml -cddc3675a94cba0429ef52a114ce2c2d var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml -d70b192f8e625ceb73a30f1a897c33db var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml -b4301ce8f2e89a1108b302c6e7bc5bbe var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml -7b24fe651dc07f5e61213cf3e85d81d4 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml -c173fbc5724f751887abdcedcb1a1f5f var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml -2ff1852c585c59cc2cb927afa2368f5c var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml -6e429d9a2635a1fc63b64a0e2357b8b7 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml -3189235616e06ede7a0e28638e91ae45 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml -e1d4cfcfc1afffe9291ff74531b93f43 var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml -4a4bd7aa57d4a3c50ee1221fdd18058e var/ossec/rules/trend-osce_rules.xml -556dfdd1f092dbf2443a0c899c31e2a7 var/ossec/rules/unbound_rules.xml -248a9698a23b03848be4641c1e6aebb0 var/ossec/rules/vmpop3d_rules.xml -c517617b906c22556d34136a4994a529 var/ossec/rules/vmware_rules.xml -fe8aa8e3dd3d60a9247b8faade030ea3 var/ossec/rules/vpn_concentrator_rules.xml -812d2a049e381d2816493904ee4cc61b var/ossec/rules/vpopmail_rules.xml -efb95fd6017a26023f522bfdd855195b var/ossec/rules/vsftpd_rules.xml -a4f2a7206c4ea2ddade684aae026fd2f var/ossec/rules/web_appsec_rules.xml -0a6c46cde0395a03387714fb7162ef32 var/ossec/rules/web_rules.xml -4d72b512251ac20bb9b55a41a1c5cae9 var/ossec/rules/wordpress_rules.xml -d4a4116cd4bb720352855b93fbd1905a var/ossec/rules/zeus_rules.xml diff --git a/debian/ossec-hids/DEBIAN/postinst b/debian/ossec-hids/DEBIAN/postinst deleted file mode 100755 index 3c66719..0000000 --- a/debian/ossec-hids/DEBIAN/postinst +++ /dev/null @@ -1,147 +0,0 @@ -#!/bin/sh - -set -e - -case "$1" in - configure) - # continue below - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - exit 0 - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 0 - ;; -esac - -# users and group names -OSSEC_USER="ossec" -OSSEC_USER_MAIL="ossecm" -OSSEC_USER_EXEC="ossece" -OSSEC_USER_REM="ossecr" -OSSEC_GROUP="ossec" - -# get installation directory -. /etc/ossec-init.conf -if [ "X${DIRECTORY}" = "X" ]; then - DIRECTORY="/var/ossec" -fi - -# create group -if ! getent group $OSSEC_GROUP >/dev/null; then - addgroup --system $OSSEC_GROUP -fi - -# create/modify users -if ! getent passwd $OSSEC_USER >/dev/null; then - adduser --quiet --system --no-create-home \ - --ingroup $OSSEC_GROUP \ - --home $DIRECTORY --shell /bin/false $OSSEC_USER -else - usermod -g $OSSEC_GROUP -s /bin/false \ - -d $DIRECTORY $OSSEC_USER >/dev/null 2>&1 -fi -if ! getent passwd $OSSEC_USER_MAIL >/dev/null; then - adduser --quiet --system --no-create-home \ - --ingroup $OSSEC_GROUP \ - --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL -else - usermod -g $OSSEC_GROUP -s /bin/false \ - -d $DIRECTORY $OSSEC_USER_MAIL >/dev/null 2>&1 -fi -if ! getent passwd $OSSEC_USER_EXEC >/dev/null; then - adduser --quiet --system --no-create-home \ - --ingroup $OSSEC_GROUP \ - --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC -else - usermod -g $OSSEC_GROUP -s /bin/false \ - -d $DIRECTORY $OSSEC_USER_EXEC >/dev/null 2>&1 -fi -if ! getent passwd $OSSEC_USER_REM >/dev/null; then - adduser --quiet --system --no-create-home \ - --ingroup $OSSEC_GROUP \ - --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM -else - usermod -g $OSSEC_GROUP -s /bin/false \ - -d $DIRECTORY $OSSEC_USER_REM >/dev/null 2>&1 -fi - -# fix ownership -chown -R root:$OSSEC_GROUP $DIRECTORY -chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/alerts -chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/ossec -chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/fts -chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/syscheck -chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/rootcheck -chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/agent-info -chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/rids -chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/stats -chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs -chown -R root:$OSSEC_GROUP $DIRECTORY/etc -touch $DIRECTORY/logs/ossec.log -chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs/ossec.log -chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh -chown -R root:$OSSEC_GROUP $DIRECTORY/rules -chown root:$OSSEC_GROUP $DIRECTORY/etc/decoder.xml -chown root:$OSSEC_GROUP $DIRECTORY/etc/internal_options.conf -chown root:$OSSEC_GROUP $DIRECTORY/etc/client.keys >/dev/null 2>&1 || true -chown root:$OSSEC_GROUP $DIRECTORY/agentless/* -chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh -chown -R root:$OSSEC_GROUP $DIRECTORY/etc/shared -chown root:$OSSEC_GROUP $DIRECTORY/var/run -chown root:$OSSEC_GROUP $DIRECTORY/active-response/bin/* -chown root:$OSSEC_GROUP $DIRECTORY/bin/* -chown root:$OSSEC_GROUP $DIRECTORY/etc/ossec.conf - -# fix perms -chmod -R 550 $DIRECTORY -chmod -R 770 $DIRECTORY/queue/alerts -chmod -R 770 $DIRECTORY/queue/ossec -chmod -R 750 $DIRECTORY/queue/fts -chmod -R 750 $DIRECTORY/queue/syscheck -chmod -R 750 $DIRECTORY/queue/rootcheck -chmod -R 750 $DIRECTORY/queue/diff -chmod -R 755 $DIRECTORY/queue/agent-info -chmod -R 755 $DIRECTORY/queue/rids -chmod -R 755 $DIRECTORY/queue/agentless -chmod -R 750 $DIRECTORY/stats -chmod -R 750 $DIRECTORY/logs -chmod -R 550 $DIRECTORY/rules -chmod 770 $DIRECTORY/var/run -chmod 550 $DIRECTORY/etc -chmod 440 $DIRECTORY/etc/internal_options.conf -chmod -R 770 $DIRECTORY/etc/shared -chmod 700 $DIRECTORY/.ssh -chmod 755 $DIRECTORY/active-response/bin/* -chmod 550 $DIRECTORY/bin/* -chmod 440 $DIRECTORY/etc/ossec.conf - -# fixups: no need for execute bits on files there -find $DIRECTORY/rules -type f -exec chmod ugo-x '{}' ';' -find $DIRECTORY/etc -type f -exec chmod ugo-x '{}' ';' - -# copy timezone and localtime -if [ -e /etc/timezone ]; then - cmp -s /etc/timezone $DIRECTORY/etc/timezone || \ - cp -a /etc/timezone $DIRECTORY/etc/timezone -fi -if [ -e /etc/localtime ]; then - cmp -s /etc/localtime $DIRECTORY/etc/localtime || \ - cp -a /etc/localtime $DIRECTORY/etc/localtime -fi - -# update system v init links -update-rc.d ossec-hids defaults >/dev/null - -# and start the service -service ossec-hids restart - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - - - -exit 0 diff --git a/debian/ossec-hids/DEBIAN/postrm b/debian/ossec-hids/DEBIAN/postrm deleted file mode 100755 index 9cf35a4..0000000 --- a/debian/ossec-hids/DEBIAN/postrm +++ /dev/null @@ -1,58 +0,0 @@ -#! /bin/sh - -set -e - -case "$1" in - purge) - # continue below - ;; - - remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - exit 0 - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# cleanup leftovers -rm -rf /var/ossec/etc /var/ossec/queue /var/ossec/stats - -# chown ossec mail directory back to root -chown -Rh root:root /var/ossec - -# users and group names -OSSEC_USER="ossec" -OSSEC_USER_MAIL="ossecm" -OSSEC_USER_EXEC="ossece" -OSSEC_USER_REM="ossecr" -OSSEC_GROUP="ossec" - -# delete users/groups -if getent passwd $OSSEC_USER >/dev/null; then - deluser $OSSEC_USER -fi -if getent passwd $OSSEC_USER_MAIL >/dev/null; then - deluser $OSSEC_USER_MAIL -fi -if getent passwd $OSSEC_USER_EXEC >/dev/null; then - deluser $OSSEC_USER_EXEC -fi -if getent passwd $OSSEC_USER_REM >/dev/null; then - deluser $OSSEC_USER_REM -fi -if getent group $OSSEC_GROUP >/dev/null; then - delgroup --quiet $OSSEC_GROUP -fi - -# update system v init links -update-rc.d -f ossec-hids remove - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - - - -exit 0 diff --git a/debian/ossec-hids/DEBIAN/prerm b/debian/ossec-hids/DEBIAN/prerm deleted file mode 100755 index b170947..0000000 --- a/debian/ossec-hids/DEBIAN/prerm +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -set -e - -case "$1" in - purge|remove) - # continue below - ;; - - *) - exit 0 - ;; -esac - -# stop the service -service ossec-hids stop - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - - - -exit 0 diff --git a/debian/ossec-hids/etc/init.d/ossec-hids b/debian/ossec-hids/etc/init.d/ossec-hids deleted file mode 100755 index 24783e0..0000000 --- a/debian/ossec-hids/etc/init.d/ossec-hids +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: ossec-hids -# Required-Start: $local_fs $remote_fs $syslog -# Required-Stop: $local_fs $remote_fs $syslog -# Should-Start: $network -# Should-Stop: $network -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: OSSEC HIDS init script -# Description: Init script for OSSEC HIDS services -### END INIT INFO - -# OSSEC Controls OSSEC HIDS -# Author: Daniel B. Cid -# Modified for slackware by Jack S. Lai -# Modified for Debian package by Dinko Korunic -# Modified for CARNet by Ivan Rako - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -. /lib/lsb/init-functions -. /etc/ossec-init.conf -if [ "X${DIRECTORY}" = "X" ]; then - DIRECTORY="/var/ossec" -fi - -start() { - ${DIRECTORY}/bin/ossec-control start -} - -stop() { - ${DIRECTORY}/bin/ossec-control stop -} - -status() { - ${DIRECTORY}/bin/ossec-control status -} - - -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart) - stop - start - ;; - force-reload) - stop - start - ;; - status) - status - ;; - *) - echo "*** Usage: $0 {start|stop|restart|status}" - exit 1 -esac - -exit 0 diff --git a/debian/ossec-hids/etc/ossec-init.conf b/debian/ossec-hids/etc/ossec-init.conf deleted file mode 100644 index b8cc11f..0000000 --- a/debian/ossec-hids/etc/ossec-init.conf +++ /dev/null @@ -1,4 +0,0 @@ -DIRECTORY="/var/ossec" -VERSION="v3.3.0" -DATE="Mon Jun 17 14:58:09 UTC 2019" -TYPE="local" diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/BUGS b/debian/ossec-hids/usr/share/doc/ossec-hids/BUGS deleted file mode 100644 index d504153..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/BUGS +++ /dev/null @@ -1,24 +0,0 @@ -OSSEC v3.3.0 -Copyright (C) 2019 Trend Micro Inc. - - -** Reporting bugs ** - -Please, make sure to include the following information: - --OSSEC version number. --Content of /etc/ossec-init.conf --Content of /var/ossec/etc/ossec.conf --Content of /var/ossec/logs/ossec.log --Operating system name/version (uname -a if Unix) --Any other relevant information. - - - -Github (Public Issue Reporting): -https://github.com/ossec/ossec-hids/issues - -Email (Private Issue Reporting): -If you prefer to contact us privately or if it is a security -issue, send an e-mail to OSSEC Project ( ossec@ossec-hids.org ). - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/CONFIG b/debian/ossec-hids/usr/share/doc/ossec-hids/CONFIG deleted file mode 100644 index fac52b8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/CONFIG +++ /dev/null @@ -1,19 +0,0 @@ -OSSEC v3.3.0 -Copyright (C) 2019 Trend Micro Inc. - - -= Information about OSSEC = - -Visit http://ossec.github.io - - -= Recommended Installation = - -See INSTALL - - -== Configuring OSSEC == - -Just follow the steps from the install.sh script. -More information at -https://ossec.github.io/docs/manual/index.html diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/CONTRIBUTORS.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/CONTRIBUTORS.gz deleted file mode 100644 index 41357c0..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/CONTRIBUTORS.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/README.config b/debian/ossec-hids/usr/share/doc/ossec-hids/README.config deleted file mode 100644 index c460150..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/README.config +++ /dev/null @@ -1,3 +0,0 @@ -Configuration options: - -http://www.ossec.net/en/manual.html diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/README.md b/debian/ossec-hids/usr/share/doc/ossec-hids/README.md deleted file mode 100644 index ed377bb..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/README.md +++ /dev/null @@ -1,41 +0,0 @@ -OSSEC v3.3.0 Copyright (C) 2019 Trend Micro Inc. - -# Information about OSSEC - -OSSEC is a full platform to monitor and control your systems. It mixes together -all the aspects of HIDS (host-based intrusion detection), log monitoring and -SIM/SIEM together in a simple, powerful and open source solution. - -Visit our website for the latest information. [ossec.github.io](http://ossec.github.io) - - - -## Current Releases - -The current stable releases are available on the ossec website. - -* Releases can be downloaded from: [Downloads](http://ossec.github.io/downloads.html) -* Release documentation is available at: [docs](http://ossec.github.io/docs/) - -## Development ## - -The development version is hosted on GitHub and just a simple git clone away. - -[![Build Status](https://travis-ci.org/ossec/ossec-hids.svg?branch=master)](https://travis-ci.org/ossec/ossec-hids) -[![Coverity Scan Build Status](https://scan.coverity.com/projects/1847/badge.svg)](https://scan.coverity.com/projects/1847) - - -## Credits and Thanks ## - -* OSSEC comes with a modified version of zlib and a small part - of openssl (sha1 and blowfish libraries) -* This product includes software developed by the OpenSSL Project - for use in the OpenSSL Toolkit (http://www.openssl.org/) -* This product includes cryptographic software written by Eric - Young (eay@cryptsoft.com) -* This product include software developed by the zlib project - (Jean-loup Gailly and Mark Adler) -* This product include software developed by the cJSON project - (Dave Gamble) - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/active-response-internal.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/active-response-internal.txt deleted file mode 100644 index bcb71c6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/active-response-internal.txt +++ /dev/null @@ -1,29 +0,0 @@ -OSSEC HIDS 0.6 -Copyright (c) 2004-2006 Daniel B. Cid - - - -How the active response works internally: - -- Read active-response.txt for details on configuration - - -1 - The analysis server receives an event that matches the - active response policy. - -2 - The analysis server verifies that all required fields - are provided with the event. It means that the analysis - server was able to decode the event and extract the - necessary information. One example is if it was able - to extract the IP address from the event to send to - the firewall to be blocked. - -3 - If the active response policy specify that the action - must be executed locally on the AS, a message is sent - to the execd directly. - -4 - If the active response policy specify that the action - must be executed remotely, a message is sent to the - "Active response forwarder" (remoted) to forward the - event to the specified agent. - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/active-response.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/active-response.txt deleted file mode 100644 index 154d928..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/active-response.txt +++ /dev/null @@ -1,6 +0,0 @@ -OSSEC HIDS v0.7 -Copyright (c) 2004-2006 Daniel B. Cid - - - -http://www.ossec.net/en/manual.html#active-response diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/changelog.Debian.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/changelog.Debian.gz deleted file mode 100644 index a8fb115..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/changelog.Debian.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/changelog.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/changelog.gz deleted file mode 100644 index 85cb11a..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/changelog.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/active-list.pl b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/active-list.pl deleted file mode 100644 index 01f2c65..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/active-list.pl +++ /dev/null @@ -1,103 +0,0 @@ -#!/usr/bin/perl -# -# OSSEC active-response script to store a suspicious IP address in a MySQL table. -# -# Available actions are: -# 'add' - Create a new record in the MySQL DB -# 'delete' - Remove a existing record -# -# History -# ------- -# 2010/10/24 xavir@rootshell.be Created -# - -use strict; -use warnings; -use DBI; -use Regexp::IPv6 qw($IPv6_re); - -# ----------------------- -# DB access configuration -# ----------------------- -my $db_name = 'ossec_active_lists'; -my $db_user = 'suspicious'; -my $db_pass = 'xxxxxxxxxx'; - -my ($second, $minute, $hour, $dayOfMonth, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightSavings) = localtime(); -my $theTime = sprintf("%d-%02d-%02d %02d:%02d:%02d", - $yearOffset+1900, $month+1, $dayOfMonth, $hour, $minute, $second); - -my $nArgs = $#ARGV + 1; -if ($nArgs != 5) { - print STDERR "Usage: active-list.pl \n"; - exit 1; -} - -my $action = $ARGV[0]; -my $ipAddr = $ARGV[2]; -my $alertId = $ARGV[3]; -my $ruleId = $ARGV[4]; - -if ($action ne "add" && $action ne "delete") { - WriteLog("Invalid action: $action\n"); - exit 1; -} - -if ($ipAddr =~ m/^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)/) { - if ($1 > 255 || $2 > 255 || $3 > 255 || $4 > 255) { - WriteLog("Invalid IP address: $ipAddr\n"); - exit 1; - } -} -else if ($ipAddr =~ m/^$IPv6_re/) { -} -else { - WriteLog("Invalid IP address: $ipAddr\n"); -} - -WriteLog("active-list.pl $action $ipAddr $alertId $ruleId\n"); - -my $dbh = DBI->connect('DBI:mysql:' . $db_name, $db_user, $db_pass) || \ - die "Could not connect to database: $DBI::errstr"; - -if ( $action eq "add" ) { - my $sth = $dbh->prepare('SELECT ip FROM ip_addresses WHERE ip = "' . $ipAddr . '"'); - $sth->execute(); - my $result = $sth->fetchrow_hashref(); - if (!$result->{ip}) { - $sth = $dbh->prepare('INSERT INTO ip_addresses VALUES ("' . $ipAddr . '","'. $theTime . '",' . $alertId . ',' . $ruleId . ',"Added by suspicious-ip Perl Script")'); - if (!$sth->execute) { - WriteLog("Cannot insert new IP address: $DBI::errstr\n"); - } - } - else { - $sth = $dbh->prepare('UPDATE ip_addresses SET timestamp = "' . $theTime . '", alertid = ' . $alertId . ', ruleid = ' . $ruleId . ' WHERE ip = "' . $ipAddr . '"'); - if (!$sth->execute) { - WriteLog("Cannot update IP address: $DBI::errstr\n"); - } - } -} -else { - my $sth = $dbh->prepare('DELETE FROM ip_addresses WHERE ip = "' . $ipAddr . '"'); - if (!$sth->execute) { - WriteLog("Cannot remove IP address: $DBI::errstr\n"); - } -} - -$dbh->disconnect; -exit 0; - -sub WriteLog -{ - if ( $_[0] eq "" ) { return; } - - my $pwd = `pwd`; - chomp($pwd); - my $date = `date`; - chomp($date); - - open(LOGH, ">>" . $pwd . "/../active-responses.log") || die "Cannot open log file."; - print LOGH $date . " " . $_[0]; - close(LOGH); - return; -} diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/add_localfile.sh b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/add_localfile.sh deleted file mode 100644 index a35958c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/add_localfile.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/sh -# Add a localfile to ossec. -# by Daniel B. Cid - dcid ( at ) ossec.net - -FILE=$1 -FORMAT=$2 - -if [ "X$FILE" = "X" ]; then - echo "$0: []" - exit 1; -fi - -if [ "X$FORMAT" = "X" ]; then - FORMAT="syslog" -fi - -# Checking if file is already configured -grep "$FILE" /var/ossec/etc/ossec.conf > /dev/null 2>&1 -if [ $? = 0 ]; then - echo "$0: File $FILE already configured at ossec." - exit 1; -fi - -# Checking if file exist -ls -la $FILE > /dev/null 2>&1 -if [ ! $? = 0 ]; then - echo "$0: File $FILE does not exist." - exit 1; -fi - -echo " - - - $FORMAT - $FILE - - -" >> /var/ossec/etc/ossec.conf - -echo "$0: File $FILE added."; -exit 0; diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/compile_alerts.pl b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/compile_alerts.pl deleted file mode 100644 index bcf8763..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/compile_alerts.pl +++ /dev/null @@ -1,83 +0,0 @@ -#!/usr/bin/perl -w -use strict; -# Contrib by Meir Michanie -# meirm at riunx.com -# Licensed under GPL -my $VERSION='0.1'; -my $ossec_path='/var/ossec'; -my $rules_config="$ossec_path/etc/rules_config.xml"; -my $usersignatures_path="$ossec_path/user_signatures"; -my $signatures_path="$ossec_path/signatures"; -while ( @ARGV) { - $_=shift @ARGV; - if (m/^-u$|^--user-signatures$/) { - $usersignatures_path= shift @ARGV; - &help() unless -d $usersignatures_path; - }elsif (m/^-s$|^--signatures$/){ - $signatures_path= shift @ARGV; - &help() unless -d $signatures_path; - }elsif (m/^-c$|^--rules_config$/){ - $rules_config= shift @ARGV; - &help() unless -f $rules_config; - }elsif (m/^-h$|^--help$/){ - &help; - } -} -print STDERR "Adding $rules_config\n"; -my @rules_files=($rules_config); -opendir (USERDEFINED , "$usersignatures_path") || die ("Could not open dir $usersignatures_path\n"); -my @temparray=(); -while ($_ = readdir(USERDEFINED)){ - chomp; - next unless -f "$usersignatures_path/$_"; - print STDERR "Adding $usersignatures_path/$_\n"; - push @temparray, "$usersignatures_path/$_"; -} -close (USERDEFINED); -push @rules_files , sort (@temparray); - -@temparray=(); -opendir(RULES,"$signatures_path") || die ("Could not open dir $signatures_path\n"); -while ($_ = readdir(RULES)){ - chomp; - next unless -f "$signatures_path/$_"; - print STDERR "Adding $signatures_path/$_\n"; - push @temparray, "$signatures_path/$_"; -} -close (RULES); -push @rules_files , sort (@temparray); -map { print STDERR "processing: $_\n";} @rules_files; -foreach (@rules_files){ - open (RFILE, "$_") ||die ("Could not open file $_"); - my @content=; - close (RFILE); - print join ('',@content); -} - -sub help(){ - print STDERR "$0\nRules compilation tool for OSSEC \n"; - print "This tool facilitates the building of monolitic rules file to be included in ossec.xml.\n" - . "You only need one rules include entry in ossec.xml\n" - . "\n" - . "\tossec_rules.xml" - ."" - - . "$0 will print to STDOUT the result of the mixing.\n" - . "If no parameter are passed then the application will use the default locations.\n" - . "Default values:\n" - . "--user-signatures -> $usersignatures_path\n" - . "--signatures -> $signatures_path\n" - . "--rules-config -> $rules_config\n" - . "Compiling rules allows us to generate multiple configurations and even facilitate the upgrade of them.\n" - . "By instance, you can make a directory with symbolic links to rules you want to use without altering the standard repository.\n" - . "There are more examples of situation where you can use a subset of the rules repository\n" - . "I invite someone to reword this explanation.\n"; - - print STDERR "\n\nUsage:\n"; - print STDERR "$0 [-u|--user-signatures] [-s|--signatures] \n" - ."\n\nBUGS:\n" - . "I just wanted to deliver version one.\n" - . "I will change the script to read the directory sorted, so you can link signatures with names that would emulate the behavior of the sysV system.\n"; - - exit; -} diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/compile_alerts.txt.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/compile_alerts.txt.gz deleted file mode 100644 index e7ae949..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/compile_alerts.txt.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/config2xml.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/config2xml.gz deleted file mode 100644 index 0711cdd..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/config2xml.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/Readme.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/Readme.txt deleted file mode 100644 index d965be6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/Readme.txt +++ /dev/null @@ -1,28 +0,0 @@ -ossec-debian -============ - -OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. - -These are the files used to create OSSEC-HIDS version 2.8 debian packages, the ones included both in ossec.net website and in WAZUH repository. You can find these packages at: - -http://www.ossec.net/?page_id=19 - -or directly at: http://ossec.wazuh.com/repos/apt/ - -There are two different packages that can be built with these files: - -* ossec-hids: Package that includes both the server and the agent. -* ossec-hids-agent: Package that includes just the agent. - -Each one of the subdirectories includes: - -* Patches -* Debian control files: changelog, compat, control, copyright, lintian-overrides, postinst, postrm, preinst, rules - -Additionally a script, ```generate_ossec.sh```, is included to generate the Debian packages for Jessie, Sid and Wheezy Debian distributions, both for i386 and amd64 architectures. This script uses Pbuilder to build the packages, and uploads those to an APT repository, setup with Reprepro. - -For more details on how to create Debian Packages and an APT repository you can check my post at: - -http://santi-bassett.blogspot.com/2014/07/setting-up-apt-repository-with-reprepro.html - -Please don't hesitate to contribute (preferably via pull requests) to improve these packages. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/generate_ossec.sh.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/generate_ossec.sh.gz deleted file mode 100644 index fd6dada..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/generate_ossec.sh.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/changelog.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/changelog.gz deleted file mode 100644 index 31f4846..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/changelog.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/compat b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/compat deleted file mode 100644 index 7f8f011..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/compat +++ /dev/null @@ -1 +0,0 @@ -7 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/conffiles b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/conffiles deleted file mode 100644 index 8bda695..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/conffiles +++ /dev/null @@ -1 +0,0 @@ -/var/ossec/etc/ossec.conf diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/control b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/control deleted file mode 100644 index 7dd930d..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/control +++ /dev/null @@ -1,15 +0,0 @@ -Source: ossec-hids-agent -Section: admin -Priority: extra -Maintainer: Santiago Bassett -Build-Depends: debhelper (>= 7.0.50~), libssl-dev, linux-libc-dev -Standards-Version: 3.8.4 -Homepage: http://www.ossec.net - -Package: ossec-hids-agent -Architecture: any -Depends: ${shlibs:Depends}, libc6 (>= 2.7), libssl1.0.0, expect, debconf -Conflicts: ossec-hids -Description: OSSEC Agent - Host Based Intrusion Detection System - OSSEC HIDS for log analysis, integrity checking, rootkits detection and - active response. This package includes the server and the agent. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/copyright b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/copyright deleted file mode 100644 index df7fd9a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/copyright +++ /dev/null @@ -1,34 +0,0 @@ -This work was packaged for Debian by: - - Santiago Bassett on Fri, 29 Nov 2013 03:11:44 +0000 - -It was downloaded from: - - http://www.ossec.net - -Upstream Authors: - - dcid@dcid.me - Jia-BingJB_Cheng@trendmicro.com - vichargrave@gmail.com - ossec@michaelstarks.com - ddpbsd@gmail.com - scott@atomicorp.com - brad.lhotsky@gmail.com - jeremy@jeremyrossi.com - santiago.bassett@gmail.com - -Copyright: - - GNU General Public License version 2. - -License: - - GNU General Public License version 2. - -The Debian packaging is: - - Copyright (C) 2014 Santiago Bassett - -and is licensed under the GPL version 2, -see "/usr/share/common-licenses/GPL-2". diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/ossec-hids-agent.lintian-overrides b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/ossec-hids-agent.lintian-overrides deleted file mode 100644 index b8633f0..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/ossec-hids-agent.lintian-overrides +++ /dev/null @@ -1,9 +0,0 @@ -ossec-hids-agent: embedded-library -ossec-hids-agent: embedded-zlib -ossec-hids-agent: possible-gpl-code-linked-with-openssl -ossec-hids-agent: new-package-should-close-itp-bug -ossec-hids-agent: possibly-insecure-handling-of-tmp-files-in-maintainer-script -ossec-hids-agent: non-standard-dir-in-var -ossec-hids-agent: file-in-unusual-dir -ossec-hids-agent: hardening-no-fortify-functions -ossec-hids-agent: hardening-no-relro diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/01_makefile.patch b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/01_makefile.patch deleted file mode 100644 index f1159bc..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/01_makefile.patch +++ /dev/null @@ -1,59 +0,0 @@ -Index: ossec-hids-agent-2.8.2/Makefile -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ ossec-hids-agent-2.8.2/Makefile 2015-06-15 03:15:51.083134760 +0000 -@@ -0,0 +1,54 @@ -+# -+# Santiago Bassett -+# 06/15/2015 -+# -+ -+DESTDIR=/ -+DIR=$(DESTDIR)/var/ossec/ -+OSSEC_INIT=$(DIR)/etc/ossec-init.conf -+CEXTRA="-DCLIENT" -+all: -+ echo "CEXTRA=$(CEXTRA)" >> src/Config.OS -+ (cd src; make all) -+ -+clean: -+ rm bin/* || /bin/true -+ chmod 750 $(DIR) || /bin/true -+ chmod 750 $(DIR)/* || /bin/true -+ (cd src; make clean) -+ rm -f src/Config.OS -+ rm -f src/analysisd/compiled_rules/compiled_rules.h -+ rm -f src/isbigendian.c -+ rm -f src/analysisd/ossec-makelists -+ rm -f src/analysisd/ossec-logtest -+ rm -f src/isbigendian -+ -+install: -+ mkdir -p $(DIR) -+ (cd $(DIR); mkdir -p logs bin queue queue/ossec queue/alerts queue/syscheck queue/diff queue/rids) -+ (cd $(DIR); mkdir -p var var/run etc etc/init.d etc/shared active-response active-response/bin agentless .ssh) -+ cp -pr src/rootcheck/db/*.txt $(DIR)/etc/shared/ -+ chmod -x $(DIR)/etc/shared/*.txt -+ cp -pr etc/internal_options.conf $(DIR)/etc/ -+ chmod -x $(DIR)/etc/internal_options.conf -+ cp -pr etc/local_internal_options.conf $(DIR)/etc/ > /dev/null 2>&1 || /bin/true -+ cp -pr etc/client.keys $(DIR)/etc/ > /dev/null 2>&1 ||/bin/true -+ cp -pr src/agentlessd/scripts/* $(DIR)/agentless/ -+ cp -pr src/client-agent/ossec-agentd ${DIR}/bin/ -+ cp -pr src/os_auth/agent-auth ${DIR}/bin/ -+ cp -pr src/logcollector/ossec-logcollector ${DIR}/bin/ -+ cp -pr src/syscheckd/ossec-syscheckd ${DIR}/bin/ -+ cp -pr src/os_execd/ossec-execd ${DIR}/bin/ -+ cp -pr src/init/ossec-client.sh ${DIR}/bin/ossec-control -+ cp -pr src/addagent/manage_agents ${DIR}/bin/ -+ cp -pr contrib/util.sh ${DIR}/bin/ -+ sh src/init/fw-check.sh execute > /dev/null -+ cp -pr active-response/*.sh ${DIR}/active-response/bin/ -+ cp -pr active-response/firewalls/*.sh ${DIR}/active-response/bin/ -+ cp -pr etc/ossec-agent.conf $(DIR)/etc/ossec.conf -+ chmod -x $(DIR)/etc/ossec.conf -+ cp -p src/init/ossec-hids-debian.init $(DIR)/etc/init.d/ossec -+ echo "DIRECTORY=\"/var/ossec\"" > $(OSSEC_INIT) -+ echo "VERSION=\"v2.8.2\"" >> $(OSSEC_INIT) -+ echo "DATE=\"`date`\"" >> $(OSSEC_INIT) -+ echo "TYPE=\"agent\"" >> $(OSSEC_INIT) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/02_ossec-agent.conf.patch b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/02_ossec-agent.conf.patch deleted file mode 100644 index ddcbe1b..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/02_ossec-agent.conf.patch +++ /dev/null @@ -1,58 +0,0 @@ -Index: ossec-hids-2.8.2/etc/ossec-agent.conf -=================================================================== ---- ossec-hids-2.8.2.orig/etc/ossec-agent.conf 2015-06-10 15:38:32.000000000 +0000 -+++ ossec-hids-2.8.2/etc/ossec-agent.conf 2015-07-12 18:54:10.859134760 +0000 -@@ -25,40 +25,46 @@ - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt -+ /var/ossec/etc/shared/system_audit_rcl.txt - - - - syslog -- /var/log/messages -+ /var/log/syslog - - - - syslog -- /var/log/authlog -+ /var/log/auth.log - - - - syslog -- /var/log/secure -+ /var/log/dpkg.log - - - - syslog -- /var/log/xferlog -+ /var/log/kern.log - - -+ -+ - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/series b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/series deleted file mode 100644 index f65a253..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/patches/series +++ /dev/null @@ -1,2 +0,0 @@ -02_ossec-agent.conf.patch -01_makefile.patch diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postinst b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postinst deleted file mode 100644 index 701a9cc..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postinst +++ /dev/null @@ -1,153 +0,0 @@ -#!/bin/sh -# postinst script for ossec-hids -# Santiago Bassett -# 03/25/2014 - -set -e - -case "$1" in - configure) - - DIR="/var/ossec/" - USER="ossec" - GROUP="ossec" - OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids" - - OSMYSHELL="/sbin/nologin" - if [ ! -f ${OSMYSHELL} ]; then - if [ -f "/bin/false" ]; then - OSMYSHELL="/bin/false" - fi - fi - - if ! getent group | grep -q "^ossec" - then - addgroup --system ossec - fi - if ! getent passwd | grep -q "^ossec" - then - adduser --system --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER} > /dev/null 2>&1 - fi - - # Default for all directories - chmod -R 550 ${DIR} - chown -R root:${GROUP} ${DIR} - - # To the ossec queue (default for agentd to read) - chown -R ${USER}:${GROUP} ${DIR}/queue/ossec - chmod -R 770 ${DIR}/queue/ossec - - # For the logging user - chown -R ${USER}:${GROUP} ${DIR}/logs - chmod -R 750 ${DIR}/logs - chmod -R 775 ${DIR}/queue/rids - touch ${DIR}/logs/ossec.log - chown ${USER}:${GROUP} ${DIR}/logs/ossec.log - chmod 664 ${DIR}/logs/ossec.log - - chown -R ${USER}:${GROUP} ${DIR}/queue/diff - chmod -R 750 ${DIR}/queue/diff - chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true - - # For the etc dir - chmod 550 ${DIR}/etc - chown -R root:${GROUP} ${DIR}/etc - if [ -f /etc/localtime ]; then - cp -pL /etc/localtime ${DIR}/etc/; - chmod 555 ${DIR}/etc/localtime - chown root:${GROUP} ${DIR}/etc/localtime - fi - - if [ -f /etc/TIMEZONE ]; then - cp -p /etc/TIMEZONE ${DIR}/etc/; - chmod 555 ${DIR}/etc/TIMEZONE - fi - - # More files - chown root:${GROUP} ${DIR}/etc/internal_options.conf - chown root:${GROUP} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true - chown root:${GROUP} ${DIR}/etc/client.keys >/dev/null 2>&1 || true - chown root:${GROUP} ${DIR}/agentless/* - chown ${USER}:${GROUP} ${DIR}/.ssh - chown root:${GROUP} ${DIR}/etc/shared/* - - chmod 550 ${DIR}/etc - chmod 440 ${DIR}/etc/internal_options.conf - chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true - chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true - chmod 550 ${DIR}/agentless/* - chmod 700 ${DIR}/.ssh - chmod 770 ${DIR}/etc/shared - chmod 660 ${DIR}/etc/shared/* - - # For the /var/run - chmod 770 ${DIR}/var/run - chown root:${GROUP} ${DIR}/var/run - - # For util.sh - chown root:${GROUP} ${DIR}/bin/util.sh - chmod +x ${DIR}/bin/util.sh - - # For binaries and active response - chmod 755 ${DIR}/active-response/bin/* - chown root:${GROUP} ${DIR}/active-response/bin/* - chown root:${GROUP} ${DIR}/bin/* - chmod 550 ${DIR}/bin/* - - # For ossec.conf - chown root:${GROUP} ${DIR}/etc/ossec.conf - chmod 660 ${DIR}/etc/ossec.conf - - # Debconf - . /usr/share/debconf/confmodule - db_input high ossec-hids-agent/server-ip || true - db_go - - db_get ossec-hids-agent/server-ip - SERVER_IP=$RET - - sed -i "s/[^<]\+<\/server-ip>/${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf - db_stop - - # ossec-init.conf - if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then - if [ -e /etc/ossec-init.conf ]; then - rm -f /etc/ossec-init.conf - fi - ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf - fi - - # init.d/ossec file - if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then - if [ -e /etc/init.d/ossec ]; then - rm -f /etc/init.d/ossec - fi - ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec - fi - - # Service - if [ -x /etc/init.d/ossec ]; then - update-rc.d -f ossec defaults - fi - - # Delete tmp directory - if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then - rm -r ${OSSEC_HIDS_TMP_DIR} - fi - - ;; - - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - - *) - echo "postinst called with unknown argument \`$1'" >22 - exit 1 - ;; - -esac - -exit 0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postrm b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postrm deleted file mode 100644 index 95bb969..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/postrm +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/sh -# postrm script for ossec-hids -# Santiago Bassett -# 03/25/2014 - - -set -e - -case "$1" in - purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - if getent passwd | grep -q "^ossec" - then - deluser ossec - fi - if getent group | grep -q "^ossec" - then - delgroup ossec - fi - rm -f /etc/init.d/ossec - rm -f /etc/ossec-init.conf - update-rc.d -f ossec remove - - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - - ;; - -esac - -exit 0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/preinst b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/preinst deleted file mode 100644 index d355f28..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/preinst +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/sh -# preinst script for ossec-hids -# Santiago Bassett -# 03/25/2014 - -set -e - -# configuration variables -OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids" - -# environment configuration -if [ ! -d ${OSSEC_HIDS_TMP_DIR} ]; then - mkdir ${OSSEC_HIDS_TMP_DIR} -fi - -case "$1" in - install|upgrade) - # back up the current user rules - if [ -f /var/ossec/rules/local_rules.xml ]; then - cp /var/ossec/rules/local_rules.xml ${OSSEC_HIDS_TMP_DIR}/local_rules.xml - fi - ;; - - abort-upgrade) - - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - - ;; - -esac - -exit 0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/rules b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/rules deleted file mode 100644 index 7e26af8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/rules +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/make -f -# -*- makefile -*- -# Sample debian/rules that uses debhelper. -# -# This file was originally written by Joey Hess and Craig Small. -# As a special exception, when this file is copied by dh-make into a -# dh-make output file, you may use that output file without restriction. -# This special exception was added by Craig Small in version 0.37 of dh-make. -# -# Modified to make a template file for a multi-binary package with separated -# build-arch and build-indep targets by Bill Allombert 2001 - -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 - -# This has to be exported to make some magic below work. -export DH_OPTIONS - - -%: - dh $@ - -override_dh_auto_configure: - -override_dh_auto_build: - $(MAKE) all - -override_dh_auto_clean: - $(MAKE) clean diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/source/format b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/source/format deleted file mode 100644 index 163aaf8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/source/format +++ /dev/null @@ -1 +0,0 @@ -3.0 (quilt) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/templates b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/templates deleted file mode 100644 index 3eb9934..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids-agent/debian/templates +++ /dev/null @@ -1,4 +0,0 @@ -Template: ossec-hids-agent/server-ip -Type: string -Default: 127.0.0.1 -Description: OSSEC server IP address for this agent. This server is also known as Manager and will receive information from the agent. You need to specify the IP address, the hostname is not valid. The agent still needs to be registered and started manually. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/changelog.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/changelog.gz deleted file mode 100644 index bf360ae..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/changelog.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/compat b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/compat deleted file mode 100644 index 7f8f011..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/compat +++ /dev/null @@ -1 +0,0 @@ -7 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/conffiles b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/conffiles deleted file mode 100644 index 8bda695..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/conffiles +++ /dev/null @@ -1 +0,0 @@ -/var/ossec/etc/ossec.conf diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/control b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/control deleted file mode 100644 index 4b86bb0..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/control +++ /dev/null @@ -1,15 +0,0 @@ -Source: ossec-hids -Section: admin -Priority: extra -Maintainer: Santiago Bassett -Build-Depends: debhelper (>= 7.0.50~), libssl-dev, linux-libc-dev -Standards-Version: 3.8.4 -Homepage: http://www.ossec.net - -Package: ossec-hids -Architecture: any -Depends: ${shlibs:Depends}, libc6 (>= 2.7), libssl1.0.0, expect, debconf -Conflicts: ossec-hids-agent -Description: OSSEC - Host Based Intrusion Detection System - OSSEC HIDS for log analysis, integrity checking, rootkits detection and - active response. This package includes the server and the agent. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/copyright b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/copyright deleted file mode 100644 index df7fd9a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/copyright +++ /dev/null @@ -1,34 +0,0 @@ -This work was packaged for Debian by: - - Santiago Bassett on Fri, 29 Nov 2013 03:11:44 +0000 - -It was downloaded from: - - http://www.ossec.net - -Upstream Authors: - - dcid@dcid.me - Jia-BingJB_Cheng@trendmicro.com - vichargrave@gmail.com - ossec@michaelstarks.com - ddpbsd@gmail.com - scott@atomicorp.com - brad.lhotsky@gmail.com - jeremy@jeremyrossi.com - santiago.bassett@gmail.com - -Copyright: - - GNU General Public License version 2. - -License: - - GNU General Public License version 2. - -The Debian packaging is: - - Copyright (C) 2014 Santiago Bassett - -and is licensed under the GPL version 2, -see "/usr/share/common-licenses/GPL-2". diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/ossec-hids.lintian-overrides b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/ossec-hids.lintian-overrides deleted file mode 100644 index f7d8c24..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/ossec-hids.lintian-overrides +++ /dev/null @@ -1,9 +0,0 @@ -ossec-hids: embedded-library -ossec-hids: embedded-zlib -ossec-hids: possible-gpl-code-linked-with-openssl -ossec-hids: new-package-should-close-itp-bug -ossec-hids: possibly-insecure-handling-of-tmp-files-in-maintainer-script -ossec-hids: non-standard-dir-in-var -ossec-hids: file-in-unusual-dir -ossec-hids: hardening-no-fortify-functions -ossec-hids: hardening-no-relro diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/01_makefile.patch b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/01_makefile.patch deleted file mode 100644 index b1ec6b3..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/01_makefile.patch +++ /dev/null @@ -1,77 +0,0 @@ -Index: ossec-hids-2.8.2/Makefile -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ ossec-hids-2.8.2/Makefile 2015-08-10 04:36:27.819134760 +0000 -@@ -0,0 +1,72 @@ -+# -+# Santiago Bassett -+# 06/15/2015 -+# -+ -+DESTDIR?=/ -+DIR=$(DESTDIR)/var/ossec/ -+OSSEC_INIT=$(DIR)/etc/ossec-init.conf -+ -+all: -+ echo "HEXTRA=-DMAX_AGENTS=16384" >> src/Config.OS -+ (cd src; make all; make build) -+ -+clean: -+ rm bin/* || /bin/true -+ mkdir -p $(DIR)/rules/translated/ -+ chmod 750 $(DIR) || /bin/true -+ chmod 750 $(DIR)/* || /bin/true -+ chmod 750 $(DIR)/rules/translated/ || /bin/true -+ chmod 750 $(DIR)/rules/translated/* || /bin/true -+ (cd src; make clean) -+ rm -f src/Config.OS -+ rm -f src/analysisd/compiled_rules/compiled_rules.h -+ rm -f src/isbigendian.c -+ rm -f src/analysisd/ossec-makelists -+ rm -f src/analysisd/ossec-logtest -+ rm -f src/isbigendian -+ -+install: -+ mkdir -p $(DIR) -+ (cd $(DIR); mkdir -p logs logs/archives logs/alerts logs/firewall bin stats rules queue queue/alerts queue/ossec queue/fts queue/syscheck queue/rootcheck queue/diff queue/agent-info queue/agentless queue/rids tmp var var/run etc etc/init.d etc/shared active-response active-response/bin agentless .ssh contrib) -+ cp -pr etc/rules/* $(DIR)/rules/ -+ chmod -x $(DIR)/rules/*.xml -+ chmod -x $(DIR)/rules/log-entries/* -+ chmod -x $(DIR)/rules/translated/pure_ftpd/*.xml -+ cp -pL /etc/localtime $(DIR)/etc/ 2>/dev/null || /bin/true -+ cp -p /etc/TIMEZONE $(DIR)/etc/ 2>/dev/null || /bin/true -+ cp -p contrib/compile_alerts.pl $(DIR)/contrib/ -+ cp -p contrib/compile_alerts.txt $(DIR)/contrib/ -+ cp -p contrib/config2xml $(DIR)/contrib/ -+ cp -p contrib/ossec-batch-manager.pl $(DIR)/contrib/ -+ cp -p contrib/ossec-eps.sh $(DIR)/contrib/ -+ cp -pr bin/ossec* $(DIR)/bin/ -+ cp -pr bin/manage_agents $(DIR)/bin/ -+ cp -pr bin/syscheck_update $(DIR)/bin/ -+ cp -pr bin/verify-agent-conf $(DIR)/bin/ -+ cp -pr bin/clear_stats $(DIR)/bin/ -+ cp -pr bin/list_agents $(DIR)/bin/ -+ cp -pr bin/agent_control $(DIR)/bin/ -+ cp -pr bin/syscheck_control $(DIR)/bin/ -+ cp -pr bin/rootcheck_control $(DIR)/bin/ -+ cp -pr contrib/util.sh $(DIR)/bin/ -+ cp -pr src/init/ossec-server.sh $(DIR)/bin/ossec-control -+ cp -pr etc/decoder.xml $(DIR)/etc/ -+ chmod -x $(DIR)/etc/decoder.xml -+ cp -pr etc/local_decoder.xml $(DIR)/etc/ > /dev/null 2>&1 || /bin/true -+ cp -pr etc/local_internal_options.conf $(DIR)/etc/ > /dev/null 2>&1 || /bin/true -+ cp -pr etc/client.keys $(DIR)/etc/ > /dev/null 2>&1 ||/bin/true -+ cp -pr src/agentlessd/scripts/* $(DIR)/agentless/ -+ cp -pr etc/internal_options.conf $(DIR)/etc/ -+ chmod -x $(DIR)/etc/internal_options.conf -+ cp -pr etc/ossec-server.conf $(DIR)/etc/ossec.conf -+ chmod -x $(DIR)/etc/ossec.conf -+ cp -pr src/rootcheck/db/*.txt $(DIR)/etc/shared/ -+ chmod -x $(DIR)/etc/shared/*.txt -+ cp -p active-response/*.sh $(DIR)/active-response/bin/ -+ cp -p active-response/firewalls/*.sh $(DIR)/active-response/bin/ -+ cp -p src/init/ossec-hids-debian.init $(DIR)/etc/init.d/ossec -+ echo "DIRECTORY=\"/var/ossec\"" > $(OSSEC_INIT) -+ echo "VERSION=\"$(cat src/VERSION)" >> $(OSSEC_INIT) -+ echo "DATE=\"`date`\"" >> $(OSSEC_INIT) -+ echo "TYPE=\"server\"" >> $(OSSEC_INIT) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/02_ossec-server.conf.patch b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/02_ossec-server.conf.patch deleted file mode 100644 index 6685756..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/02_ossec-server.conf.patch +++ /dev/null @@ -1,100 +0,0 @@ -Index: ossec-hids-2.8.2/etc/ossec-server.conf -=================================================================== ---- ossec-hids-2.8.2.orig/etc/ossec-server.conf 2015-06-10 15:38:32.000000000 +0000 -+++ ossec-hids-2.8.2/etc/ossec-server.conf 2015-07-12 18:46:24.995134760 +0000 -@@ -2,10 +2,10 @@ - - - -- yes -- daniel.cid@example.com -- smtp.example.com. -- ossecm@ossec.example.com. -+ no -+ your_email_address@example.com -+ smtp.your_domain.com. -+ ossecm@ossec.your_domain.com. - - - -@@ -90,14 +90,11 @@ - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt -+ /var/ossec/etc/shared/system_audit_rcl.txt - - - - 127.0.0.1 -- 192.168.2.1 -- 192.168.2.190 -- 192.168.2.32 -- 192.168.2.10 - - - -@@ -138,6 +135,7 @@ - - level (severity) >= 6. - - The IP is going to be blocked for 600 seconds. - --> -+ yes - host-deny - local - 6 -@@ -149,6 +147,7 @@ - - 600 seconds on the firewall (iptables, - - ipfilter, etc). - --> -+ yes - firewall-drop - local - 6 -@@ -159,36 +158,41 @@ - - - syslog -- /var/log/messages -+ /var/log/syslog - - - - syslog -- /var/log/authlog -+ /var/log/auth.log - - - - syslog -- /var/log/secure -+ /var/log/dpkg.log - - - - syslog -- /var/log/xferlog -+ /var/log/kern.log - - -+ -+ - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/series b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/series deleted file mode 100644 index 97791bf..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/patches/series +++ /dev/null @@ -1,2 +0,0 @@ -02_ossec-server.conf.patch -01_makefile.patch diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postinst.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postinst.gz deleted file mode 100644 index 6751c0c..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postinst.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postrm b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postrm deleted file mode 100644 index 267ffaa..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/postrm +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh -# postrm script for ossec-hids - -set -e - -case "$1" in - purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - if getent passwd | grep -q "^ossecr" - then - deluser ossecr - fi - if getent passwd | grep -q "^ossecm" - then - deluser ossecm - fi - if getent passwd | grep -q "^ossec" - then - deluser ossec - fi - if getent group | grep -q "^ossec" - then - delgroup ossec - fi - rm -f /etc/init.d/ossec - rm -f /etc/ossec-init.conf - update-rc.d -f ossec remove - - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - - ;; - -esac - -exit 0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/preinst b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/preinst deleted file mode 100644 index ba4880d..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/preinst +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh -# preinst script for ossec-hids - -set -e - -# configuration variables -OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids" - -# environment configuration -if [ ! -d ${OSSEC_HIDS_TMP_DIR} ]; then - mkdir ${OSSEC_HIDS_TMP_DIR} -fi - -case "$1" in - install|upgrade) - # back up the current user rules - if [ -f /var/ossec/rules/local_rules.xml ]; then - cp /var/ossec/rules/local_rules.xml ${OSSEC_HIDS_TMP_DIR}/local_rules.xml - fi - ;; - - abort-upgrade) - - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - - ;; - -esac - -exit 0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/rules b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/rules deleted file mode 100644 index 7e26af8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/rules +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/make -f -# -*- makefile -*- -# Sample debian/rules that uses debhelper. -# -# This file was originally written by Joey Hess and Craig Small. -# As a special exception, when this file is copied by dh-make into a -# dh-make output file, you may use that output file without restriction. -# This special exception was added by Craig Small in version 0.37 of dh-make. -# -# Modified to make a template file for a multi-binary package with separated -# build-arch and build-indep targets by Bill Allombert 2001 - -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 - -# This has to be exported to make some magic below work. -export DH_OPTIONS - - -%: - dh $@ - -override_dh_auto_configure: - -override_dh_auto_build: - $(MAKE) all - -override_dh_auto_clean: - $(MAKE) clean diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/source/format b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/source/format deleted file mode 100644 index 163aaf8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/source/format +++ /dev/null @@ -1 +0,0 @@ -3.0 (quilt) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/templates b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/templates deleted file mode 100644 index 0602cae..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/debian-packages/ossec-hids/debian/templates +++ /dev/null @@ -1,20 +0,0 @@ -Template: ossec-hids/email_notification -Type: select -Choices: yes, no -Default: no -Description: Enable email notification when an alert is triggered. - -Template: ossec-hids/email_to -Type: string -Default: root@localhost -Description: This is the email address where alerts will be sent to. - -Template: ossec-hids/email_from -Type: string -Default: ossecm@localhost -Description: This is the from email address used to send alerts. - -Template: ossec-hids/smtp_server -Type: string -Default: localhost -Description: SMTP server IP address or hostname. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/iis-logs.bat b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/iis-logs.bat deleted file mode 100644 index b7f55c9..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/iis-logs.bat +++ /dev/null @@ -1,57 +0,0 @@ -@echo off - -rem Searching for IIS logs. -rem If we find any log in the NCSA or W3C extended format, -rem change the config to support that. If not, let the user know. -rem Example of log to look: nc060215.log or ex060723.log - -echo. -echo Looking for IIS log files to monitor. -echo For more information visit: -echo http://www.ossec.net/en/manual.html#iis -echo. -echo. - -IF EXIST %WinDir%\System32\LogFiles\W3SVC1\nc??????.log ( - echo * IIS NCSA log found. Changing config to read it. - echo. >> ossec.conf - echo ^ >> ossec.conf - echo ^ >> ossec.conf - echo ^%WinDir%\System32\LogFiles\W3SVC1\nc%%y%%m%%d.log^ >> ossec.conf - echo ^iis^ >> ossec.conf - echo ^ >> ossec.conf - echo ^ >> ossec.conf - pause - ) - -IF EXIST %WinDir%\System32\LogFiles\W3SVC1\ex??????.log ( - echo * IIS W3C extended log found. Changing config to read it. - echo. >> ossec.conf - echo ^ >> ossec.conf - echo ^ >> ossec.conf - echo ^%WinDir%\System32\LogFiles\W3SVC1\ex%%y%%m%%d.log^ >> ossec.conf - echo ^iis^ >> ossec.conf - echo ^ >> ossec.conf - echo ^ >> ossec.conf - pause - ) - -IF EXIST %WinDir%\System32\LogFiles\W3SVC3\ex??????.log ( - echo * IIS W3C extended log found. Changing config to read it. - echo. >> ossec.conf - echo ^ >> ossec.conf - echo ^ >> ossec.conf - echo ^%WinDir%\System32\LogFiles\W3SVC3\nc%%y%%m%%d.log^ >> ossec.conf - echo ^iis^ >> ossec.conf - echo ^ >> ossec.conf - echo ^ >> ossec.conf - pause - ) - -IF EXIST %WinDir%\System32\LogFiles\W3SVC1 ( - echo * IIS Log found. Look at the link above if you want to monitor it. - pause - exit ) - -rem EOF - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/1/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/1/log deleted file mode 100644 index eb7e201..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/1/log +++ /dev/null @@ -1 +0,0 @@ -Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/1/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/1/res deleted file mode 100644 index a62202e..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/1/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11' - hostname: 'melancia' - program_name: 'pam' - log: 'gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/10/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/10/log deleted file mode 100644 index 74ad821..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/10/log +++ /dev/null @@ -1 +0,0 @@ -Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/10/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/10/res deleted file mode 100644 index d8aa869..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/10/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty' - hostname: 'triumph' - program_name: 'PAM-securetty' - log: 'Couldn't open /etc/securetty' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '1001' - Level: '2' - Description: 'File missing. Root access unrestricted.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/11/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/11/log deleted file mode 100644 index 34594c7..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/11/log +++ /dev/null @@ -1 +0,0 @@ -Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/11/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/11/res deleted file mode 100644 index f6cb867..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/11/res +++ /dev/null @@ -1,18 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0' - hostname: 'bogus.com' - program_name: 'su' - log: 'ericx to root on /dev/ttyu0' - -**Phase 2: Completed decoding. - decoder: 'su' - srcuser: 'ericx' - dstuser: 'root' - -**Phase 3: Completed filtering (rules). - Rule id: '5305' - Level: '4' - Description: 'First time (su) is executed by user.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/12/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/12/log deleted file mode 100644 index e1baedb..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/12/log +++ /dev/null @@ -1 +0,0 @@ -May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/12/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/12/res deleted file mode 100644 index 81143bf..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/12/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root' - hostname: 'melancia' - program_name: '(null)' - log: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '2501' - Level: '5' - Description: 'User authentication failure.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/13/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/13/log deleted file mode 100644 index a9bffd1..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/13/log +++ /dev/null @@ -1 +0,0 @@ -May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/13/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/13/res deleted file mode 100644 index 83f79a0..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/13/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test' - hostname: 'melancia' - program_name: '(null)' - log: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '2501' - Level: '5' - Description: 'User authentication failure.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/14/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/14/log deleted file mode 100644 index 86d4c56..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/14/log +++ /dev/null @@ -1 +0,0 @@ -Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/14/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/14/res deleted file mode 100644 index d6fcaae..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/14/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)' - hostname: 'melancia' - program_name: '(null)' - log: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/15/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/15/log deleted file mode 100644 index 60cc1e1..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/15/log +++ /dev/null @@ -1 +0,0 @@ -Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/15/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/15/res deleted file mode 100644 index 5dcfd9f..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/15/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)' - hostname: 'melancia' - program_name: '(null)' - log: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/16/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/16/log deleted file mode 100644 index 305dc61..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/16/log +++ /dev/null @@ -1 +0,0 @@ -Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/16/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/16/res deleted file mode 100644 index 6388ef2..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/16/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root' - hostname: 'melancia' - program_name: '(null)' - log: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/17/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/17/log deleted file mode 100644 index b9f0336..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/17/log +++ /dev/null @@ -1 +0,0 @@ -Jul 5 12:13:15 lili su[2614]: Authentication failed for root diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/17/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/17/res deleted file mode 100644 index 5d2368e..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/17/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root' - hostname: 'melancia' - program_name: '(null)' - log: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '2501' - Level: '5' - Description: 'User authentication failure.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/18/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/18/log deleted file mode 100644 index 721b97b..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/18/log +++ /dev/null @@ -1 +0,0 @@ -Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/18/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/18/res deleted file mode 100644 index 1dd1cf8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/18/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root' - hostname: 'melancia' - program_name: '(null)' - log: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/19/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/19/log deleted file mode 100644 index a0843f8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/19/log +++ /dev/null @@ -1 +0,0 @@ -May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/19/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/19/res deleted file mode 100644 index 64a4ab6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/19/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006' - hostname: 'niban' - program_name: 'useradd' - log: 'new group: name=test, gid=5006' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '5901' - Level: '8' - Description: 'New group added to the system' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/2/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/2/log deleted file mode 100644 index 6059c8f..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/2/log +++ /dev/null @@ -1 +0,0 @@ -Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/2/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/2/res deleted file mode 100644 index ed00e95..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/2/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0)' - hostname: 'melancia' - program_name: 'runuser' - log: 'pam_unix(runuser:session): session opened for user root by (uid=0)' - -**Phase 2: Completed decoding. - decoder: 'pam' - -**Phase 3: Completed filtering (rules). - Rule id: '5501' - Level: '3' - Description: 'Login session opened.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/20/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/20/log deleted file mode 100644 index 7cb06f5..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/20/log +++ /dev/null @@ -1 +0,0 @@ -May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/20/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/20/res deleted file mode 100644 index b0b4458..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/20/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000' - hostname: 'niban' - program_name: 'useradd' - log: 'new group: name=logr, gid=12000' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '5901' - Level: '8' - Description: 'New group added to the system' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/21/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/21/log deleted file mode 100644 index 5842364..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/21/log +++ /dev/null @@ -1 +0,0 @@ -Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/21/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/21/res deleted file mode 100644 index 74dd5bb..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/21/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001' - hostname: 'niban' - program_name: 'useradd' - log: 'new group: name=test2, gid=12001' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '5901' - Level: '8' - Description: 'New group added to the system' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/22/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/22/log deleted file mode 100644 index d769abb..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/22/log +++ /dev/null @@ -1 +0,0 @@ -Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/22/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/22/res deleted file mode 100644 index 1f3de22..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/22/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002' - hostname: 'melancia' - program_name: '(null)' - log: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/23/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/23/log deleted file mode 100644 index bab3655..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/23/log +++ /dev/null @@ -1 +0,0 @@ -Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/23/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/23/res deleted file mode 100644 index 2829a5f..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/23/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002' - hostname: 'melancia' - program_name: '(null)' - log: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/24/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/24/log deleted file mode 100644 index d52ac7a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/24/log +++ /dev/null @@ -1 +0,0 @@ -Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/24/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/24/res deleted file mode 100644 index 0e45275..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/24/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash' - hostname: 'melancia' - program_name: '(null)' - log: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/25/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/25/log deleted file mode 100644 index 6871b31..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/25/log +++ /dev/null @@ -1 +0,0 @@ -Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/25/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/25/res deleted file mode 100644 index 6c61ac8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/25/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls' - hostname: 'melancia' - program_name: '(null)' - log: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/26/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/26/log deleted file mode 100644 index 328e46f..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/26/log +++ /dev/null @@ -1 +0,0 @@ -Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/26/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/26/res deleted file mode 100644 index c8fe17a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/26/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' - hostname: 'enigma' - program_name: 'sudo' - log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' - -**Phase 2: Completed decoding. - decoder: 'sudo' - -**Phase 3: Completed filtering (rules). - Rule id: '5404' - Level: '10' - Description: 'Three failed attempts to run sudo' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/27/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/27/log deleted file mode 100644 index b156e56..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/27/log +++ /dev/null @@ -1 +0,0 @@ -May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/27/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/27/res deleted file mode 100644 index a23d943..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/27/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls' - hostname: 'enigma' - program_name: 'sudo' - log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls' - -**Phase 2: Completed decoding. - decoder: 'sudo' - -**Phase 3: Completed filtering (rules). - Rule id: '5404' - Level: '10' - Description: 'Three failed attempts to run sudo' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/28/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/28/log deleted file mode 100644 index b0dea84..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/28/log +++ /dev/null @@ -1 +0,0 @@ -Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/28/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/28/res deleted file mode 100644 index a5a97d8..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/28/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' - hostname: 'melancia' - program_name: '(null)' - log: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/29/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/29/log deleted file mode 100644 index 03a69c9..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/29/log +++ /dev/null @@ -1 +0,0 @@ -Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/29/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/29/res deleted file mode 100644 index 8d55df2..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/29/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1' - hostname: 'melancia' - program_name: '(null)' - log: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/3/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/3/log deleted file mode 100644 index 60a16a2..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/3/log +++ /dev/null @@ -1 +0,0 @@ -Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/3/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/3/res deleted file mode 100644 index 5586f89..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/3/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4' - hostname: 'localhost' - program_name: 'vsftpd' - log: 'pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4' - -**Phase 2: Completed decoding. - decoder: 'pam' - srcip: '1.2.3.4' - -**Phase 3: Completed filtering (rules). - Rule id: '5503' - Level: '5' - Description: 'User login failed.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/30/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/30/log deleted file mode 100644 index eeb35ef..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/30/log +++ /dev/null @@ -1 +0,0 @@ -Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/30/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/30/res deleted file mode 100644 index 87eec28..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/30/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin' - hostname: 'melancia' - program_name: '(null)' - log: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/31/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/31/log deleted file mode 100644 index e5eb9d1..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/31/log +++ /dev/null @@ -1 +0,0 @@ -May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/31/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/31/res deleted file mode 100644 index 9ad2d73..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/31/res +++ /dev/null @@ -1,20 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure' - hostname: 'enigma' - program_name: 'sudo' - log: 'dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure' - -**Phase 2: Completed decoding. - decoder: 'sudo' - dstuser: 'dcid' - url: '/var/www/htdocs' - srcuser: 'root' - status: '/usr/bin/tail /var/log/secure' - -**Phase 3: Completed filtering (rules). - Rule id: '5403' - Level: '4' - Description: 'First time user executed sudo.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/32/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/32/log deleted file mode 100644 index 83041fb..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/32/log +++ /dev/null @@ -1 +0,0 @@ -May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/32/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/32/res deleted file mode 100644 index 986a2fd..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/32/res +++ /dev/null @@ -1,20 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers' - hostname: 'lili' - program_name: 'sudo' - log: 'dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers' - -**Phase 2: Completed decoding. - decoder: 'sudo' - dstuser: 'dcid' - url: '/home/dcid' - srcuser: 'root' - status: '/usr/bin/vi /etc/sudoers' - -**Phase 3: Completed filtering (rules). - Rule id: '5403' - Level: '4' - Description: 'First time user executed sudo.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/33/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/33/log deleted file mode 100644 index ee9b225..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/33/log +++ /dev/null @@ -1 +0,0 @@ -Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/33/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/33/res deleted file mode 100644 index 69d8c5a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/33/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220' - hostname: 'ccs' - program_name: 'rpc.statd' - log: 'gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '1002' - Level: '2' - Description: 'Unknown problem somewhere in the system.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/34/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/34/log deleted file mode 100644 index 691ce2a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/34/log +++ /dev/null @@ -1 +0,0 @@ -May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/34/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/34/res deleted file mode 100644 index a249697..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/34/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com' - hostname: 'server' - program_name: 'ftpd' - log: 'ANONYMOUS FTP LOGIN FROM emaca.here.com' - -**Phase 2: Completed decoding. - decoder: 'ftpd' - srcip: 'emaca.here.com' - -**Phase 3: Completed filtering (rules). - Rule id: '11106' - Level: '3' - Description: 'Remote host connected to FTP server.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/35/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/35/log deleted file mode 100644 index 6e81c7e..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/35/log +++ /dev/null @@ -1 +0,0 @@ -May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/35/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/35/res deleted file mode 100644 index 290e8e1..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/35/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' - hostname: 'victim-host' - program_name: 'inetd' - log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '40107' - Level: '14' - Description: 'Heap overflow in the Solaris cachefsd service.' - Info - CVE: '2002-0033' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/36/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/36/log deleted file mode 100644 index a08d835..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/36/log +++ /dev/null @@ -1 +0,0 @@ -May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/36/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/36/res deleted file mode 100644 index 2899796..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/36/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' - hostname: 'victim-host' - program_name: 'inetd' - log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '40107' - Level: '14' - Description: 'Heap overflow in the Solaris cachefsd service.' - Info - CVE: '2002-0033' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/37/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/37/log deleted file mode 100644 index 3c30aae..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/37/log +++ /dev/null @@ -1 +0,0 @@ -Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/37/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/37/res deleted file mode 100644 index 61c466e..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/37/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0' - hostname: 'hostj' - program_name: 'named' - log: 'security: notice: dropping source port zero packet from [64.211.251.254].0' - -**Phase 2: Completed decoding. - decoder: 'named' - srcip: '64.211.251.254' - -**Phase 3: Completed filtering (rules). - Rule id: '12101' - Level: '12' - Description: 'Invalid DNS packet. Possibility of attack.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/38/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/38/log deleted file mode 100644 index 9c1608c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/38/log +++ /dev/null @@ -1 +0,0 @@ -sshd[7386]: error: Bad prime description in line 73 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/38/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/38/res deleted file mode 100644 index ddd59dd..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/38/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'sshd[7386]: error: Bad prime description in line 73' - hostname: 'melancia' - program_name: '(null)' - log: 'sshd[7386]: error: Bad prime description in line 73' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '1002' - Level: '2' - Description: 'Unknown problem somewhere in the system.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/39/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/39/log deleted file mode 100644 index 3685e94..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/39/log +++ /dev/null @@ -1 +0,0 @@ -Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/39/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/39/res deleted file mode 100644 index 2f740cc..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/39/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)' - hostname: 'elrond' - program_name: 'sshd' - log: 'refused connect from accsys.elink.net.au (203.31.101.11)' - -**Phase 2: Completed decoding. - decoder: 'sshd' - srcip: '203.31.101.11' - -**Phase 3: Completed filtering (rules). - Rule id: '2503' - Level: '5' - Description: 'Connection blocked by Tcp Wrappers.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/4/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/4/log deleted file mode 100644 index 5571201..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/4/log +++ /dev/null @@ -1 +0,0 @@ -Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/4/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/4/res deleted file mode 100644 index cf3a8d6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/4/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.' - hostname: 'hostname' - program_name: 'cimserver' - log: 'PGS17200: Authentication failed for user jones_b.' - -**Phase 2: Completed decoding. - decoder: 'cimserver' - dstuser: 'jones_b' - -**Phase 3: Completed filtering (rules). - Rule id: '9610' - Level: '5' - Description: 'Compaq Insight Manager authentication failure.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/40/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/40/log deleted file mode 100644 index 4da5f03..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/40/log +++ /dev/null @@ -1 +0,0 @@ -Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/40/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/40/res deleted file mode 100644 index cde3af4..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/40/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' - hostname: 'melancia' - program_name: '(null)' - log: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '1002' - Level: '2' - Description: 'Unknown problem somewhere in the system.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/41/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/41/log deleted file mode 100644 index ec267f9..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/41/log +++ /dev/null @@ -1 +0,0 @@ -Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/41/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/41/res deleted file mode 100644 index 145936e..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/41/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' - hostname: 'melancia' - program_name: '(null)' - log: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' - -**Phase 2: Completed decoding. - No decoder matched. - -**Phase 3: Completed filtering (rules). - Rule id: '1002' - Level: '2' - Description: 'Unknown problem somewhere in the system.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/42/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/42/log deleted file mode 100644 index 47f2fd4..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/42/log +++ /dev/null @@ -1 +0,0 @@ -[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/42/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/42/res deleted file mode 100644 index c228b7b..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/42/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: '[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)' - hostname: 'melancia' - program_name: '(null)' - log: '[error] [client 127.0.0.1] request failed: URI too long (longer than 8190)' - -**Phase 2: Completed decoding. - decoder: 'apache-errorlog' - srcip: '127.0.0.1' - -**Phase 3: Completed filtering (rules). - Rule id: '30117' - Level: '10' - Description: 'Invalid URI, file name too long.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/43/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/43/log deleted file mode 100644 index 7a1ba34..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/43/log +++ /dev/null @@ -1 +0,0 @@ -[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/43/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/43/res deleted file mode 100644 index 392f224..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/43/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: '[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed' - hostname: 'melancia' - program_name: '(null)' - log: '[error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed' - -**Phase 2: Completed decoding. - decoder: 'apache-errorlog' - srcip: '127.0.0.1' - -**Phase 3: Completed filtering (rules). - Rule id: '30117' - Level: '10' - Description: 'Invalid URI, file name too long.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/44/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/44/log deleted file mode 100644 index 2d503b9..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/44/log +++ /dev/null @@ -1 +0,0 @@ -Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443] diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/44/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/44/res deleted file mode 100644 index fcd8b85..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/44/res +++ /dev/null @@ -1,8 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]' - hostname: 'melancia' - program_name: '(null)' - log: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]' - -**Phase 2: Completed decoding. - No decoder matched. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/5/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/5/log deleted file mode 100644 index c545162..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/5/log +++ /dev/null @@ -1 +0,0 @@ -Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/5/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/5/res deleted file mode 100644 index ae59790..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/5/res +++ /dev/null @@ -1,20 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast' - hostname: 'niban' - program_name: 'sudo' - log: ' dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast' - -**Phase 2: Completed decoding. - decoder: 'sudo' - dstuser: 'dcid' - url: '/home/dcid' - srcuser: 'root' - status: '/usr/bin/tail /var/log/snort/alert.fast' - -**Phase 3: Completed filtering (rules). - Rule id: '5403' - Level: '4' - Description: 'First time user executed sudo.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/6/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/6/log deleted file mode 100644 index 821e304..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/6/log +++ /dev/null @@ -1 +0,0 @@ -Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/6/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/6/res deleted file mode 100644 index 45c6a43..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/6/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec' - hostname: 'melancia' - program_name: '(null)' - log: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec' - -**Phase 2: Completed decoding. - decoder: 'vsftpd' - dstuser: 'xx' - status: 'OK UPLOAD' - srcip: '1.2.3.4' - url: '/a.php' - -**Phase 3: Completed filtering (rules). - Rule id: '11404' - Level: '0' - Description: 'FTP server file upload.' diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/7/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/7/log deleted file mode 100644 index 37f5735..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/7/log +++ /dev/null @@ -1 +0,0 @@ -MySQL log: 060516 22:38:46 mysqld ended diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/7/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/7/res deleted file mode 100644 index 5ad1443..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/7/res +++ /dev/null @@ -1,16 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'MySQL log: 060516 22:38:46 mysqld ended' - hostname: 'melancia' - program_name: '(null)' - log: 'MySQL log: 060516 22:38:46 mysqld ended' - -**Phase 2: Completed decoding. - decoder: 'mysql_log' - -**Phase 3: Completed filtering (rules). - Rule id: '50120' - Level: '12' - Description: 'Database shutdown message.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/8/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/8/log deleted file mode 100644 index 1779e50..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/8/log +++ /dev/null @@ -1 +0,0 @@ -Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4] diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/8/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/8/res deleted file mode 100644 index 8d62b8d..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/8/res +++ /dev/null @@ -1,17 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]' - hostname: 'gandalf' - program_name: 'pop3d' - log: 'LOGIN FAILED, ip=[::ffff:1.2.3.4]' - -**Phase 2: Completed decoding. - decoder: 'courier' - srcip: '::ffff:1.2.3.4' - -**Phase 3: Completed filtering (rules). - Rule id: '3902' - Level: '5' - Description: 'Courier (imap/pop3) authentication failed.' -**Alert to be generated. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/9/log b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/9/log deleted file mode 100644 index 250fedb..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/9/log +++ /dev/null @@ -1 +0,0 @@ -type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp" diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/9/res b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/9/res deleted file mode 100644 index 2f97bf0..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/9/res +++ /dev/null @@ -1,12 +0,0 @@ -**Phase 1: Completed pre-decoding. - full event: 'type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"' - hostname: 'melancia' - program_name: '(null)' - log: 'type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"' - -**Phase 2: Completed decoding. - decoder: 'auditd' - action: 'SYSCALL' - id: '148' - status: 'yes' - extra_data: '/tmp/wget' diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/dotests.sh b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/dotests.sh deleted file mode 100644 index 2d40853..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/dotests.sh +++ /dev/null @@ -1,57 +0,0 @@ -#!/bin/sh - -hostname=`hostname` -hostname melancia - -cleanup() { - hostname $hostname - rm -f ./tmpres -} - -trap "cleanup" INT TERM EXIT -exitcode=0 - -if diff --help 2>&1 | grep -q -- --color; then - diff_cmd='diff --color' -else - diff_cmd='diff' -fi - -echo "Starting log unit tests (must be run as root and on a system with OSSEC installed)." -echo "(it will make sure the current rules are working as they should)." -rm -f ./tmpres -for i in ./*/log; do - idir=`dirname $i` - - rm -f ./tmpres || exit "Unable to remove tmpres."; - cat $i | /var/ossec/bin/ossec-logtest 2>&1|grep -av ossec-testrule |grep -aA 500 "Phase 1:" > ./tmpres - - if [ ! -f $idir/res ]; then - echo "** Creating entry for $i - Not set yet." - cat ./tmpres > $idir/res - rm -f tmpres - continue; - fi - MD1=`md5sum ./tmpres | cut -d " " -f 1` - MD2=`md5sum $idir/res | cut -d " " -f 1` - - if [ ! $MD1 = $MD2 ]; then - exitcode=1 - echo - echo - echo - echo "**ERROR: Unit testing failed. Output for the test $i failed." - echo "== DIFF OUTPUT: ==" - $diff_cmd -Na -U `wc -l $idir/res` tmpres - rm -f tmpres - fi - -done - -echo "" -if [ $exitcode -eq 0 ]; then - echo "Log unit tests completed. Everything seems ok (nothing changed since last test regarding the outputs)." -else - echo "Log unit tests completed. Some tests failed." -fi -exit $exitcode diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-batch-manager.pl.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-batch-manager.pl.gz deleted file mode 100644 index dd7d0b8..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-batch-manager.pl.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-configure.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-configure.gz deleted file mode 100644 index 33cad27..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-configure.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-eps.sh b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-eps.sh deleted file mode 100644 index 248d5a0..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-eps.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/sh -# Calculate OSSEC events per second -# Author Michael Starks ossec [at] michaelstarks [dot] com -# License: GPLv3 - -if [ ! -e /etc/ossec-init.conf ]; then - echo OSSEC does not appear to be installed on this system. Goodbye. - exit 1 -else - grep -q agent /etc/ossec-init.conf && echo This script can only be run on the manager. Goodbye. && exit 1 -fi - -#Reset counters -COUNT=0 -EPSSUM=0 -EPSAVG=0 -#Source OSSEC Dir -. /etc/ossec-init.conf - -for i in $(grep 'Total events for day' ${DIRECTORY}/stats/totals/*/*/ossec-totals-*.log | cut -d: -f3); do - COUNT=$((COUNT+1)) - DAILYEVENTS=$i - EPSSUM=$(($DAILYEVENTS+$EPSSUM)) -done - -EPSAVG=$(($EPSSUM/$COUNT/(86400))) - -echo Your total lifetime number of events collected is: $EPSSUM -echo Your total daily number of events average is: $(($EPSSUM/$COUNT)) -echo Your daily events per second average is: $EPSAVG diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-pcre2-config.pl b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-pcre2-config.pl deleted file mode 100644 index 39bf193..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-pcre2-config.pl +++ /dev/null @@ -1,78 +0,0 @@ -#! /usr/bin/perl -w - -use strict; -use warnings; - -use Cwd qw/getcwd realpath/; -use File::Basename; -use File::Find; -use File::Temp qw/tempfile/; - -my $ossec_regex_convert = realpath(dirname($0) . '/../src/ossec-regex-convert'); - -sub get_install_dir () { - open(FILE, '<', 'src/LOCATION') || die("Cannot find INSTALL DIR"); - my $dir = '/var/ossec'; - - while () { - if (m{^DIR\s*=\s*(["']?)(.*)\g1$}p) { - $dir = $2; - last; - } - } - - return $dir; -} - -my $old_tags = join('|', split(/\n/m, `$ossec_regex_convert -t`)); - -sub convert_file ($) { - my $filename = shift(); - print("Converting ${filename}...\n"); - - unless (open(SRC, '<', $filename)) { - print(STDERR "Cannot read '${filename}'\n"); - return; - } - my ($tmp_fh, $tmp_filename) = tempfile('tmp-ossec-config-convert.XXXXX', DIR => '/tmp', SUFFIX => '.xml'); - - while () { - if (m{^(\s*)<\s*($old_tags)([^>]*)>(.*?)<\s*/\s*\g2\s*>}pg) { - my ($indent, $old_type, $options, $old_regex) = ($1, $2, $3, $4); - $old_regex =~ s/'/'\\''/g; - my $out = qx/$ossec_regex_convert -b -- $old_type '$old_regex'/; - chomp($out); - my ($type, $regex) = split(/ /, $out, 2); - if ($old_regex) { - print($tmp_fh "$indent<$type$options>$regex\n"); - } else { - print($tmp_fh "$indent<$type$options>\n"); - } - } else { - print($tmp_fh $_); - } - } - - close(SRC); - close($tmp_fh); - - rename($tmp_filename, $filename); -} - -sub wanted() { - my $filename = $File::Find::name; - - if ($filename =~ m/[.]xml$/) { - convert_file($filename); - } -} - -my $INSTALL_DIR = get_install_dir(); -if (! -d ${INSTALL_DIR}) { - print(STDERR "Please install OSSEC first\n"); - exit(1); -} - -find({wanted => \&wanted, no_chdir => 1}, $INSTALL_DIR); - -exit(0); diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/runtests.py b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/runtests.py deleted file mode 100644 index bf821ce..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/runtests.py +++ /dev/null @@ -1,94 +0,0 @@ -#!/usr/bin/env python -import ConfigParser -import subprocess -import os -import sys -import os.path - - -class OssecTester(object): - def __init__(self): - self._error = False - self._debug = False - self._quiet = False - self._ossec_conf = "/var/ossec/etc/ossec.conf" - self._base_dir = "/var/ossec/" - self._ossec_path = "/var/ossec/bin/" - self._test_path = "./tests" - - def buildCmd(self, rule, alert, decoder): - cmd = ['%s/ossec-logtest' % (self._ossec_path), ] - cmd += ['-q'] - if self._ossec_conf: - cmd += ["-c", self._ossec_conf] - if self._base_dir: - cmd += ["-D", self._base_dir] - cmd += ['-U', "%s:%s:%s" % (rule, alert, decoder)] - return cmd - - def runTest(self, log, rule, alert, decoder, section, name, negate=False): - #print self.buildCmd(rule, alert, decoder) - p = subprocess.Popen( - self.buildCmd(rule, alert, decoder), - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - stdin=subprocess.PIPE, - shell=False) - std_out = p.communicate(log)[0] - if (p.returncode != 0 and not negate) or (p.returncode == 0 and negate): - self._error = True - print "" - print "-" * 60 - print "Failed: Exit code = %s" % (p.returncode) - print " Alert = %s" % (alert) - print " Rule = %s" % (rule) - print " Decoder = %s" % (decoder) - print " Section = %s" % (section) - print " line name = %s" % (name) - print " " - print std_out - elif self._debug: - print "Exit code= %s" % (p.returncode) - print std_out - else: - sys.stdout.write(".") - - def run(self, selective_test=False): - for aFile in os.listdir(self._test_path): - aFile = os.path.join(self._test_path, aFile) - if aFile.endswith(".ini"): - if selective_test and not aFile.endswith(selective_test): - continue - print "- [ File = %s ] ---------" % (aFile) - tGroup = ConfigParser.ConfigParser() - tGroup.read([aFile]) - tSections = tGroup.sections() - for t in tSections: - rule = tGroup.get(t, "rule") - alert = tGroup.get(t, "alert") - decoder = tGroup.get(t, "decoder") - for (name, value) in tGroup.items(t): - if name.startswith("log "): - if self._debug: - print "-" * 60 - if name.endswith("pass"): - neg = False - elif name.endswith("fail"): - neg = True - else: - neg = False - self.runTest(value, rule, alert, decoder, - t, name, negate=neg) - print "" - if self._error: - sys.exit(1) - -if __name__ == "__main__": - if len(sys.argv) == 2: - selective_test = sys.argv[1] - if not selective_test.endswith('.ini'): - selective_test += '.ini' - else: - selective_test = False - OT = OssecTester() - OT.run(selective_test) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini deleted file mode 100644 index 1fd79a6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apache.ini +++ /dev/null @@ -1,81 +0,0 @@ -[Attempt to access forbidden directory index.] -log 1 pass = [error] [client 80.230.208.105] Directory index forbidden by rule: /home/ -rule = 30106 -alert = 5 -decoder = apache-errorlog - -[Code Red attack] -log 1 pass = [error] [client 64.94.163.159] Client sent malformed Host header -rule = 30107 -alert = 6 -decoder = apache-errorlog - -[Attempt to access an non-existent file] -log 1 pass = [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida -rule = 30112 -alert = 0 -decoder = apache-errorlog - -[Apache notice messages grouped] -log 1 pass = [notice] Apache configured -rule = 30103 -alert = 0 -decoder = apache-errorlog - -[Apache 2.2 error messages grouped] -log 1 pass = [Fri Dec 13 06:59:54 2013] [error] [client 12.34.65.78] PHP Notice: -rule = 30101 -alert = 0 -decoder = apache-errorlog - -[Apache 2.4 error messages grouped] -log 1 pass = [Tue Sep 30 11:30:13.262255 2014] [core:error] [pid 20101] [client 99.47.227.95:34567] AH00037: Symbolic link not allowed or link target not accessible: /usr/share/awstats/icon/mime/document.png -log 2 pass = [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different -rule = 30301 -alert = 0 -decoder = apache-errorlog - -[Apache 2.4 warn messages grouped] -log 1 pass = [Tue Sep 30 12:24:22.891366 2014] [proxy:warn] [pid 2331] [client 77.127.180.111:54082] AH01136: Unescaped URL path matched ProxyPass; ignoring unsafe nocanon, referer: http://www.easylinker.co.il/he/links.aspx?user=bguyb -rule = 30302 -alert = 0 -decoder = apache-errorlog - -[Attempt to access forbidden file or directory] -log 1 pass = [Tue Sep 30 14:25:44.895897 2014] [authz_core:error] [pid 31858] [client 99.47.227.95:38870] AH01630: client denied by server configuration: /var/www/example.com/docroot/ -rule = 30305 -alert = 5 -decoder = apache-errorlog - -[Apache messages grouped] -log 1 pass = [Thu Oct 23 15:17:55.926067 2014] [ssl:info] [pid 18838] [client 36.226.119.49:2359] AH02008: SSL library error 1 in handshake (server www.example.com:443) -log 2 pass = [Thu Oct 23 15:17:55.926123 2014] [ssl:info] [pid 18838] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!? -rule = 30100 -alert = 0 -decoder = apache-errorlog - -[PHP Notices in Apache 2.4 errorlog] -log 1 pass = [Sun Nov 23 18:49:01.713508 2014] [:error] [pid 15816] [client 141.8.147.9:51507] PHP Notice: A non well formed numeric value encountered in /path/to/file.php on line 123 -rule = 30318 -alert = 5 -decoder = apache-errorlog - -[auth fail] -log 1 pass = [Tue Feb 07 08:50:22.679122 2017] [auth_basic:error] [pid 14446] [client 10.101.1.50:33168] AH01617: user pupkin: authentication failure for "/secret/": Password Mismatch -rule = 30308 -alert = 5 -decoder = apache-errorlog - -[script 404] -log 1 pass = [Tue Feb 07 02:43:19.799723 2017] [cgi:error] [pid 9721] [client 10.101.1.50:44324] AH02811: script not found or unable to stat: /var/www/html/showmail.pl -rule = 30321 -alert = 2 -decoder = apache-errorlog - -[permission denied] -log 1 pass = [Thu Feb 02 01:44:27.699327 2017] [access_compat:error] [pid 7934] [client ::1:50058] AH01797: client denied by server configuration: /var/www/html/' -log 2 pass = [Thu Feb 02 00:59:02.285651 2017] [core:error] [pid 20009] (13)Permission denied: [client ::1:49934] AH00132: file permissions deny server access: /var/www/html/1 -rule = 30320 -alert = 2 -decoder = apache-errorlog - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apparmor.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apparmor.ini deleted file mode 100644 index bcada3d..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/apparmor.ini +++ /dev/null @@ -1,35 +0,0 @@ -[Ignore ALLOWED or STATUS] -log 1 pass = Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003 - -rule = 52001 -alert = 0 -decoder = iptables - -[Apparmor ALLOWED or STATUS] -log 1 pass = Jun 23 20:46:15 hostname kernel: [ 11.103248] audit: type=1400 audit(1403549175.177:2): apparmor="STATUS" operation="profile_load" name="/sbin/klogd" pid=2185 comm="apparmor_parser" - -rule = 52001 -alert = 0 -decoder = iptables - -[Apparmor DENIED] -log 1 pass = Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 - -rule = 52002 -alert = 3 -decoder = iptables - -[Apparmor DENIED mknod operation.] -log 1 pass = Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33 - -rule = 52004 -alert = 4 -decoder = iptables - -[Apparmor DENIED exec operation.] -log 1 pass = Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type =1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0 - -rule = 52003 -alert = 5 -decoder = iptables - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/asterisk.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/asterisk.ini deleted file mode 100644 index fffff08..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/asterisk.ini +++ /dev/null @@ -1,15 +0,0 @@ -[login failed] -log 1 pass = Aug 29 07:21:05 hostname asterisk[3284]: NOTICE[3734]: chan_sip.c:28088 in handle_request_register: Registration from '"3810" ' failed for '37.8.26.31:5065' - Wrong password -log 2 pass = Dec 16 18:02:04 asterisk1 asterisk[31774]: NOTICE[31787]: chan_sip.c:11242 in handle_request_register: Registration from '"503"' failed for '192.168.1.137' - Wrong password - -rule = 6210 -alert = 5 -decoder = asterisk - -[invalid extension] -log 1 pass = Aug 30 16:02:29 hostname asterisk[3284]: NOTICE[3734][C-00001c7a]: chan_sip.c:25650 in handle_request_invite: Call from '' (89.163.146.112:5071) to extension '70046313115067' rejected because extension not found in context 'default'. - -rule = 6258 -alert = 5 -decoder = asterisk - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cimserver.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cimserver.ini deleted file mode 100644 index 80717c6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cimserver.ini +++ /dev/null @@ -1,9 +0,0 @@ -[rshd: illegal] -log 1 pass = Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b. -log 2 fail = Dec 18 18:06:29 hostname vimserver[18575]: PGS17200: Authentication failed for user domain\jones_b. - - -rule = 9610 -alert = 5 -decoder = cimserver - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cisco_ios.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cisco_ios.ini deleted file mode 100644 index e4a7a1e..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cisco_ios.ini +++ /dev/null @@ -1,21 +0,0 @@ -[cisco ios ids: sig] -log 1 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444] -log 2 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80] -log 3 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80] - - -rule = 20100 -alert = 8 -decoder = cisco-ios - - -[cisco ios: acl ] -log 1 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet -log 2 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet - - -rule = 4100 -alert = 0 -decoder = cisco-ios - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini deleted file mode 100644 index ae036ef..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini +++ /dev/null @@ -1,38 +0,0 @@ -[successful login] -log 1 fail = [2016-04-18 13:07:02 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd -log 2 fail = [2016-04-18 13:07:15 -0400] info [cpsrvd] 10.1.5.19 - reseller (possessor: root) - SUCCESS LOGIN cpaneld -log 3 fail = [2016-04-18 13:08:27 -0400] info [cpsrvd] 10.1.5.19 - emailaccount@reseller.com (possessor: reseller) - SUCCESS LOGIN webmaild - -rule = 11007 -alert = 3 -decoder = postgresql_log - - -[cpanel attacks] -log 1 fail = [2017-01-25 06:01:10 -0500] info [cpsrvd] 10.1.5.19 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed) - -rule = 11001 -alert = 5 -decoder = postgresql_log - -[cpanel attacks 2] -log 1 fail = [2016-11-18 09:32:19 +0000] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist) - -rule = 11000 -alert = 5 -decoder = cpanel-login - -[successful login 2] -log 1 fail = [2016-04-18 13:07:02 +0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd - -rule = 11006 -alert = 3 -decoder = cpanel-login - -[session purge] -log 1 fail = [2017-01-25 06:15:38 -0500] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout - -rule = 11009 -alert = 3 -decoder = postgresql_log - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dnsmasq.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dnsmasq.ini deleted file mode 100644 index 96f2236..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dnsmasq.ini +++ /dev/null @@ -1,9 +0,0 @@ -[dnsmasq group] -log 1 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 query[A] server.example.com from 10.10.10.33 -log 2 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 forwarded server.example.com to 10.20.20.10 -log 3 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 reply server.example.com is - -rule = 53551 -alert = 0 -decoder = dnsmasq - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/doas.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/doas.ini deleted file mode 100644 index db1d04a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/doas.ini +++ /dev/null @@ -1,28 +0,0 @@ -[failed command] -log 1 fail = Apr 13 08:49:20 ix doas: failed command for ddp2: ls - -rule = 51554 -alert = 5 -decoder = doas - -[command run as root] -log 1 fail = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules - -rule = 51556 -alert = 2 -decoder = doas - -[failed auth] -log 1 fail = Feb 29 14:58:39 ix doas: failed auth for ddp - -rule = 51557 -alert = 5 -decoder = doas - -[doas command run] -log 1 fail = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls - -rule = 51555 -alert = 1 -decoder = doas - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dovecot.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dovecot.ini deleted file mode 100644 index 691bc82..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dovecot.ini +++ /dev/null @@ -1,81 +0,0 @@ -[auth failed] -log 1 pass = Dec 19 06:21:06 ny dovecot: imap-login: Disconnected (auth failed, 7 attempts in 111 secs): user=, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<+hgd5vxDBMZtycjJ> -log 2 pass = Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user -log 3 pass = Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module - -rule = 9705 -alert = 5 -decoder = dovecot - -[dovecot is starting] -log 1 pass = Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled) - -rule = 9703 -alert = 3 -decoder = dovecot - -[fatal error] -log 1 pass = Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap' -log 2 pass = Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down - -rule = 9704 -alert = 2 -decoder = dovecot - -[user authentication failure] -log 1 pass = Jun 23 15:04:05 Info: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5 Authentication Failure: - -rule = 9770 -alert = 0 -decoder = dovecot-info - -[dovecot auth failed] -log 1 pass = Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql(user@example.com,1.2.3.4): Password mismatch - -rule = 9702 -alert = 5 -decoder = dovecot - -[XXX nothing] -log 1 fail = Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb -log 3 fail = May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured - -rule = 1002 -alert = 2 -decoder = - -[XXX unknown 1002] -log 1 pass = Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module - -rule = 9771 -alert = 5 -decoder = dovecot-info - -[session disconnected] -log 1 pass = Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5 - -rule = 9706 -alert = 3 -decoder = dovecot - -[aborted login] -log 1 pass = Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5 - -rule = 9707 -alert = 5 -decoder = dovecot - -[XXX logged out] -log 1 fail = Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566 - -rule = 1002 -alert = 2 -decoder = dovecot-info - -[unknown user] -log 1 pass = Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user - -rule = 9771 -alert = 5 -decoder = dovecot-info - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dpkg.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dpkg.ini deleted file mode 100644 index 61890b6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dpkg.ini +++ /dev/null @@ -1,8 +0,0 @@ -[dpkg log] -log 1 pass = 2018-05-31 12:09:56 upgrade vlc-plugin-visualization:amd64 3.0.2-1+b1 3.0.3-1 -log 2 pass = 2018-05-11 09:41:49 conffile /etc/redis/redis.conf keep - -rule = 2900 -alert = 0 -decoder = windows-date-format - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dropbear.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dropbear.ini deleted file mode 100644 index b48008f..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/dropbear.ini +++ /dev/null @@ -1,7 +0,0 @@ -[already listening] -log 1 pass = Jun 25 14:04:30 10.0.0.1 dropbear[30746]: Failed listening on '7001': Error listening: Address already in use - -rule = 51011 -alert = 1 -decoder = dropbear - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/exim.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/exim.ini deleted file mode 100644 index f685365..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/exim.ini +++ /dev/null @@ -1,29 +0,0 @@ -[auth failure] -log 1 pass = 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user) -log 2 pass = 2017-01-24 05:22:29 dovecot_plain authenticator failed for (test) [::1]:39454: 535 Incorrect authentication data (set_id=test) - -rule = 13006 -alert = 5 -decoder = windows-date-format - -[exim connection] -log 1 pass = 2017-01-24 03:09:46 SMTP connection from [10.101.1.10]:55010 (TCP/IP connection count = 1) - -rule = 13008 -alert = 0 -decoder = windows-date-format - -[exim connection lost] -log 1 pass = 2017-01-24 02:53:13 SMTP connection from (hydra) [10.101.1.10]:53682 lost - -rule = 13009 -alert = 1 -decoder = windows-date-format - -[exim syntax/protocol error] -log 1 pass = 2017-01-24 05:36:23 SMTP call from (000000) [::1]:39480 dropped: too many syntax or protocol errors (last command was "123") - -rule = 13010 -alert = 5 -decoder = windows-date-format - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/firewalld.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/firewalld.ini deleted file mode 100644 index ceb925c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/firewalld.ini +++ /dev/null @@ -1,21 +0,0 @@ -[Incorrect chain/target/match.] -log 3 fail = Jul 18 10:51:43 localhost firewalld: 2014-07-18 10:51:43 ERROR: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: iptables: No chain/target/match by that name. - -rule = 40902 -alert = 3 -decoder = - -[Incorrect chain/target/match.] -log 3 fail = Jul 18 10:51:43 localhost firewalld: 2014-07-18 10:51:43 ERROR: COMMAND_FAILED: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: iptables: No chain/target/match by that name. - -rule = 40902 -alert = 3 -decoder = - -[firewalld: zone already set] -log 3 fail = Jul 18 11:04:51 localhost firewalld: 2014-07-18 11:04:51 ERROR: ZONE_ALREADY_SET - -rule = 40903 -alert = 2 -decoder = - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/mailscanner.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/mailscanner.ini deleted file mode 100644 index 725bbbe..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/mailscanner.ini +++ /dev/null @@ -1,6 +0,0 @@ -[update phishing] -log 1 fail = Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated -rule = 3752 -alert = 0 -decoder = - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/modsecurity.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/modsecurity.ini deleted file mode 100644 index 7331dd2..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/modsecurity.ini +++ /dev/null @@ -1,20 +0,0 @@ -[ModSecurity Warning messages grouped] -log 1 pass = [Mon Feb 09 16:47:55.974089 2015] [:error] [pid 17675] [client 172.16.10.87] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "172.16.10.91"] [uri "/wordpress/wp-includes/rss-functions.php"] [unique_id "VNkA238AAQEAAEULYMwAAAAA"] -log 2 pass = [Thu Jan 22 14:33:30.959520 2015] [:error] [pid 2406] [client 172.16.10.87] ModSecurity: Warning. Pattern match "^(?i)(?:ft|htt)ps?(.*?)\\\\?+$" at ARGS:path_prefix. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "160"] [id "950119"] [rev "2"] [msg "Remote File Inclusion Attack"] [data "Matched Data: http://cirt.net/rfiinc.txt? found within ARGS:path_prefix: http://cirt.net/rfiinc.txt?"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"] [hostname "172.16.10.91"] [uri "/wordpress/web/BetaBlockModules//Module/Module.php"] [unique_id "VMEmWn8AAQEAAAlmdHgAAAAI"] -rule = 30401 -alert = 0 -decoder = apache-errorlog - -[ModSecurity Audit log messages grouped] -log 1 pass = [Mon Feb 09 21:17:06.798110 2015] [:error] [pid 8608] [client 172.16.10.57] ModSecurity: Audit log: Failed writing (requested 83 bytes, written 24): No space left on device [hostname "172.16.10.91"] [uri "/403.php"] [unique_id "VNk-8n8AAQEAACGg7LEAAAAE"] -log 2 pass = [Wed Feb 11 19:46:12.759594 2015] [:error] [pid 1130] [client 172.16.10.91] ModSecurity: Audit log: Failed to lock global mutex: Identifier removed [hostname "172.16.10.91"] [uri "/wordpress/wp-cron.php"] [unique_id "VNvLw38AAQEAAARqTXsAAAAD"] -rule = 30403 -alert = 0 -decoder = apache-errorlog - -[ModSecurity rejected a query] -log 1 pass = [Mon Feb 09 16:47:55.908176 2015] [:error] [pid 17679] [client 172.16.10.91] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "172.16.10.91"] [uri "/wordpress/wp-cron.php"] [unique_id "VNkA238AAQEAAEUP9hIAAAAI"] -log 2 pass = [Mon Feb 09 16:47:55.973954 2015] [:error] [pid 17675] [client 172.16.10.87] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "172.16.10.91"] [uri "/wordpress/wp-includes/rss-functions.php"] [unique_id "VNkA238AAQEAAEULYMwAAAAA"] -rule = 30411 -alert = 7 -decoder = apache-errorlog diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/named.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/named.ini deleted file mode 100644 index 98e3dd6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/named.ini +++ /dev/null @@ -1,11 +0,0 @@ -[Query cache denied] -log 1 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied -log 2 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.4#32769: query (cache) denied -log 3 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied -log 4 fail = Aug 29 15:33:13 ns3 name[464]: client 217.148.39.4#32769: query (cache) denied -log 5 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) -log 6 pass = Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173 (odcdavcxkvin.games.yuanyou8.com): query (cache) 'odcdavcxkvin.games.yuanyou8.com/A/IN' denied - -rule = 12108 -alert = 5 -decoder = named diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/netscreen.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/netscreen.ini deleted file mode 100644 index 92de03d..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/netscreen.ini +++ /dev/null @@ -1,28 +0,0 @@ -[Firewall configuration changed.] -log 1 pass = 2014-05-23T10:25:58.681222-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-information-00767: System configuration saved by netscreen via web from host 10.10.10.101 to 10.10.10.1:443 by netscreen. (2014-05-23 10:58:17) - -rule = 4509 -alert = 8 -decoder = netscreenfw - -[Firewall policy changed.] -log 1 pass = 2014-05-23T10:29:55.704201-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-notification-00018: Policy (5, Trust->Untrust, 10.10.10.0/24->172.16.19.0/24,ANY, Permit) was modified by netscreen via web from host 10.10.10.101 to 10.10.10.1:443. (2014-05-23 11:02:13) - -rule = 4508 -alert = 8 -decoder = netscreenfw - -[Successfull admin login to the Netscreen firewall] -log 1 pass = 2014-05-23T10:39:20.681154-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-warning-00515: Management session via SSH from 10.10.10.100:0 for admin netscreen has timed out (2014-05-23 11:11:39) - -rule = 4507 -alert = 8 -decoder = netscreenfw - -[syn flood] -log 1 pass = Jul 7 05:02:34 ssg5.17.168.192.in-addr.arpa ssg5: NetScreen device_id=ssg5 [Root]system-emergency-00005: SYN flood! From 192.168.18.53:41437 to 192.168.17.251:9612, proto TCP (zone Untrust int ethernet0/0). Occurred 1 times. (2016-07-07 05:02:32) - -rule = 4560 -alert = 3 -decoder = netscreenfw - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/nginx.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/nginx.ini deleted file mode 100644 index 91aa780..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/nginx.ini +++ /dev/null @@ -1,79 +0,0 @@ -; YYYY/MM/DD HH:MM:SS [LEVEL] PID:TID yadda yadda -[Nginx messages grouped.] -log 1 pass = 2014/12/30 06:07:37 [yadda] 80:2 yadda yadda - -rule = 31300 -alert = 0 -decoder = nginx-errorlog - -[Nginx error message.] -log 1 pass = 2014/12/30 06:07:37 [error] 80:2 yadda yadda - -rule = 31301 -alert = 3 -decoder = nginx-errorlog - -[Nginx warning message.] -log 1 pass = 2014/12/30 06:07:37 [warn] 80:2 yadda yadda - -rule = 31302 -alert = 3 -decoder = nginx-errorlog - -[Nginx critical message.] -log 1 pass = 2014/12/30 06:07:37 [crit] 80:2 - -rule = 31303 -alert = 5 -decoder = nginx-errorlog - -[Server returned 404 (reported in the access.log).] -log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah failed (2: No such file or directory) -log 2 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah is not found (2: No such file or directory) - -rule = 31310 -alert = 0 -decoder = nginx-errorlog - -[Incomplete client request.] -log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah accept() failed (53: Software caused connection abort) - -rule = 31311 -alert = 0 -decoder = nginx-errorlog - -[Initial 401 authentication request.] -log 1 pass = 2015/01/08 11:31:23 [error] 80:2 no user/password was provided for basic authentication - -rule = 31312 -alert = 0 -decoder = nginx-errorlog - -[Web authentication failed.] -log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda password mismatch, client yadda -log 2 pass = 2015/01/08 11:31:23 [error] 80:2 yadda was not found in yadda - -rule = 31315 -alert = 5 -decoder = nginx-errorlog - -# Can't yet test frequency -;[Multiple web authentication failures.] -; -;rule = 31316 -;alert = 10 -;decoder = nginx-errorlog - -[Common cache error when files were removed.] -log 1 pass = 2015/01/08 11:31:23 [crit] 80:2 yadda yadda failed (2: No such file or directory - -rule = 31317 -alert = 0 -decoder = nginx-errorlog - -[Invalid URI, file name too long.] -log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda yadda failed (36: File name too long) - -rule = 31320 -alert = 10 -decoder = nginx-errorlog diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-dhcpd.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-dhcpd.ini deleted file mode 100644 index 799bab6..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-dhcpd.ini +++ /dev/null @@ -1,25 +0,0 @@ -[lease release] -log 1 pass = Jan 26 18:12:55 junction dhcpd[4842]: IP address 192.168.1.16 answers a ping after sending a release -log 2 pass = Jan 26 18:12:40 junction dhcpd[4842]: Possible release spoof - Not releasing address 192.168.17.160 - -rule = 53003 -alert = 5 -decoder = dhcpd - -[no free leases] -log 1 pass = Jan 26 17:42:32 junction dhcpd[4842]: no free leases on subnet 192.168.17.0 - -rule = 53011 -alert = 7 -decoder = dhcpd - -[normal dhcp stuff] -log 1 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPREQUEST for 192.168.17.164 from f4:8c:50:9d:eb:35 via em1 -log 2 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPDISCOVER from f4:8c:50:9d:eb:35 via em1 -log 3 pass = Jan 27 09:25:31 junction dhcpd[71391]: DHCPOFFER on 192.168.17.164 to f4:8c:50:9d:eb:35 via em1 - -rule = 53001 -alert = 1 -decoder = dhcpd - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-httpd.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-httpd.ini deleted file mode 100644 index 5bbdd19..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd-httpd.ini +++ /dev/null @@ -1,14 +0,0 @@ -[access] -log 1 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:29:48 -0400] "GET / HTTP/1.0" 302 0 -log 2 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:32:57 -0400] "GET /nmaplowercheck1531024375 HTTP/1.1" 302 0 -rule = 31100 -alert = 0 -decoder = openbsd-httpd - -[POST] -log 1 pass = www.wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:33:13 -0400] "POST /sdk HTTP/1.1" 404 0 - -rule = 31530 -alert = 3 -decoder = openbsd-httpd - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd.ini deleted file mode 100644 index 77ae661..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/openbsd.ini +++ /dev/null @@ -1,7 +0,0 @@ -[sendsyslog drop] -log 1 fail = Oct 16 08:15:07 ix sendsyslog: dropped 2 messages, error 55 - -rule = 51558 -alert = 4 -decoder = - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/opensmtpd.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/opensmtpd.ini deleted file mode 100644 index 6bb28d5..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/opensmtpd.ini +++ /dev/null @@ -1,49 +0,0 @@ -[message failed] -log 1 pass = Aug 14 10:15:25 junction.example.com smtpd[28882]: smtp-in: Failed command on session 1f55bdcdf16e28a3: "MAIL FROM: " => 421 4.3.0: Temporary Error - -rule = 53501 -alert = 3 -decoder = smtpd - -[new session] -log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: New session 08d856b172f69c5c from host ix.example.com [local] - -rule = 53502 -alert = 0 -decoder = smtpd - -[message accepted] -log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: Accepted message 4296f490 on session 08d856b172f69c5c: from=, to=, size=1746, ndest=1, proto=ESMTP - -rule = 53504 -alert = 0 -decoder = smtpd - -[session closed] -log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: Closing session 08d856b172f69c5c - -rule = 53503 -alert = 0 -decoder = smtpd - -[disconnect] -log 1 pass = Mar 4 00:11:00 ix smtpd[22421]: smtp-in: Received disconnect from session 427e7493ebe154ae - -rule = 53500 -alert = 0 -decoder = smtpd - -[no ssl] -log 1 pass = Mar 4 00:13:55 ix smtpd[22421]: smtp-in: Disconnecting session 427e7497e03518ef: IO error: No SSL error - -rule = 53507 -alert = 2 -decoder = smtpd - -[started tls] -log 1 pass = Mar 4 00:13:55 ix smtpd[22421]: smtp-in: Started TLS on session 427e749c2e46f809: version=TLSv1.2, cipher=EDH-RSA-DES-CBC3-SHA, bits=112 - -rule = 53500 -alert = 0 -decoder = smtpd - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/ossec.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/ossec.ini deleted file mode 100644 index 20c95c5..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/ossec.ini +++ /dev/null @@ -1,41 +0,0 @@ -[ossec: active response: add host] -log 1 pass = Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.16.0.1 1304756247.60385 31151 -rule = 603 -alert = 3 -decoder = ar_log - -[ossec: active response: add firewall] -log 2 pass = Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 172.16.0.1 1304756247.60385 31151 -rule = 601 -alert = 3 -decoder = ar_log - - -[ossec: active response: delete host] -log 3 pass = Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 172.16.0.1 1304756247.60385 31151 -rule = 604 -alert = 3 -decoder = ar_log - - -[ossec: active response: delete firewall] -log 4 pass = Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151 - -rule = 602 -alert = 3 -decoder = ar_log - -[ossec-logcollector: ignore informational messages at startup] -log 1 pass = 2015/01/29 21:09:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'. - -rule = 701 -alert = 0 -decoder = ossec-logcollector - -[agent started] -log 1 pass = ossec: Agent started: 'any' - -rule = 501 -alert = 3 -decoder = ossec - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/pam.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/pam.ini deleted file mode 100644 index a6e1eae..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/pam.ini +++ /dev/null @@ -1,36 +0,0 @@ -[User login failed.] -log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit -log 2 pass = Jun 28 23:01:27 xxxx auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lipjigaglgihgoeadcdaa.p.salmon@xxx.xxx.xxx.xxx rhost=91.195.103.44 - -rule = 5503 -alert = 5 -decoder = pam - -[Attempt to login with an invalid user.] -log 1 pass = Nov 11 22:46:29 localhost vsftpd(pam_unix)[25073]: check pass; user unknown - -rule = 5504 -alert = 5 -decoder = pam - -[Login session opened.] -log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session opened for user news by (uid=0) - -rule = 5501 -alert = 3 -decoder = pam - -[Login session closed.] -log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session closed for user news - -rule = 5502 -alert = 3 -decoder = pam - -[User missed the password more than one time] -log 1 pass = Nov 11 22:46:29 localhost sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root - -rule = 2502 -alert = 10 -decoder = pam - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/postfix.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/postfix.ini deleted file mode 100644 index f8e45ce..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/postfix.ini +++ /dev/null @@ -1,14 +0,0 @@ -[reject rcpt] -log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; from=, to=, proto=ESMTP, helo= - -rule = 3306 -alert = 6 -decoder = postfix-reject - -[domain not found] -log 1 pass = Jun 18 20:59:29 mybox postfix/postscreen[12181]: NOQUEUE: reject: RCPT from [213.158.187.41]:45263: 450 4.3.2 Service currently unavailable; from=, to=, proto=ESMTP, helo= - -rule = 3303 -alert = 5 -decoder = postfix-reject - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/proftpd.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/proftpd.ini deleted file mode 100644 index 84a26a2..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/proftpd.ini +++ /dev/null @@ -1,32 +0,0 @@ -[unable to open incoming connection (reason may vary)] -log 1 pass = Jan 04 22:51:57 server proftpd[26169] server.example.net: Fatal: unable to open incoming connection: Der Socket ist nicht verbunden -rule = 11222 -alert = 4 -decoder = proftpd - -[FTP Authentication success] -log 1 pass = Jan 04 22:51:57 hayaletgemi proftpd[26916]: hayaletgemi (85.101.218.135[85.101.218.135]) - ANON anonymous: Login successful. -log 2 pass = Jan 04 22:51:57 juf01 proftpd[12564]: juf01 (pD9EE35B1.dip.t-dialin.net[217.238.53.177]) - USER jufu: Login successful -log 3 pass = Jan 04 22:51:57 xx.yy.zz proftpd[30362] xx.yy.zz (aa.bb.cc[aa.bb.vv.dd]): USER backup: Login successful. -rule = 11205 -alert = 3 -decoder = proftpd - -[Connection refused by TCP Wrappers] -log 1 pass = Jan 04 22:51:57 server proftpd[2344]: refused connect from 192.168.1.2 (192.168.1.2) -rule = 11207 -alert = 5 -decoder = proftpd - -[Connection denied by ProFTPD configuration] -log 1 pass = Jan 04 22:51:57 valhalla proftpd[15181]: valhalla (crawl-66-249-66-80.googlebot.com[66.249.66.80]) - Connection from crawl-66-249-66-80.googlebot.com [66.249.66.80] denied. -rule = 11206 -alert = 5 -decoder = proftpd - -[Login failed accessing the FTP server] -log 1 pass = 2015-04-16 21:51:02,805 zuse proftpd[26189] zuse.domain.com (182.100.67.115[182.100.67.115]): USER root (Login failed): Incorrect password -rule = 11204 -alert = 5 -decoder = proftpd - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/rsh.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/rsh.ini deleted file mode 100644 index 9804df0..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/rsh.ini +++ /dev/null @@ -1,8 +0,0 @@ -[rshd: illegal] -log 1 pass = Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port -log 2 fail = Dec 17 10:49:23 hostname rhsd[347339]: Connection from 10.217.223.31 on illegal port - -rule = 2551 -alert = 10 -decoder = rshd - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/samba.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/samba.ini deleted file mode 100644 index 23a3372..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/samba.ini +++ /dev/null @@ -1,23 +0,0 @@ -[samba: denied connect] -log 1 pass = Dec 18 18:06:28 hostname smbd[832]: Denied connection from (192.168.3.23) - - -rule = 13102 -alert = 5 -decoder = smbd - -[samba: connect denied] -log 1 pass = Dec 18 18:06:28 hostname smbd[832]: Denied connection from (192.168.3.23) - - -rule = 13102 -alert = 5 -decoder = smbd - -[samba: permission denied] -log 1 fail = Dec 18 18:06:28 hostname smbd[17535]: Permission denied user not allowed to delete, pause, or resume print job. User name: ahmet. Printer name: prnq1. -log 2 fail = Dec 18 18:06:28 hostname smbd[17535]: Permission denied\-\- user not allowed to delete, pause, or resume print job. User name: ahmet. Printer name: prnq1. - -rule = 13102 -alert = 5 -decoder = smbd diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sshd.ini.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sshd.ini.gz deleted file mode 100644 index 020ece1..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sshd.ini.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/su.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/su.ini deleted file mode 100644 index 023106b..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/su.ini +++ /dev/null @@ -1,27 +0,0 @@ -[su: failed ] -log 1 pass = Apr 27 15:22:23 niban su[2921936]: failed: ttyq4 changing from ldap to root -log 2 pass = Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0 -rule = 5302 -alert = 9 -decoder = su - -[su: bad pass] -log 1 pass = Apr 27 15:22:23 niban su[234]: BAD SU ger to fwmaster on /dev/ttyp0 -rule = 5301 -alert = 5 -decoder = su - -[su: pam - auth fail] -log 1 fail = Apr 27 15:22:23 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit -log 2 fail = Apr 27 15:22:23 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root -rule = 5503 -alert = 5 -decoder = su - - -[su: work fts] -log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1 -rule = 5305 -alert = 4 -decoder = su - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini deleted file mode 100644 index f0eedc5..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini +++ /dev/null @@ -1,38 +0,0 @@ -[sudo: all] -log 1 pass = Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast -log 2 pass = Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin -log 3 pass = Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid . -log 4 pass = Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash - -rule = 5403 -alert = 4 -decoder = sudo - -[Failed attempt to run sudo] -log 1 pass = Jun 25 15:51:13 precise32 sudo: mike : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls - -rule = 5401 -alert = 5 -decoder = sudo - -[First time user executed sudo] -log 1 pass = Jun 25 15:48:21 precise32 sudo: mike : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su - - -rule = 5403 -alert = 4 -decoder = sudo - -[3 incorrect password attempts] -log 1 pass = Jun 25 16:15:45 precise32 sudo: mike : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls - -rule = 5404 -alert = 10 -decoder = sudo - -[unauthorized user] -log 1 pass = Apr 13 08:36:31 ix sudo: ddp2 : user NOT in sudoers ; TTY=ttypZ ; PWD=/home/ddp2 ; USER=root ; COMMAND=/bin/ls - -rule = 5405 -alert = 5 -decoder = sudo - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/syslog.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/syslog.ini deleted file mode 100644 index 44c2029..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/syslog.ini +++ /dev/null @@ -1,43 +0,0 @@ -[Uninteresting nouveau error.] -log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR BEGIN_END_ACTIVE - -rule = 2944 -alert = 1 -decoder = - -[Uninteresting nouveau error.] -log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR - -rule = 2944 -alert = 1 -decoder = - -[Incorrect chain/target/match.] -log 3 fail = Jul 18 10:51:43 localhost NetworkManager[1366]: (enp1s0) firewall zone remove failed: (32) COMMAND_FAILED: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: ipta -bles: No chain/target/match by that name. - -rule = 2941 -alert = 3 -decoder = NetworkManager - -[rsyslog may be dropping messages due to rate-limiting.] -log 1 fail = Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting - -rule = 2945 -alert = 4 -decoder = - -[Non-standard syslog-ng format with year.] -log 1 fail = 2015 2015 Nov 13 13:40:01 ether rsyslogd-2177: imuxsock begins to drop messages from pid 17840 due to rate-limiting - -rule = 2945 -alert = 4 -decoder = - -[useradd failed] -log 1 fail = May 4 18:21:10 collectd useradd[15178]: failed adding user 'ansible', data deleted - -rule = 5905 -alert = 0 -decoder = - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sysmon.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sysmon.ini deleted file mode 100644 index 7483659..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sysmon.ini +++ /dev/null @@ -1,18 +0,0 @@ -[Sysmon EventID#1 - Suspicious svchost process] -log 1 pass = 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 2:29 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log User: WIN-U93G48C7BOP\Administrator LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\Explorer.EXE ParentCommandLine: C:\Windows\Explorer.EXE -rule = 18501 -alert = 12 -decoder = Sysmon-EventID#1 - -[Sysmon EventID#1 - non-Suspicious svchost process] -log 1 pass = 2014 Dec 20 12:15:13 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 12:15 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\windows\system32\svchost.exe -k defragsvc" User: NT AUTHORITY\SYSTEM LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\System32\services.exe ParentCommandLine: C:\Windows\System32\services.exe -rule = 18502 -alert = 0 -decoder = Sysmon-EventID#1 - -[Windows Event] -2015 Mar 30 15:47:04 WinEvtLog: System: INFORMATION(1): Sysmon: UserName: SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/30/2015 10:47:04.494 PM ProcessGuid: {7531FA7E-D268-5519-0000-00105DF81A06} ProcessId: 4388 Image: C:\WINDOWS\system32\cmd.exe CommandLine: "C:\windows\system32\cmd.exe" User: SYSTEM-NAME\UserName LogonGuid: {7531FA7E-CFE1-5519-0000-0020F62C1906} LogonId: 0x6192cf6 TerminalSessionId: 3 IntegrityLevel: no level HashType: SHA1 Hash: 254E37EC33C921C5AB253F14F9274F349B3CCC2D ParentProcessGuid: {7531FA7E-CFE2-5519-0000-0010CC5A1906} ParentProcessId: 1008 ParentImage: C:\WINDOWS\explorer.exe ParentCommandLine: C:\windows\Explorer.EXE -rule = 18101 -alert = 0 -decoder = Sysmon-EventID#1 - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/systemd.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/systemd.ini deleted file mode 100644 index 73b9f50..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/systemd.ini +++ /dev/null @@ -1,7 +0,0 @@ -[Stale file handle.] -log 3 fail = Jul 19 07:28:02 localhost systemd: Failed to mark scope session-1024.scope as abandoned : Stale file handle - -rule = 40701 -alert = 0 -decoder = - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/unbound.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/unbound.ini deleted file mode 100644 index d82ba11..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/unbound.ini +++ /dev/null @@ -1,30 +0,0 @@ -;[Can't assign requested address.] -;log 1 pass = 2014-05-20T09:01:07.283219-04:00 arrakis unbound: [9405:0] notice: sendto failed: Can't assign requested address -; -;rule = 500100 -;alert = 2 -;decoder = unbound -; -;[DNS A request] -;log 1 pass = 2014-07-14T14:00:02.814490-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 talkgadget.google.com. A IN -; -;rule = 500101 -;alert = 0 -;decoder = unbound -; -;[Info grouping.] -;log 1 pass = 2014-07-14T14:00:05.507848-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: 3 queries, 2 answers from cache, 1 recursions, 0 prefetch -; -;rule = 500002 -;alert = 1 -;decoder = unbound -; -;[Info grouping.] -;log 1 pass = 2014-07-14T14:00:05.507955-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0 -; -;rule = 500002 -;alert = 1 -;decoder = unbound -; - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/vsftpd.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/vsftpd.ini deleted file mode 100644 index 32edb78..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/vsftpd.ini +++ /dev/null @@ -1,16 +0,0 @@ -[CONNECT] -log 1 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "fe80::baac:6fff:fe7d:d2e0" -log 2 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "10.11.12.13" - -rule = 11401 -alert = 3 -decoder = vsftpd - -[LOGIN] -log 1 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101" -log 2 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "fe80::baac:6fff:fe7d:d2e0" - -rule = 11403 -alert = 5 -decoder = vsftpd - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_appsec.ini.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_appsec.ini.gz deleted file mode 100644 index f209534..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_appsec.ini.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_rules.ini.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_rules.ini.gz deleted file mode 100644 index bd22113..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/web_rules.ini.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.conf b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.conf deleted file mode 100644 index 45fa23c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.conf +++ /dev/null @@ -1,11 +0,0 @@ -# PARAMS USED BY OSSEC2BASED -dbhost=localhost -database=ossecbase -debug=5 -dbport=3306 -dbpasswd=yourpassword -dbuser=youruser -daemonize=0 -sensor=centralserver -hids_interface=ossec -resolve=1 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.pl.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.pl.gz deleted file mode 100644 index 10993b2..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.pl.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.sql b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.sql deleted file mode 100644 index 40f934b..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysql.sql +++ /dev/null @@ -1,96 +0,0 @@ - --- --- Table structure for table `acid_event` --- - -CREATE TABLE `acid_event` ( - `sid` int(10) unsigned NOT NULL, - `cid` int(10) unsigned NOT NULL, - `signature` varchar(255) NOT NULL, - `sig_name` varchar(255) default NULL, - `sig_class_id` int(10) unsigned default NULL, - `sig_priority` int(10) unsigned default NULL, - `timestamp` datetime NOT NULL, - `ip_src` int(10) unsigned default NULL, - `ip_dst` int(10) unsigned default NULL, - `ip_proto` int(11) default NULL, - `layer4_sport` int(10) unsigned default NULL, - `layer4_dport` int(10) unsigned default NULL, - `username` varchar(255) default NULL, - PRIMARY KEY (`sid`,`cid`), - KEY `signature` (`signature`), - KEY `sig_name` (`sig_name`), - KEY `sig_class_id` (`sig_class_id`), - KEY `sig_priority` (`sig_priority`), - KEY `timestamp` (`timestamp`), - KEY `ip_src` (`ip_src`), - KEY `ip_dst` (`ip_dst`), - KEY `ip_proto` (`ip_proto`), - KEY `layer4_sport` (`layer4_sport`), - KEY `layer4_dport` (`layer4_dport`) -) ENGINE=MyISAM DEFAULT CHARSET=latin1; - --- -------------------------------------------------------- - --- --- Table structure for table `data` --- - -CREATE TABLE `data` ( - `sid` int(10) unsigned NOT NULL, - `cid` int(10) unsigned NOT NULL, - `data_payload` text, - PRIMARY KEY (`sid`,`cid`) -) ENGINE=MyISAM DEFAULT CHARSET=latin1; - --- -------------------------------------------------------- - --- --- Table structure for table `event` --- - -CREATE TABLE `event` ( - `sid` int(10) unsigned NOT NULL, - `cid` int(10) unsigned NOT NULL, - `signature` int(10) unsigned NOT NULL, - `timestamp` datetime NOT NULL, - PRIMARY KEY (`sid`,`cid`), - KEY `sig` (`signature`), - KEY `time` (`timestamp`) -) ENGINE=MyISAM DEFAULT CHARSET=latin1; - --- -------------------------------------------------------- - --- --- Table structure for table `sensor` --- - -CREATE TABLE `sensor` ( - `sid` int(10) unsigned NOT NULL auto_increment, - `hostname` text, - `interface` text, - `filter` text, - `detail` tinyint(4) default NULL, - `encoding` tinyint(4) default NULL, - `last_cid` int(10) unsigned NOT NULL, - PRIMARY KEY (`sid`) -) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=6 ; - --- -------------------------------------------------------- - --- --- Table structure for table `signature` --- - -CREATE TABLE `signature` ( - `sig_id` int(10) unsigned NOT NULL auto_increment, - `sig_name` varchar(255) NOT NULL, - `sig_class_id` int(10) unsigned NOT NULL, - `sig_priority` int(10) unsigned default NULL, - `sig_rev` int(10) unsigned default NULL, - `sig_sid` int(10) unsigned default NULL, - `sig_gid` int(10) unsigned default NULL, - PRIMARY KEY (`sig_id`), - KEY `sign_idx` (`sig_name`(20)), - KEY `sig_class_id_idx` (`sig_class_id`) -) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=47 ; diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysqld.pl.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysqld.pl.gz deleted file mode 100644 index cffc1c4..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2mysqld.pl.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2rss.php b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2rss.php deleted file mode 100644 index c5ab83a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec2rss.php +++ /dev/null @@ -1,124 +0,0 @@ - 30000) -{ - fseek($fh, -30000, SEEK_END); - $line = fgets($fh, 4096); -} - - -$lastlines = array(); -$event = array(); -while($line = fgets($fh, 4096)) -{ - $line = trim($line); - if($line == "") - { - continue; - } - - if(strncmp($line, "** Alert ", 9) == 0) - { - if(strncmp($event, "** Alert ", 9) == 0) - { - array_push($lastlines, $event); - } - unset($event); - $event = array(); - $event[] = htmlspecialchars($line); - } - else - { - $event[] = htmlspecialchars($line); - } -} -fclose($fh); - -$lastlines = array_reverse($lastlines); -$myhost = gethostname(); -if($myhost === FALSE) -{ - $myhost = ""; -} - -echo ' - - - -OSSEC '.$myhost.' RSS Feed -http://ossec.net -OSSEC RSS Feed for '.$myhost.' -en-us -'.date("r", $timelp).' -'.date("r", $timelp).' -(C) OSSEC.net 2008-2011 -OSSEC.net RSS feed -30 -dcid@ossec.net - - - OSSEC Alert Feed - http://www.ossec.net/img/ossec_logo.jpg - http://ossec.net - -'; - -foreach($lastlines as $myentry) -{ -echo $myentry; - - if(preg_match("/^.. Alert (\d+)\./", $myentry[0], $regs, PREG_OFFSET_CAPTURE, 0)) - { - $myunixtime = $regs[1][0]; - } - else - { - continue; - } - - - echo ' - - '.$myentry[2]." ,from ".substr($myentry[1], 20).' - http://ossec.net - '.$myentry[0].' - \n"; } - - echo ' - ]]> - '.date("r", $myunixtime).' - - '; -} - -echo ' - - -'; - - -?> diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_report.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_report.txt deleted file mode 100644 index 6cfa383..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_report.txt +++ /dev/null @@ -1,26 +0,0 @@ -OSSEC report tool 0.1 -Licensed under GPL -Contributor Meir Michanie -ossec_report_contrib.pl [-h|--help] # This text you read now -ossec_report_contrib.pl [-r|--report] # prints a report for each element -ossec_report_contrib.pl [-s|--summary] # prints a summary report -ossec_report_contrib.pl [-t|--top] #prints the top list - -How To: -======= - -ossec_report_contrib.pl OSSEC report tool 0.1 -ossec_report_contrib.pl is a GNU style program. -It reads from STDIN and write to stdout. This gives you the advantage to use it in pipes. -i.e. -cat ossec-alerts-05.log | ossec_report_contrib.pl -r | mail root -s 'OSSEC detailed report' -cat ossec-alerts-05.log | ossec_report_contrib.pl -s | mail root -s 'OSSEC summary report' -cat | ossec_report_contrib.pl -t | head -n 15 (for top 15) -cat | ossec_report_contrib.pl -s (for summary) - -Crontab entry: -58 23 * * * (cat ossec-alerts-05.log | ossec_report_contrib.pl -s) - - -The could be any one of the variables used in ossec log: -mail,alerthost,datasource,rule,level,description,srcip,user. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_report_contrib.pl.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_report_contrib.pl.gz deleted file mode 100644 index 790d900..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_report_contrib.pl.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_rules_list.py b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_rules_list.py deleted file mode 100644 index 45b0d3a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec_rules_list.py +++ /dev/null @@ -1,55 +0,0 @@ -#!/usr/bin/python -# OSSEC Rules list -# Simple script to get a short brief of every rule in OSSEC rules folder -# Written Feb 25, 2016 and released under the GNU/GPLv2 license ## -# By pedro@wazuh.com @ Wazuh, Inc. - -import sys -import re -import os - -rules_directory = "/var/ossec/rules/" - -def GetRulesList(fulldir, filename): - rule_detected = 0 - rule_description = 0 - level = "" - sidid = "" - description = "" - pattern_idlevel = re.compile(r'(.+?)') - pattern_endrule = re.compile(r'') - try: - with open(fulldir) as f: - lines = f.readlines() - for line in lines: - if rule_detected == 0: - match = re.findall(pattern_idlevel, line) - if match: - rule_detected = 1 - sidid = match[0][0] - level = match[0][1] - else: - if rule_description == 0: - match = re.findall(pattern_description, line) - if match: - rule_description = 1 - description = match[0] - if rule_description == 1: - match = re.findall(pattern_endrule, line) - if match: - print "%s - Rule %s - Level %s -> %s" % (filename,sidid,level,description) - rule_detected = 0 - rule_description = 0 - level = "" - sidid = "" - description = "" - except EnvironmentError: - print ("Error: OSSEC rules directory does not appear to exist") - -if __name__ == "__main__": - print ("Reading rules from directory %s") % (rules_directory) - for root, directories, filenames in os.walk(rules_directory): - for filename in filenames: - if filename[-4:] == ".xml": - GetRulesList(os.path.join(root,filename), filename) diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossecmysql.pm b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossecmysql.pm deleted file mode 100644 index 260c3e2..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossecmysql.pm +++ /dev/null @@ -1,75 +0,0 @@ -use DBI; -use strict; -package ossecmysql; - -sub new(){ - my $type = shift; - my %conf=@_; - my $self={}; - my $flag; - $self->{database}=$conf{database}; - $self->{dbhost}=$conf{dbhost}; - $self->{dbport}=$conf{dbport}; - $self->{dbuser}=$conf{dbuser}; - $self->{dbpasswd}=$conf{dbpasswd}; - - $self->{dsn} = "DBI:mysql:database=$self->{database};host=$self->{dbhost};port=$self->{dbport}"; - $self->{dbh} = DBI->connect($self->{dsn}, $self->{dbuser},$self->{dbpasswd}); - bless $self, $type; -} -sub fetchrecord(){ - my $self= shift ; - my ($rows)=@_; - my ($pointer,$numrows,$fields)=(${$rows}[0],${$rows}[1],${$rows}[2]); - my @result; - return if $pointer == $numrows; - for (my $i=0; $i < $fields; $i ++){ - my $field= @{$rows}[($pointer * $fields) + 3 + $i ]; - push (@result, $field); - } - ${$rows}[0] ++; - - return @result; -} -sub fetchrows(){ - my $self = shift ; - my ($query)=shift; - my @params= @_; - my @rows; - my $numFields; - my $numRows; - $numRows=$numFields=0; - $self->{sth}=$self->{dbh}->prepare($query); - $self->{sth}->execute(@params) ; - $numRows = $self->{sth}->rows; - my @row=(); - return @rows unless $numRows>0; - $numFields = $self->{sth}->{'NUM_OF_FIELDS'}; - push (@rows,0,$numRows,$numFields); - while(@row=$self->{sth}->fetchrow_array){ - push (@rows,@row); - } - - $self->{sth}->finish; - return @rows; - -} - -sub execute(){ - my $self = shift ; - my $flag; - my ($query)=shift; - my @params= @_; - my @rows= (); - my $numFields; - my $numRows; - $numRows=$numFields=0; - $self->{sth} = $self->{dbh}->prepare($query); - return $self->{sth}->execute(@params) ; -} - -sub lastid(){ - my $self = shift ; - return $self->{sth}->{mysql_insertid}; -} -1 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossectop.pl.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossectop.pl.gz deleted file mode 100644 index 8c21ba8..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossectop.pl.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/rename_agent.sh b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/rename_agent.sh deleted file mode 100644 index 1404c8c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/rename_agent.sh +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/sh - -# Rename an OSSEC agent (must be run on both agent and server) - -# Sanity checks - -if [ $# -ne 2 ]; then - echo Usage: $0 old-name new-name - exit 1 -fi - -if ! [ -e /etc/ossec-init.conf ]; then - echo ossec-init.conf not found. Exiting... - exit 1 -fi - -. /etc/ossec-init.conf -KEYFILE=$DIRECTORY/etc/client.keys - -# Get the IP address from the key file -IPADDR=`grep -w "${1}" $KEYFILE | cut -d " " -f 3` -if [ -z ${IPADDR} ]; then - echo Agent ${1} not found. Exiting... - exit 1 -fi - -# stop OSSEC -/var/ossec/bin/ossec-control stop - -# Update the key record -sed -i $KEYFILE -e "s/${1}/${2}/" - -# Rename files and directories (manager) - -cd $DIRECTORY/queue - -if [ -e "agent-info/${1}-${IPADDR}" ]; then - mv "agent-info/${1}-${IPADDR}" \ - "agent-info/${2}-${IPADDR}" -fi - -if [ -e "diff/${1}" ]; then - mv "diff/${1}" \ - "diff/${2}" -fi - -if [ -e "rootcheck/(${1}) ${IPADDR}->rootcheck" ]; then - mv "rootcheck/(${1}) ${IPADDR}->rootcheck" \ - "rootcheck/(${2}) ${IPADDR}->rootcheck" -fi - -if [ -e "syscheck/(${1}) ${IPADDR}->syscheck" ]; then - mv "syscheck/(${1}) ${IPADDR}->syscheck" \ - "syscheck/(${2}) ${IPADDR}->syscheck" -fi - -if [ -e "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" ]; then - mv "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" \ - "syscheck/.(${2}) ${IPADDR}->syscheck.cpt" -fi - -# Restart OSSEC -/var/ossec/bin/ossec-control start diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/renumber_agent.sh b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/renumber_agent.sh deleted file mode 100644 index 45e8a80..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/renumber_agent.sh +++ /dev/null @@ -1,59 +0,0 @@ -#!/bin/sh - -# Renumber (change IP address) an OSSEC agent (must be run on both agent -# and server) - -# Sanity checks - -if [ $# -ne 2 ]; then - echo Usage: $0 agent-name new-IP-address - exit 1 -fi - -if ! [ -e /etc/ossec-init.conf ]; then - echo ossec-init.conf not found. Exiting... - exit 1 -fi - -. /etc/ossec-init.conf -KEYFILE=$DIRECTORY/etc/client.keys - -# Get the IP address from the key file -IPADDR=`grep -w "${1}" $KEYFILE | cut -d " " -f 3` -if [ -z ${IPADDR} ]; then - echo Agent ${1} not found. Exiting... - exit 1 -fi - -# stop OSSEC -/var/ossec/bin/ossec-control stop - -# Update the key record -sed -i $KEYFILE -e "s/${IPADDR}/${2}/" - -# Rename files and directories (manager) - -cd $DIRECTORY/queue - -if [ -e "agent-info/${1}-${IPADDR}" ]; then - mv "agent-info/${1}-${IPADDR}" \ - "agent-info/${1}-${2}" -fi - -if [ -e "rootcheck/(${1}) ${IPADDR}->rootcheck" ]; then - mv "rootcheck/(${1}) ${IPADDR}->rootcheck" \ - "rootcheck/(${1}) ${2}->rootcheck" -fi - -if [ -e "syscheck/(${1}) ${IPADDR}->syscheck" ]; then - mv "syscheck/(${1}) ${IPADDR}->syscheck" \ - "syscheck/(${1}) ${2}->syscheck" -fi - -if [ -e "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" ]; then - mv "syscheck/.(${1}) ${IPADDR}->syscheck.cpt" \ - "syscheck/.(${1}) ${2}->syscheck.cpt" -fi - -# Restart OSSEC -/var/ossec/bin/ossec-control start diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/README.md b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/README.md deleted file mode 100644 index 45b3116..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/README.md +++ /dev/null @@ -1,17 +0,0 @@ -## Ossec-agent SELinux module -SELinux module provides additional security protection for ossec application - -## Installation -1. Run semodule -i ossec\_agent.pp.bz2 on a running SELinux installation -2. Run restorecon -R /var/ossec -3. Restart ossec agent via systemd/init/etc -4. Check if it get right context ( ps -AZ ) - -You should do chcon manually if your put ossec installation in different place, see .fc file for details - -## Configuration -Nothing to configure :) - -## Bug reports & contribution -Contact: ivan.agarkov@gmail.com - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent.pp.bz2 b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent.pp.bz2 deleted file mode 100644 index 098a0fe..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent.pp.bz2 and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.fc b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.fc deleted file mode 100644 index e09fb9a..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.fc +++ /dev/null @@ -1,23 +0,0 @@ -/var/ossec/bin/agent-auth -- system_u:object_r:ossec_admin_exec_t:s0 -/var/ossec/bin/manage_client -- system_u:object_r:ossec_admin_exec_t:s0 -/var/ossec/bin/ossec-client.sh -- system_u:object_r:ossec_admin_exec_t:s0 -/var/ossec/bin/ossec-configure -- system_u:object_r:ossec_admin_exec_t:s0 -/var/ossec/bin/ossec-control system_u:object_r:ossec_admin_exec_t:s0 -/var/ossec/bin/ossec-fix-id.sh -- system_u:object_r:ossec_admin_exec_t:s0 - -/var/ossec/bin/ossec-logcollector system_u:object_r:ossec_logcollector_exec_t:s0 -/var/ossec/bin/client-logcollector system_u:object_r:ossec_logcollector_exec_t:s0 -/var/ossec/bin/client-syscheckd system_u:object_r:ossec_syscheck_exec_t:s0 -/var/ossec/bin/ossec-agentd -- system_u:object_r:ossec_agent_exec_t:s0 -/var/ossec/bin/ossec-syscheckd system_u:object_r:ossec_syscheck_exec_t:s0 -/var/ossec/bin/ossec-execd -- system_u:object_r:ossec_exec_exec_t:s0 - -/var/ossec system_u:object_r:usr_t:s0 -/var/ossec/bin system_u:object_r:bin_t:s0 -/var/ossec/agentless(/.*)? system_u:object_r:bin_t:s0 -/var/ossec/active-response(/.*)? system_u:object_r:bin_t:s0 -/var/ossec/etc(/.*)? system_u:object_r:ossec_conf_t:s0 -/var/ossec/queue(/.*)? system_u:object_r:ossec_queue_t:s0 -/var/ossec/logs(/.*)? system_u:object_r:ossec_log_t:s0 -/var/ossec/tmp(/.*)? system_u:object_r:ossec_tmp_t:s0 -/var/ossec/var(/.*)? system_u:object_r:ossec_var_t:s0 diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.if b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.if deleted file mode 100644 index 3eb6a30..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.if +++ /dev/null @@ -1 +0,0 @@ -## diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.te b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.te deleted file mode 100644 index 1b012ad..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/selinux/ossec_agent/ossec_agent.te +++ /dev/null @@ -1,100 +0,0 @@ -policy_module(ossec_agent, 1.0.4) -# selinux module for OSSEC (tm) agent -# (C) Ivan Agarkov, 2017 -# exec file types -type ossec_agent_exec_t; -type ossec_exec_exec_t; -type ossec_logcollector_exec_t; -type ossec_syscheck_exec_t; -type ossec_admin_exec_t; -# data file types -type ossec_log_t; # logs/ -type ossec_conf_t; # /etc -type ossec_queue_t; # /queue -type ossec_tmp_t; # /tmp -type ossec_var_t; # /var -# process attributes -attribute ossec_process; -# process types -type ossec_agent_t, ossec_process; -type ossec_exec_t, ossec_process; -type ossec_logcollector_t, ossec_process; -type ossec_syscheck_t, ossec_process; -type ossec_admin_t; - -# types definitions -init_daemon_domain(ossec_agent_t, ossec_agent_exec_t) -init_daemon_domain(ossec_logcollector_t, ossec_logcollector_exec_t) -init_daemon_domain(ossec_syscheck_t, ossec_syscheck_exec_t) -init_daemon_domain(ossec_exec_t, ossec_exec_exec_t) -application_domain(ossec_admin_t, ossec_admin_exec_t) - -files_type(ossec_queue_t) -files_type(ossec_var_t) -logging_log_file(ossec_log_t) -files_config_file(ossec_conf_t) -files_tmp_file(ossec_tmp_t) -# type transition for all -files_tmp_filetrans(ossec_process, ossec_tmp_t, {file dir lnk_file}) -filetrans_pattern(ossec_process, ossec_queue_t, ossec_queue_t, {file dir lnk_file sock_file}) -filetrans_pattern(ossec_process, ossec_var_t, ossec_var_t, {file dir lnk_file }) -filetrans_pattern(ossec_process, ossec_conf_t, ossec_conf_t, {file dir lnk_file }) -filetrans_pattern(ossec_process, ossec_tmp_t, ossec_tmp_t, {file dir lnk_file }) -# allow ossec agent to read & edit all -read_files_pattern(ossec_process, ossec_conf_t, ossec_conf_t) -admin_pattern(ossec_process, ossec_queue_t, ossec_queue_t) - -admin_pattern(ossec_process, ossec_log_t, ossec_log_t) -admin_pattern(ossec_process, ossec_var_t, ossec_var_t) -optional_policy(` - gen_require(` - type passwd_file_t, etc_t; - ') - read_files_pattern(ossec_process, etc_t, passwd_file_t) -') -allow ossec_process ossec_process:unix_dgram_socket all_unix_dgram_socket_perms; -sysnet_dns_name_resolve(ossec_process) -allow ossec_process self:capability { dac_override setgid setuid sys_chroot }; -# for agent -admin_pattern(ossec_agent_t, ossec_conf_t, ossec_conf_t) -admin_pattern(ossec_agent_t, ossec_tmp_t, ossec_tmp_t) - -# logcollector read all logs -logging_read_all_logs(ossec_logcollector_t) -logging_read_audit_log(ossec_logcollector_t) -# syscheck read all file -files_read_all_files(ossec_syscheck_t) -allow ossec_syscheck_t self:process setsched; -allow ossec_syscheck_t self:capability sys_nice; -# admin policy -admin_pattern(ossec_admin_t, ossec_conf_t, ossec_conf_t) -admin_pattern(ossec_admin_t, ossec_queue_t, ossec_queue_t) -admin_pattern(ossec_admin_t, ossec_var_t, ossec_var_t) -# allow to kill -allow ossec_admin_t ossec_process:process { signal sigkill ptrace sigstop getattr setrlimit noatsecure }; -# for different roles -optional_policy(` - gen_require(` - type unconfined_t; - role unconfined_r; - ') - role unconfined_r types ossec_admin_t; - domtrans_pattern(unconfined_t, ossec_admin_exec_t, ossec_admin_t) -') -optional_policy(` - gen_require(` - type sysadm_t; - role sysadm_r; - ') - role sysadm_r types ossec_admin_t; - domtrans_pattern(sysadm_t, ossec_admin_exec_t, ossec_admin_t) -') -optional_policy(` - gen_require(` - type staff_t; - role staff_r; - ') - role staff_r types ossec_admin_t; - domtrans_pattern(staff_t, ossec_admin_exec_t, ossec_admin_t) -') - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/agent/ossec-hids-agent.spec.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/agent/ossec-hids-agent.spec.gz deleted file mode 100644 index 79259f2..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/agent/ossec-hids-agent.spec.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/agent/preloaded-vars.conf b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/agent/preloaded-vars.conf deleted file mode 100644 index fdf2c8c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/agent/preloaded-vars.conf +++ /dev/null @@ -1,121 +0,0 @@ -# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net). -# -# RPM: server/local/agent version, 1.2, 2007.07.23 -# -# -# Use this file to customize your installations. -# It will make the install.sh script pre-load some -# specific options to make it run automatically -# or with less questions. - -# PLEASE NOTE: -# When we use "n" or "y" in here, it should be changed -# to "n" or "y" in the language your are doing the -# installation. For example, in portuguese it would -# be "s" or "n". - - -# USER_LANGUAGE defines to language to be used. -# It can be "en", "br", "tr", "it", "de" or "pl". -# In case of an invalid language, it will default -# to English "en" -USER_LANGUAGE="en" # For english -#USER_LANGUAGE="br" # For portuguese - - -# If USER_NO_STOP is set to anything, the confirmation -# messages are not going to be asked. -USER_NO_STOP="y" - - -# USER_INSTALL_TYPE defines the installation type to -# be used during install. It can only be "local", -# "agent" or "server". -#USER_INSTALL_TYPE="local" -USER_INSTALL_TYPE="agent" -#USER_INSTALL_TYPE="server" - - -# USER_DIR defines the location to install ossec -USER_DIR="/var/ossec" - - -# If USER_DELETE_DIR is set to "y", the directory -# to install OSSEC will be removed if present. -USER_DELETE_DIR="y" - - -# If USER_ENABLE_ACTIVE_RESPONSE is set to "n", -# active response will be disabled. -USER_ENABLE_ACTIVE_RESPONSE="n" - - -# If USER_ENABLE_SYSCHECK is set to "y", -# syscheck will be enabled. Set to "n" to -# disable it. -USER_ENABLE_SYSCHECK="y" - - -# If USER_ENABLE_ROOTCHECK is set to "y", -# rootcheck will be enabled. Set to "n" to -# disable it. -USER_ENABLE_ROOTCHECK="y" - - -# If USER_UPDATE is set to anything, the update -# installation will be done. -#USER_UPDATE="y" - -# If USER_UPDATE_RULES is set to anything, the -# rules will also be updated. -USER_UPDATE_RULES="y" - -# If USER_BINARYINSTALL is set, the installation -# is not going to compile the code, but use the -# binaries from ./bin/ -#USER_BINARYINSTALL="x" - - -### Agent Installation variables. ### - -# USER_AGENT_SERVER_IP specifies the IP address of the -# ossec server. Only used on agent installations. -USER_AGENT_SERVER_IP="127.0.0.1" - - - -### Server/Local Installation variables. ### - -# USER_ENABLE_EMAIL enables or disables email alerting. -USER_ENABLE_EMAIL="n" - -# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts. -#USER_EMAIL_ADDRESS="dcid@test.ossec.net" - -# USER_EMAIL_SMTP defines the SMTP server to send the e-mails. -#USER_EMAIL_SMTP="test.ossec.net" - - -# USER_ENABLE_SYSLOG enables or disables remote syslog. -USER_ENABLE_SYSLOG="n" - - -# USER_ENABLE_FIREWALL_RESPONSE enables or disables -# the firewall response. -USER_ENABLE_FIREWALL_RESPONSE="n" - - -# Enable PF firewall (OpenBSD, FreeBSD and Darwin only) -USER_ENABLE_PF="n" - - -# PF table to use (OpenBSD, FreeBSD and Darwin only). -#USER_PF_TABLE="ossec_fwtable" - - -# USER_WHITE_LIST is a list of IPs or networks -# that are going to be set to never be blocked. -#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24" - - -#### exit ? ### diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/getattr.pl b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/getattr.pl deleted file mode 100644 index 3b05a89..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/getattr.pl +++ /dev/null @@ -1,61 +0,0 @@ -#!/usr/bin/perl -w - -# -# find /var/ossec/ -exec ./getattr.pl {} \; -# - -use File::stat; - -my %UID; -my %GUID; - -$filename = shift || die "\nsyntax: $0 \n\n"; - -get_uid(); -get_gid(); - -$sb = stat($filename); - -die "\nUID $sb->uid doesn't exist?! ($filename)\n\n" if (! exists($UID[$sb->uid])); -die "\nGID $sb->uid doesn't exist?! ($filename)\n\n" if (! exists($GID[$sb->gid])); - -if ( -d $filename ) { ### directory - print '%dir ' . $filename . "\n"; -} elsif ( -f $filename ) { ### file - print $filename . "\n"; -} else { - die("\nI can't handle: $filename\n\n"); -} - -# %attr(550, root, ossec) /var/ossec/etc - -printf "%%attr(%03o, %s, %s) %s\n", - $sb->mode & 07777, - $UID[$sb->uid], $GID[$sb->gid], $filename; - -#printf "%s: perm %04o, owner: %s, group: %s \n", -# $filename, $sb->mode & 07777, -# $UID[$sb->uid], $GID[$sb->gid]; - -sub get_uid -{ - open(FP,') { - ($name,$id) = (split(/:/,$line,))[0,2]; - $UID[$id] = $name; - } - close(FP); -} - -sub get_gid -{ - open(FP,') { - ($name,$id) = (split(/:/,$line,))[0,2]; - $GID[$id] = $name; - } - close(FP); -} - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/local/ossec-hids-local.spec.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/local/ossec-hids-local.spec.gz deleted file mode 100644 index 9b3bd9f..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/local/ossec-hids-local.spec.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/local/preloaded-vars.conf b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/local/preloaded-vars.conf deleted file mode 100644 index 0aebb4d..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/local/preloaded-vars.conf +++ /dev/null @@ -1,121 +0,0 @@ -# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net). -# -# RPM: server/local/agent version, 1.2, 2007.07.23 -# -# -# Use this file to customize your installations. -# It will make the install.sh script pre-load some -# specific options to make it run automatically -# or with less questions. - -# PLEASE NOTE: -# When we use "n" or "y" in here, it should be changed -# to "n" or "y" in the language your are doing the -# installation. For example, in portuguese it would -# be "s" or "n". - - -# USER_LANGUAGE defines to language to be used. -# It can be "en", "br", "tr", "it", "de" or "pl". -# In case of an invalid language, it will default -# to English "en" -USER_LANGUAGE="en" # For english -#USER_LANGUAGE="br" # For portuguese - - -# If USER_NO_STOP is set to anything, the confirmation -# messages are not going to be asked. -USER_NO_STOP="y" - - -# USER_INSTALL_TYPE defines the installation type to -# be used during install. It can only be "local", -# "agent" or "server". -USER_INSTALL_TYPE="local" -#USER_INSTALL_TYPE="agent" -#USER_INSTALL_TYPE="server" - - -# USER_DIR defines the location to install ossec -USER_DIR="/var/ossec" - - -# If USER_DELETE_DIR is set to "y", the directory -# to install OSSEC will be removed if present. -USER_DELETE_DIR="y" - - -# If USER_ENABLE_ACTIVE_RESPONSE is set to "n", -# active response will be disabled. -USER_ENABLE_ACTIVE_RESPONSE="n" - - -# If USER_ENABLE_SYSCHECK is set to "y", -# syscheck will be enabled. Set to "n" to -# disable it. -USER_ENABLE_SYSCHECK="y" - - -# If USER_ENABLE_ROOTCHECK is set to "y", -# rootcheck will be enabled. Set to "n" to -# disable it. -USER_ENABLE_ROOTCHECK="y" - - -# If USER_UPDATE is set to anything, the update -# installation will be done. -#USER_UPDATE="y" - -# If USER_UPDATE_RULES is set to anything, the -# rules will also be updated. -USER_UPDATE_RULES="y" - -# If USER_BINARYINSTALL is set, the installation -# is not going to compile the code, but use the -# binaries from ./bin/ -#USER_BINARYINSTALL="x" - - -### Agent Installation variables. ### - -# USER_AGENT_SERVER_IP specifies the IP address of the -# ossec server. Only used on agent installations. -#USER_AGENT_SERVER_IP="1.2.3.4" - - - -### Server/Local Installation variables. ### - -# USER_ENABLE_EMAIL enables or disables email alerting. -USER_ENABLE_EMAIL="n" - -# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts. -#USER_EMAIL_ADDRESS="dcid@test.ossec.net" - -# USER_EMAIL_SMTP defines the SMTP server to send the e-mails. -#USER_EMAIL_SMTP="test.ossec.net" - - -# USER_ENABLE_SYSLOG enables or disables remote syslog. -USER_ENABLE_SYSLOG="n" - - -# USER_ENABLE_FIREWALL_RESPONSE enables or disables -# the firewall response. -USER_ENABLE_FIREWALL_RESPONSE="n" - - -# Enable PF firewall (OpenBSD, FreeBSD and Darwin only) -USER_ENABLE_PF="n" - - -# PF table to use (OpenBSD, FreeBSD and Darwin only). -#USER_PF_TABLE="ossec_fwtable" - - -# USER_WHITE_LIST is a list of IPs or networks -# that are going to be set to never be blocked. -#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24" - - -#### exit ? ### diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/remove_ossec b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/remove_ossec deleted file mode 100644 index 980633c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/remove_ossec +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -rpm -e ossec-hids-server-FC7 -rpm -e ossec-hids-local-FC7 -rpm -e ossec-hids-agent-FC7 - -rm -fr /var/ossec/ - -for A in ossec ossecm ossecr ; do /usr/sbin/userdel -r $A ; done - -/usr/sbin/groupdel ossec - -/sbin/chkconfig ossec off -/sbin/chkconfig --del ossec - -# Remove init.d file -[ -f /etc/init.d/ossec ] && rm /etc/init.d/ossec - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/server/ossec-hids-server.spec.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/server/ossec-hids-server.spec.gz deleted file mode 100644 index 46cc24b..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/server/ossec-hids-server.spec.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/server/preloaded-vars.conf b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/server/preloaded-vars.conf deleted file mode 100644 index c19c3e4..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/specs/server/preloaded-vars.conf +++ /dev/null @@ -1,121 +0,0 @@ -# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net). -# -# RPM: server/local/agent version, 1.2, 2007.07.23 -# -# -# Use this file to customize your installations. -# It will make the install.sh script pre-load some -# specific options to make it run automatically -# or with less questions. - -# PLEASE NOTE: -# When we use "n" or "y" in here, it should be changed -# to "n" or "y" in the language your are doing the -# installation. For example, in portuguese it would -# be "s" or "n". - - -# USER_LANGUAGE defines to language to be used. -# It can be "en", "br", "tr", "it", "de" or "pl". -# In case of an invalid language, it will default -# to English "en" -USER_LANGUAGE="en" # For english -#USER_LANGUAGE="br" # For portuguese - - -# If USER_NO_STOP is set to anything, the confirmation -# messages are not going to be asked. -USER_NO_STOP="y" - - -# USER_INSTALL_TYPE defines the installation type to -# be used during install. It can only be "local", -# "agent" or "server". -#USER_INSTALL_TYPE="local" -#USER_INSTALL_TYPE="agent" -USER_INSTALL_TYPE="server" - - -# USER_DIR defines the location to install ossec -USER_DIR="/var/ossec" - - -# If USER_DELETE_DIR is set to "y", the directory -# to install OSSEC will be removed if present. -USER_DELETE_DIR="y" - - -# If USER_ENABLE_ACTIVE_RESPONSE is set to "n", -# active response will be disabled. -USER_ENABLE_ACTIVE_RESPONSE="n" - - -# If USER_ENABLE_SYSCHECK is set to "y", -# syscheck will be enabled. Set to "n" to -# disable it. -USER_ENABLE_SYSCHECK="y" - - -# If USER_ENABLE_ROOTCHECK is set to "y", -# rootcheck will be enabled. Set to "n" to -# disable it. -USER_ENABLE_ROOTCHECK="y" - - -# If USER_UPDATE is set to anything, the update -# installation will be done. -#USER_UPDATE="y" - -# If USER_UPDATE_RULES is set to anything, the -# rules will also be updated. -USER_UPDATE_RULES="y" - -# If USER_BINARYINSTALL is set, the installation -# is not going to compile the code, but use the -# binaries from ./bin/ -#USER_BINARYINSTALL="x" - - -### Agent Installation variables. ### - -# USER_AGENT_SERVER_IP specifies the IP address of the -# ossec server. Only used on agent installations. -#USER_AGENT_SERVER_IP="1.2.3.4" - - - -### Server/Local Installation variables. ### - -# USER_ENABLE_EMAIL enables or disables email alerting. -USER_ENABLE_EMAIL="n" - -# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts. -#USER_EMAIL_ADDRESS="dcid@test.ossec.net" - -# USER_EMAIL_SMTP defines the SMTP server to send the e-mails. -#USER_EMAIL_SMTP="test.ossec.net" - - -# USER_ENABLE_SYSLOG enables or disables remote syslog. -USER_ENABLE_SYSLOG="n" - - -# USER_ENABLE_FIREWALL_RESPONSE enables or disables -# the firewall response. -USER_ENABLE_FIREWALL_RESPONSE="y" - - -# Enable PF firewall (OpenBSD, FreeBSD and Darwin only) -USER_ENABLE_PF="n" - - -# PF table to use (OpenBSD, FreeBSD and Darwin only). -#USER_PF_TABLE="ossec_fwtable" - - -# USER_WHITE_LIST is a list of IPs or networks -# that are going to be set to never be blocked. -#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24" - - -#### exit ? ### diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/util.sh.gz b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/util.sh.gz deleted file mode 100644 index 7d2663a..0000000 Binary files a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/util.sh.gz and /dev/null differ diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/version_bump.sh b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/version_bump.sh deleted file mode 100644 index ae4986c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/version_bump.sh +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/sh - - -## Run this from src/ -## Do not add the "v" before the version number - -OLDVERSION=${1} -NEWVERSION=${2} - -if [ "X${OLDVERSION}" == "X" ]; then - echo "You must provide the version numbers" - echo "version_bump.sh x.0.0 x.1.0" - exit 1 -fi - -if [ "X${NEWVERSION}" == "X" ]; then - echo "You must provide the version numbers" - echo "version_bump.sh x.0.0 x.1.0" - exit 1 -fi - -echo "v${NEWVERSION}" > src/VERSION - -# OSSEC init scripts -sed -i -e "s/VERSION=\"v${OLDVERSION}/VERSION=\"v${NEWVERSION}/" src/init/ossec-client.sh -sed -i -e "s/VERSION=\"v${OLDVERSION}/VERSION=\"v${NEWVERSION}/" src/init/ossec-local.sh -sed -i -e "s/VERSION=\"v${OLDVERSION}/VERSION=\"v${NEWVERSION}/" src/init/ossec-server.sh - -# Win32 files -sed -i -e "s/VERSION \"${OLDVERSION}/VERSION \"${NEWVERSION}/" src/win32/ossec-installer.nsi -sed -i -e "s/Agent v${OLDVERSION}/Agent v${NEWVERSION}/" src/win32/help.txt - -# misc -sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" INSTALL -sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" README.md -sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" CONFIG -sed -i -e "s/OSSEC v${OLDVERSION}/OSSEC v${NEWVERSION}/" BUGS - -# update defs.h -sed -i -e "s/v${OLDVERSION}/v${NEWVERSION}/" src/headers/defs.h - -# Update CONFIG - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/zeromq_pubsub.py b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/zeromq_pubsub.py deleted file mode 100644 index 6047777..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/zeromq_pubsub.py +++ /dev/null @@ -1,9 +0,0 @@ -import zmq - -context = zmq.Context() -s = context.socket(zmq.SUB) -s.connect("tcp://localhost:11999") -s.setsockopt(zmq.SUBSCRIBE, "") -while 1: - d = s.recv() - print d diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/copyright b/debian/ossec-hids/usr/share/doc/ossec-hids/copyright deleted file mode 100644 index 3d16931..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/copyright +++ /dev/null @@ -1,47 +0,0 @@ -This package was debianized by Dinko Korunic on -Mon, 01 Mar 2010 17:37:28 +0100. - -It was downloaded from http://www.ossec.net/ - -Upstream Authors: Daniel B. Cid - -Copyright: - - Copyright (C) 2010 Trend Micro Inc. All rights reserved. - - OSSEC HIDS is a free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License (version 2) as - published by the FSF - Free Software Foundation. - - Note that this license applies to the source code, as well as - decoders, rules and any other data file included with OSSEC (unless - otherwise specified). - - For the purpose of this license, we consider an application to constitute a - "derivative work" or a work based on this program if it does any of the - following (list not exclusive): - - * Integrates source code/data files from OSSEC. - * Includes OSSEC copyrighted material. - * Includes/integrates OSSEC into a proprietary executable installer. - * Links to a library or executes a program that does any of the above. - - This list is not exclusive, but just a clarification of our interpretation - of derived works. These restrictions only apply if you actually redistribute - OSSEC (or parts of it). - - We don't consider these to be added restrictions on top of the GPL, - but just a clarification of how we interpret "derived works" as it - applies to OSSEC. This is similar to the way Linus Torvalds has - announced his interpretation of how "derived works" applies to Linux kernel - modules. Our interpretation refers only to OSSEC - we don't speak - for any other GPL products. - - OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT - ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - FITNESS FOR A PARTICULAR PURPOSE. - See the GNU General Public License Version 3 below for more details. - - -On Debian systems, a copy of the GNU General Public License Version 3 may be -found in /usr/share/common-licenses/GPL-3. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/logs.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/logs.txt deleted file mode 100644 index 269068c..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/logs.txt +++ /dev/null @@ -1,53 +0,0 @@ -OSSEC v0.9 -Copyright (C) 2009 Trend Micro Inc. - - -OSSEC Logging - -== Introduction == - -Ossec supports three types of logs. Alert logging, firewall -logging and event (archiving) logging. - -Every message received is treated as an event. -Any log message, integrity report, system information will be treated -as such. Event logging is very expensive for the system because -it will archive every event. However, they can be usefull to get -the big picture if some attack happens. - -Alert logging is the most useful one. An alert is generated when -an event is matched against one of the detection rules. In addition -to the logging, OSSEC can also generate e-mail notifications or -execute external commands for them. - - -== Event logging == - -Inside the OSSEC default log directory (by default /var/ossec/logs) -there is an entry for "archives" (/var/ossec/logs/archives). Inside this -directory, all events will be stored by date. -For example, all events received on May 22 of 2004, will be stored on: - -/var/ossec/logs/archives/2004/May/events-22.log - -After each day, a hash will be created for this specific day at - -/var/ossec/logs/archives/2004/May/events-22.log.md5 - -This hash will be the hash of the file from the day 22 plus the hash -from the day 21. - -The hash from the day 1, will be the hash from the day 31 (or 30 or 28) -from the previous month. - -This will ensure that no log will be modified. Also, for this to happen, -all the logs (since the first day) will need to be modified. - - -== Alert logging == - -There will be a "alerts" directory on the OSSEC default logging directory. -It will be organized on the same way the event logging is. Please read -above to understand it. - - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/manager.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/manager.txt deleted file mode 100644 index 660c03b..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/manager.txt +++ /dev/null @@ -1,21 +0,0 @@ -OSSEC v0.9 -Copyright (C) 2009 Trend Micro Inc. - - -How do the server manager the agents. - --The server will open port 1514 (by default) and listen for - messages from the clients. Only the IP of the clients will be - allowed. - --Every 10 minutes, the client will send an status notification - to the server. This status message contain some information - about the agent system and information about the files it - has on the shared directory. - --The server will receive the status message, update the agent - status file and check if it has any file to be sent to the - agent. If it has, it will connect to the agent and send - the file. - --Every message will be encrypted. diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/nmap.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/nmap.txt deleted file mode 100644 index 9c8e1b1..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/nmap.txt +++ /dev/null @@ -1,59 +0,0 @@ -OSSEC -Copyright (C) 2009 Trend Micro Inc. - - -** Nmap correlation ** - -Ossec can read nmap grepable output files to use as a -correlation tool and also to alert based on host information -changes. Follow the step by step below on how to configure -ossec: - - -1- Add the nmap output file on ossec.conf (generally - at /var/ossec/etc/ossec.conf): - - - - nmapg - /var/log/nmap-out.log - - - - -2- If the file does not exist, touch it: - -ossec-test# touch /var/log/nmap-out.log - - -3- Restart ossec: - -ossec-test# /var/ossec/bin/ossec-control restart - - -4- Run your nmap scans (example scanning 192.168.2.0/24 network): - -ossec-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255 - - - -*** Example of alert when a new host is found: - -** Alert 1152058913.238: mail -2006 Jul 04 20:21:53 /var/log/nmap-out.log -Rule: 15 (level 8) -> 'New host information added.' -Src IP: (none) -User: (none) -Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp) - - -*** Example of alert when a new a host information is changed: - -** Alert 1152058983.487: mail -2006 Jul 04 20:23:03 /var/log/nmap-out.log -Rule: 15 (level 8) -> 'Host information changed.' -Src IP: (none) -User: (none) -Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp) -Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp) - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/rootcheck.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/rootcheck.txt deleted file mode 100644 index 40e13a7..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/rootcheck.txt +++ /dev/null @@ -1,74 +0,0 @@ -Rootkit detection techniques used by the OSSEC HIDS -by Daniel B. Cid, daniel.cid@gmail.com - - -Starting on version 0.4, the OSSEC HIDS will perform -rootkit detection on every system where the agent is -installed. The rootcheck (rootkit detection engine) will -be executed every X minutes (user specified --by default -every 2 hours) to detect any possible rootkit installed. -Used witht the log analysis and the integrity checking -engine, it will become a very powerful monitoring solution -(the OSSEC HIDS performs log analysis and integrity -checking since version 0.1). - -Other feature included on version 0.4 is that the analysis -server will automatically forward the rootkit detection -signatures to the agents, reducing the administration -overhead for the system admin. The agents and server will -keep contact every 10 minutes and if the server is -updated with a new signature file, it will forward them -to all configured agents. Take a look at the management -documentation for more information. - -The rootcheck will perform the following steps on the -system trying to find rootkits: - - -1- Read the rootkit_files.txt which contains a big database - of rootkits and files used by them. It will try to stats, - fopen and opendir each specified file. We use all these - system calls, because some kernel-level rootkits, hide - files from some system calls. The more system calls we - try, the better the detection. This method is more like - an anti-virus rule that needs to be updated constantly. - The chances of false-positives are small, but false - negatives can be produced by modifying the rootkits. - -2- Read the rootkit_trojans.txt which contains a database - of signatures of files trojaned by rootkits. This - technique of modifying binaries with trojaned versions - was commonly used by most of the popular rootkits - available. This detection method will not find any - kernel level rootkit or any unknown rootkit. - -3- Scan the /dev directory looking for anomalies. The /dev - should only have device files and the Makedev script. - A lot of rootkits use the /dev to hide files. This - technique can detect even non-public rootkits. - -4- Scan the whole filesystem looking for unusual files and - permission problems. Files owned by root, with written - permission to others are very dangerous and the rootkit - detection will look for them. Suid files, hidden directories - and files will also be inspected. - -5- Look for the presence of hidden processes. We use getsid() - and kill() to check if any pid is being used or not. If - the pid is being used, but "ps" can't see it, it is the - indication of kernel-level rootkit or a trojaned version - of "ps". We also verify the output of kill and getsid that - should be the same. - -6- Look for the presence of hidden ports. We use bind() to - check every tcp and udp port on the system. If we can't - bind to the port (it's being used), but netstat does not - show it, we probably have a rootkit installed. - -7- Scan all interfaces on the system and look for the ones - with "promisc" mode enabled. If the interface is in promiscuous - mode, the output of "ifconfig" should show that. If not, - we probably have a rootkit installed. - - -EOF diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/rule_ids.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/rule_ids.txt deleted file mode 100644 index 8ae4b26..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/rule_ids.txt +++ /dev/null @@ -1,104 +0,0 @@ -# ossec Rules ids. -# -# Ossec official rules should be under some of these -# assignments. -# -# Local rules should go from 100000 to 120000. -# -# Every rule will also have a revision attribute (if modified). -# *default revision is 0 (when first added). - -00000 - 00999 Internally reserved for ossec -01000 - 01999 General syslog -02100 - 02299 NFS -02300 - 02499 Xinetd -02500 - 02699 Access control -02700 - 02729 Mail/procmail -02800 - 02829 Smartd -02830 - 02859 Crond -02860 - 02899 Mount/Automount - -03100 - 03299 Sendmail -03300 - 03499 Postfix -03500 - 03599 Spamd -03600 - 03699 Imapd -03700 - 03799 MailScanner - -04100 - 04299 Generic Firewall -04300 - 04499 Cisco PIX Firewall -04500 - 04699 Netscreen Firewall - -05100 - 05299 Kernels (Linux, Unix, etc) -05300 - 05399 Su -05400 - 05499 sudo -05500 - 05599 Pam unix -05600 - 05699 Telnetd -05700 - 05899 sshd -05900 - 05999 Adduser or user deletion. - -07100 - 07199 Tripwire -07200 - 07299 Arpwatch -07300 - 07399 Symantec Anti Virus - -09100 - 09199 PPTP -09200 - 09299 Squid syslog -09300 - 09399 Horde IMP - -10100 - 10199 FTS - -11100 - 11199 FTPd -11200 - 11299 ProFTPD -11300 - 11399 Pure-FTPD -11400 - 11499 vs-FTPD - -12100 - 12299 Named (bind DNS) - -13100 - 13299 Samba (smbd) - -14100 - 14199 Racoon SSL -14200 - 14299 Cisco VPN Concentrator - -17100 - 17399 Policy - -18100 - 18499 Windows system -18500 - 18650 Sysmon rules -18651 - 18750 MS IPSec rules -20100 - 20299 IDS -20300 - 20499 IDS (Snort specific) -20500 - 20509 Windows PowerShell - -30100 - 30999 Apache error log -31100 - 31199 Web access log - -31501 - 32000 Web Appsec rules - -35000 - 35999 Squid - -40100 - 40499 Attack patterns -40500 - 40599 Privilege escalation - -40600 - 40699 Scan patterns -40700 - 40899 Systemd -40900 - 40999 Firewalld - -51500 - 51999 OpenBSD rules -52000 - 52499 Apparmor rules -52500 - 53199 clam av rules -53200 - 53499 nsd rules -53500 - 53299 opensmtpd rules -53300 - 53399 owncloud rules -53400 - 53500 proxmox ve rules -53501 - 53550 OpenSMTPd rules -53551 - 53599 dnsmasq -53600 - 53625 linux usb detection rules -53626 - 53630 ms usb detection rules -53631 - 53699 ms firewall rules -53700 - 53749 PSAD rules -53750 - 53799 unbound rules -53800 - 53825 Kaspersky Endpoint Security 10 for Linux rules -53826 - 53829 MHN - Dionaea -53830 - 53840 MHN - Cowrie -56000 - 56200 FreeBSD rules - -100000 - 109999 User defined rules - diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/rules.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/rules.txt deleted file mode 100644 index 1fa2f9e..0000000 --- a/debian/ossec-hids/usr/share/doc/ossec-hids/rules.txt +++ /dev/null @@ -1,90 +0,0 @@ -OSSEC HIDS v0.9 -Copyright (C) 2009 Trend Micro Inc. - - - ---- Rules Classification --- - - --- Classification -- - -The rules are classified in multiple levels. From the lowest (00) to the maximum -level 16. Some levels are not used right now. Other levels can be added between -them or after them. - -**The rules will be read from the highest to the lowest level. ** - -00 - Ignored - No action taken. Used to avoid false positives. These rules - are scanned before all the others. They include events with no - security relevance. -01 - None - -02 - System low priority notification - System notification or - status messages. They have no security relevance. -03 - Successful/Authorized events - They include successful login attempts, - firewall allow events, etc. -04 - System low priority error - Errors related to bad configurations or - unused devices/applications. They have no security relevance and - are usually caused by default installations or software testing. -05 - User generated error - They include missed passwords, denied - actions, etc. By itself they have no security relevance. -06 - Low relevance attack - They indicate a worm or a virus that have - no affect to the system (like code red for apache servers, etc). - They also include frequently IDS events and frequently errors. -07 - "Bad word" matching. They include words like "bad", "error", etc. - These events are most of the time unclassified and may have - some security relevance. -08 - First time seen - Include first time seen events. First time - an IDS event is fired or the first time an user logged in. - If you just started using OSSEC HIDS these messages will - probably be frequently. After a while they should go away. - It also includes security relevant actions (like the starting - of a sniffer or something like that). -09 - Error from invalid source - Include attempts to login as - an unknown user or from an invalid source. May have security - relevance (specially if repeated). They also include errors - regarding the "admin" (root) account. -10 - Multiple user generated errors - They include multiple bad - passwords, multiple failed logins, etc. They may indicate an - attack or may just be that a user just forgot his credentials. -11 - Integrity checking warning - They include messages regarding - the modification of binaries or the presence of rootkits (by - rootcheck). If you just modified your system configuration - you should be fine regarding the "syscheck" messages. They - may indicate a successful attack. Also included IDS events - that will be ignored (high number of repetitions). -12 - High importancy event - They include error or warning messages - from the system, kernel, etc. They may indicate an attack against - a specific application. -13 - Unusual error (high importance) - Most of the times it matches a - common attack pattern. -14 - High importance security event. Most of the times done with - correlation and it indicates an attack. -15 - Severe attack - No chances of false positives. Immediate - attention is necessary. - - -== Rules Group == - --We can specify groups for specific rules. It's used for active -response reasons and for correlation. -- We currently use the following groups: - -- invalid_login -- authentication_success -- authentication_failed -- connection_attempt -- attacks -- adduser -- sshd -- ids -- firewall -- squid -- apache -- syslog - - - -== Rules Config == - -http://www.ossec.net/en/manual.html#rules - diff --git a/debian/ossec-hids/usr/share/lintian/overrides/ossec-hids b/debian/ossec-hids/usr/share/lintian/overrides/ossec-hids deleted file mode 100644 index e6232df..0000000 --- a/debian/ossec-hids/usr/share/lintian/overrides/ossec-hids +++ /dev/null @@ -1,6 +0,0 @@ -ossec-hids: possible-gpl-code-linked-with-openssl -ossec-hids: non-etc-file-marked-as-conffile var/ossec/rules/local_rules.xml -ossec-hids: non-etc-file-marked-as-conffile var/ossec/etc/ossec.conf -ossec-hids: non-etc-file-marked-as-conffile var/ossec/etc/internal_options.conf -ossec-hids: non-standard-dir-in-var var/ossec/ -ossec-hids: file-in-unusual-dir var/ossec/* diff --git a/debian/ossec-hids/var/ossec/active-response/bin/disable-account.sh b/debian/ossec-hids/var/ossec/active-response/bin/disable-account.sh deleted file mode 100755 index 70dd204..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/disable-account.sh +++ /dev/null @@ -1,85 +0,0 @@ -#!/bin/sh -# Disable an account by setting "passwd -l" or chuser -# Requirements: System with a passwd that supports -l and -u -# or a system with chuser (AIX) -# Expect: username (can't be "root") -# Authors: Ahmet Ozturk and Daniel B. Cid -# Last modified: Jan 19, 2005 - - -UNAME=`uname` -PASSWD="/usr/bin/passwd" -CHUSER="/usr/bin/chuser" -ACTION=$1 -USER=$2 -IP=$3 - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - - -if [ "x${USER}" = "x" ]; then - echo "$0: [ add | delete ] " - exit 1; -elif [ "x${USER}" = "xroot" ]; then - echo "$0: Invalid username." - exit 1; -fi - - -# We should run on linux and on SunOS the passwd -u/-l -if [ "X${UNAME}" = "XLinux" -o "X${UNAME}" = "XSunOS" ]; then - # Checking if passwd is present - ls ${PASSWD} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - CMD=${PASSWD} - if [ "x${ACTION}" = "xadd" ]; then - ARGS="-l" - elif [ "x${ACTION}" = "xdelete" ]; then - ARGS="-u" - else - echo "$0: invalid action: ${ACTION}" - exit 1; - fi - - -# On AIX, we run CHUSER -elif [ "X${UNAME}" = "XAIX" ]; then - # Checking if chuser is present - ls ${CHUSER} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - CMD=${CHUSER} - - # Disabling an account - if [ "x${ACTION}" = "xadd" ]; then - ARGS="account_locked=true" - # Unblock the account - elif [ "x${ACTION}" = "xdelete" ]; then - ARGS="account_locked=false" - # Invalid action - else - echo "$0: invalid action: ${ACTION}" - exit 1; - fi - - -# We only support Linux, SunOS and AIX -else - exit 0; -fi - - -# Execute the command -${CMD} ${ARGS} ${USER} - -exit 1; - diff --git a/debian/ossec-hids/var/ossec/active-response/bin/firewall-drop.sh b/debian/ossec-hids/var/ossec/active-response/bin/firewall-drop.sh deleted file mode 100755 index 5b5cd53..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/firewall-drop.sh +++ /dev/null @@ -1,300 +0,0 @@ -#!/bin/sh -# Adds an IP to the iptables drop list (if linux) -# Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd) -# Adds an IP to the ipsec drop list (if aix) -# Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec -# Expect: srcip -# Author: Ahmet Ozturk (ipfilter and IPSec) -# Author: Daniel B. Cid (iptables) -# Author: cgzones -# Last modified: Oct 04, 2012 - -UNAME=`uname` -ECHO="/bin/echo" -GREP="/bin/grep" -IPTABLES="" -IP4TABLES="/sbin/iptables" -IP6TABLES="/sbin/ip6tables" -IPFILTER="/sbin/ipf" -if [ "X$UNAME" = "XSunOS" ]; then - IPFILTER="/usr/sbin/ipf" -fi -GENFILT="/usr/sbin/genfilt" -LSFILT="/usr/sbin/lsfilt" -MKFILT="/usr/sbin/mkfilt" -RMFILT="/usr/sbin/rmfilt" -ARG1="" -ARG2="" -RULEID="" -ACTION=$1 -USER=$2 -IP=$3 -PWD=`pwd` -LOCK="${PWD}/fw-drop" -LOCK_PID="${PWD}/fw-drop/pid" -IPV4F="/proc/sys/net/ipv4/ip_forward" -IPV6F="/proc/sys/net/ipv6/conf/all/forwarding" - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -filename=$(basename "$0") - -LOG_FILE="${PWD}/../logs/active-responses.log" - -echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - - -# Checking for an IP -if [ "x${IP}" = "x" ]; then - echo "$0: " - exit 1; -fi - -case "${IP}" in - *:* ) IPTABLES=$IP6TABLES;; - *.* ) IPTABLES=$IP4TABLES;; - * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;; -esac - -# This number should be more than enough (even if a hundred -# instances of this script is ran together). If you have -# a really loaded env, you can increase it to 75 or 100. -MAX_ITERATION="50" - -# Lock function -lock() -{ - i=0; - # Providing a lock. - while [ 1 ]; do - mkdir ${LOCK} > /dev/null 2>&1 - MSL=$? - if [ "${MSL}" = "0" ]; then - # Lock acquired (setting the pid) - echo "$$" > ${LOCK_PID} - return; - fi - - # Getting currently/saved PID locking the file - C_PID=`cat ${LOCK_PID} 2>/dev/null` - if [ "x" = "x${S_PID}" ]; then - S_PID=${C_PID} - fi - - # Breaking out of the loop after X attempts - if [ "x${C_PID}" = "x${S_PID}" ]; then - i=`expr $i + 1`; - fi - - sleep $i; - - i=`expr $i + 1`; - - # So i increments 2 by 2 if the pid does not change. - # If the pid keeps changing, we will increments one - # by one and fail after MAX_ITERACTION - - if [ "$i" = "${MAX_ITERATION}" ]; then - kill="false" - for pid in `pgrep -f "${filename}"`; do - if [ "x${pid}" = "x${C_PID}" ]; then - # Unlocking and exiting - kill -9 ${C_PID} - echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE} - kill="true" - unlock; - i=0; - S_PID=""; - break; - fi - done - - if [ "x${kill}" = "xfalse" ]; then - echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE} - # Unlocking and exiting - unlock; - exit 1; - fi - fi - done -} - -# Unlock function -unlock() -{ - rm -rf ${LOCK} -} - - - -# Blocking IP -if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then - echo "$0: invalid action: ${ACTION}" - exit 1; -fi - - - -# We should run on linux -if [ "X${UNAME}" = "XLinux" ]; then - if [ "x${ACTION}" = "xadd" ]; then - ARG1="-I INPUT -s ${IP} -j DROP" - ARG2="-I FORWARD -s ${IP} -j DROP" - else - ARG1="-D INPUT -s ${IP} -j DROP" - ARG2="-D FORWARD -s ${IP} -j DROP" - fi - - # Checking if iptables is present - if [ ! -x ${IPTABLES} ]; then - IPTABLES="/usr"${IPTABLES} - if [ ! -x ${IPTABLES} ]; then - echo "$0: can not find iptables" - exit 0; - fi - fi - - # Executing and exiting - COUNT=0; - lock; - while [ 1 ]; do - ${IPTABLES} ${ARG1} - RES=$? - if [ $RES = 0 ]; then - break; - else - COUNT=`expr $COUNT + 1`; - echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - sleep $COUNT; - - if [ $COUNT -gt 4 ]; then - break; - fi - fi - done - - COUNT=0; - while [ 1 ]; do - # - # Looking for IPV4 and IPV6 FORWARD - # - if [ -e "$IPV4F" ] - then - IPV4KEY="$(cat "$IPV4F")" - else - IPV4KEY="0" - fi - if [ -e "$IPV6F" ] - then - IPV6KEY="$(cat "$IPV6F")" - else - IPV6KEY="0" - fi - - if [ "$IPV4KEY" = "0" ] && [ "$IPV6KEY" = "0" ] - then - break - fi - - ${IPTABLES} ${ARG2} - RES=$? - if [ $RES = 0 ]; then - break; - else - COUNT=`expr $COUNT + 1`; - echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - sleep $COUNT; - - if [ $COUNT -gt 4 ]; then - break; - fi - fi - done - unlock; - - exit 0; - -# FreeBSD, SunOS or NetBSD with ipfilter -elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then - - # Checking if ipfilter is present - ls ${IPFILTER} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - # Checking if echo is present - ls ${ECHO} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - if [ "x${ACTION}" = "xadd" ]; then - ARG1="\"@1 block out quick from any to ${IP}\"" - ARG2="\"@1 block in quick from ${IP} to any\"" - IPFARG="${IPFILTER} -f -" - else - ARG1="\"@1 block out quick from any to ${IP}\"" - ARG2="\"@1 block in quick from ${IP} to any\"" - IPFARG="${IPFILTER} -rf -" - fi - - # Executing it - eval ${ECHO} ${ARG1}| ${IPFARG} - eval ${ECHO} ${ARG2}| ${IPFARG} - - exit 0; - -# AIX with ipsec -elif [ "X${UNAME}" = "XAIX" ]; then - - # Checking if genfilt is present - ls ${GENFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - # Checking if lsfilt is present - ls ${LSFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - # Checking if mkfilt is present - ls ${MKFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - # Checking if rmfilt is present - ls ${RMFILT} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - if [ "x${ACTION}" = "xadd" ]; then - ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\"" - #Add filter to rule table - eval ${GENFILT} ${ARG1} - - #Deactivate and activate the filter rules. - eval ${MKFILT} -v 4 -d - eval ${MKFILT} -v 4 -u - else - # removing a specific rule is not so easy :( - eval ${LSFILT} -v 4 -O | ${GREP} ${IP} | - while read -r LINE - do - RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"` - let RULEID=${RULEID}+1 - ARG1=" -v 4 -n ${RULEID}" - eval ${RMFILT} ${ARG1} - done - #Deactivate and activate the filter rules. - eval ${MKFILT} -v 4 -d - eval ${MKFILT} -v 4 -u - fi - -else - exit 0; -fi diff --git a/debian/ossec-hids/var/ossec/active-response/bin/firewalld-drop.sh b/debian/ossec-hids/var/ossec/active-response/bin/firewalld-drop.sh deleted file mode 100755 index 8ce3097..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/firewalld-drop.sh +++ /dev/null @@ -1,169 +0,0 @@ -#!/bin/sh -# Adds an IP to the firewalld drop list -# Requirements: Linux with firewalld -# Expect: srcip -# Author: Daniel B. Cid (iptables) -# Author: cgzones -# Author: ChristianBeer -# Last modified: Apr 10, 2015 - -UNAME=`uname` -ECHO="/bin/echo" -GREP="/bin/grep" -FWDCMD="/bin/firewall-cmd" -RULE="" -ARG1="" -# ARG2 can be used to specify the zone where the rich rule should be added otherwise it adds it to the default zone -ARG2="" -#ARG2="--zone=external" -RULEID="" -ACTION=$1 -USER=$2 -IP=$3 -PWD=`pwd` -LOCK="${PWD}/fw-drop" -LOCK_PID="${PWD}/fw-drop/pid" - - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -filename=$(basename "$0") - -LOG_FILE="${PWD}/../logs/active-responses.log" - -echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - - -# Checking for an IP -if [ "x${IP}" = "x" ]; then - echo "$0: " - exit 1; -fi - -case "${IP}" in - *:* ) RULE="rule family='ipv6' source address='${IP}' drop";; - *.* ) RULE="rule family='ipv4' source address='${IP}' drop";; - * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;; -esac - -# This number should be more than enough (even if a hundred -# instances of this script is ran together). If you have -# a really loaded env, you can increase it to 75 or 100. -MAX_ITERATION="50" - -# Lock function -lock() -{ - i=0; - # Providing a lock. - while [ 1 ]; do - mkdir ${LOCK} > /dev/null 2>&1 - MSL=$? - if [ "${MSL}" = "0" ]; then - # Lock acquired (setting the pid) - echo "$$" > ${LOCK_PID} - return; - fi - - # Getting currently/saved PID locking the file - C_PID=`cat ${LOCK_PID} 2>/dev/null` - if [ "x" = "x${S_PID}" ]; then - S_PID=${C_PID} - fi - - # Breaking out of the loop after X attempts - if [ "x${C_PID}" = "x${S_PID}" ]; then - i=`expr $i + 1`; - fi - - sleep $i; - - i=`expr $i + 1`; - - # So i increments 2 by 2 if the pid does not change. - # If the pid keeps changing, we will increments one - # by one and fail after MAX_ITERACTION - - if [ "$i" = "${MAX_ITERATION}" ]; then - kill="false" - for pid in `pgrep -f "${filename}"`; do - if [ "x${pid}" = "x${C_PID}" ]; then - # Unlocking and exiting - kill -9 ${C_PID} - echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE} - kill="true" - unlock; - i=0; - S_PID=""; - break; - fi - done - - if [ "x${kill}" = "xfalse" ]; then - echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE} - # Unlocking and exiting - unlock; - exit 1; - fi - fi - done -} - -# Unlock function -unlock() -{ - rm -rf ${LOCK} -} - - - -# Blocking IP -if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then - echo "$0: invalid action: ${ACTION}" - exit 1; -fi - - - -# We should run on linux -if [ "X${UNAME}" = "XLinux" ]; then - if [ "x${ACTION}" = "xadd" ]; then - ARG1="--add-rich-rule=" - else - ARG1="--remove-rich-rule=" - fi - - # Checking if firewall-cmd is present - if [ ! -x ${FWDCMD} ]; then - FWDCMD="/usr"${FWDCMD} - if [ ! -x ${FWDCMD} ]; then - echo "$0: can not find firewall-cmd" - exit 1; - fi - fi - - # Executing and exiting - COUNT=0; - lock; - while [ 1 ]; do - ${FWDCMD} ${ARG1}"${RULE}" ${ARG2} >/dev/null - RES=$? - if [ $RES = 0 ]; then - break; - else - COUNT=`expr $COUNT + 1`; - echo "`date` Unable to run (firewall-cmd returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE} - sleep $COUNT; - - if [ $COUNT -gt 4 ]; then - break; - fi - fi - done - unlock; - - exit 0; -else - exit 0; -fi diff --git a/debian/ossec-hids/var/ossec/active-response/bin/host-deny.sh b/debian/ossec-hids/var/ossec/active-response/bin/host-deny.sh deleted file mode 100755 index 0893125..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/host-deny.sh +++ /dev/null @@ -1,147 +0,0 @@ -#!/bin/sh -# Adds an IP to the /etc/hosts.deny file -# Requirements: sshd and other binaries with tcp wrappers support -# Expect: srcip -# Author: Daniel B. Cid -# Last modified: Nov 09, 2005 - -ACTION=$1 -USER=$2 -IP=$3 - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -LOCK="${PWD}/host-deny-lock" -LOCK_PID="${PWD}/host-deny-lock/pid" -UNAME=`uname` - - -# This number should be more than enough (even if a hundred -# instances of this script is ran together). If you have -# a really loaded env, you can increase it to 75 or 100. -MAX_ITERATION="50" - - -# Lock function -lock() -{ - i=0; - # Providing a lock. - while [ 1 ]; do - mkdir ${LOCK} > /dev/null 2>&1 - MSL=$? - if [ "${MSL}" = "0" ]; then - # Lock acquired (setting the pid) - echo "$$" > ${LOCK_PID} - return; - fi - - # Getting currently/saved PID locking the file - C_PID=`cat ${LOCK_PID} 2>/dev/null` - if [ "x" = "x${S_PID}" ]; then - S_PID=${C_PID} - fi - - # Breaking out of the loop after X attempts - if [ "x${C_PID}" = "x${S_PID}" ]; then - i=`expr $i + 1`; - fi - - sleep $i; - - i=`expr $i + 1`; - - # So i increments 2 by 2 if the pid does not change. - # If the pid keeps changing, we will increments one - # by one and fail after MAX_ITERACTION - if [ "$i" = "${MAX_ITERATION}" ]; then - echo "`date` Unable to execute. Locked: $0" \ - >> ${PWD}/ossec-hids-responses.log - - # Unlocking and exiting - unlock; - exit 1; - fi - done -} - -# Unlock function -unlock() -{ - rm -rf ${LOCK} -} - - -# Logging the call -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - - -# IP Address must be provided -if [ "x${IP}" = "x" ]; then - echo "$0: Missing argument (ip)" - exit 1; -fi - - -# Checking for invalid entries (lacking "." or ":", etc) -echo "${IP}" | egrep "\.|\:" > /dev/null 2>&1 -if [ ! $? = 0 ]; then - echo "`date` Invalid ip/hostname entry: ${IP}" >> ${PWD}/../logs/active-responses.log - exit 1; -fi - - -# Adding the ip to hosts.deny -if [ "x${ACTION}" = "xadd" ]; then - # Looking for duplication - IPKEY=$(grep -w "${IP}" /etc/hosts.deny) - if [ ! -z "$IPKEY" ]; then - echo "IP ${IP} already exists on host.deny..." >> ${PWD}/../logs/active-responses.log - exit 1 - fi - lock; - echo "${IP}" | grep "\:" > /dev/null 2>&1 - if [ $? = 0 ]; then - IP="[${IP}]" - fi - if [ "X$UNAME" = "XFreeBSD" ]; then - echo "ALL : ${IP} : deny" >> /etc/hosts.allow - else - echo "ALL:${IP}" >> /etc/hosts.deny - fi - unlock; - exit 0; - - -# Deleting from hosts.deny -elif [ "x${ACTION}" = "xdelete" ]; then - lock; - TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX` - if [ "X${TMP_FILE}" = "X" ]; then - # Cheap fake tmpfile, but should be harder then no random data - TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `" - fi - echo "${IP}" | grep "\:" > /dev/null 2>&1 - if [ $? = 0 ]; then - IP="\[${IP}\]" - fi - if [ "X$UNAME" = "XFreeBSD" ]; then - cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> ${TMP_FILE} - mv ${TMP_FILE} /etc/hosts.allow - else - cat /etc/hosts.deny | grep -v "ALL:${IP}$"> ${TMP_FILE} - cat ${TMP_FILE} > /etc/hosts.deny - rm ${TMP_FILE} - fi - unlock; - exit 0; - - -# Invalid action -else - echo "$0: invalid action: ${ACTION}" -fi - -exit 1; diff --git a/debian/ossec-hids/var/ossec/active-response/bin/ip-customblock.sh b/debian/ossec-hids/var/ossec/active-response/bin/ip-customblock.sh deleted file mode 100755 index 1210d50..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/ip-customblock.sh +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/sh -# Custom OSSEC block / Easily modifiable for custom responses (touch a file, insert to db, etc). -# Expect: srcip -# Author: Daniel B. Cid -# Last modified: Feb 16, 2013 - -ACTION=$1 -USER=$2 -IP=$3 - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` - - -# Logging the call -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - - -# IP Address must be provided -if [ "x${IP}" = "x" ]; then - echo "$0: Missing argument (ip)" - exit 1; -fi - - -# Custom block (touching a file inside /ipblock/IP) -if [ "x${ACTION}" = "xadd" ]; then - if [ ! -d /ipblock ]; then - mkdir /ipblock - fi - touch "/ipblock/${IP}" -elif [ "x${ACTION}" = "xdelete" ]; then - rm -f "/ipblock/${IP}" - -# Invalid action -else - echo "$0: invalid action: ${ACTION}" -fi - -exit 1; diff --git a/debian/ossec-hids/var/ossec/active-response/bin/ipfw.sh b/debian/ossec-hids/var/ossec/active-response/bin/ipfw.sh deleted file mode 100755 index fb424cb..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/ipfw.sh +++ /dev/null @@ -1,67 +0,0 @@ -#!/bin/sh -# Adds an IP to the IPFW drop list. -# Only works with IPFW. -# We use TABLE 00001. If you use this table for anything else, -# please change it here. -# Expect: srcip -# Author: Rafael Capovilla - under @ ( at ) underlinux.com.br -# Author: Daniel B. Cid - dcid @ ( at ) ossec.net -# Last modified: May 07, 2006 - -UNAME=`uname` -IPFW="/sbin/ipfw" -ARG1="" -ARG2="" -ACTION=$1 -USER=$2 -IP=$3 -TABLE_ID=00001 - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - - -# Checking for an IP -if [ "x${IP}" = "x" ]; then - echo "$0: " - exit 1; -fi - - - -# Blocking IP -if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then - echo "$0: Invalid action: ${ACTION}" - exit 1; -fi - - -# We should run on FreeBSD -# We always use table 00001 and rule id 00001. -if [ "X${UNAME}" = "XFreeBSD" ]; then - ls ${IPFW} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - # Check if our table is set - ${IPFW} show | grep "^00001" | grep "table(1)" >/dev/null 2>&1 - if [ ! $? = 0 ]; then - # We need to add the table - ${IPFW} -q 00001 add deny ip from table\(${TABLE_ID}\) to any - ${IPFW} -q 00001 add deny ip from any to table\(${TABLE_ID}\) - fi - - - # Executing and exiting - ${IPFW} -q table ${TABLE_ID} ${ACTION} ${IP} - - exit 0; -fi - - -# Not FreeBSD -exit 1; diff --git a/debian/ossec-hids/var/ossec/active-response/bin/ipfw_mac.sh b/debian/ossec-hids/var/ossec/active-response/bin/ipfw_mac.sh deleted file mode 100755 index 8ef0682..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/ipfw_mac.sh +++ /dev/null @@ -1,78 +0,0 @@ -#!/bin/sh -# Adds an IP to the IPFW drop list. -# Only works with IPFW. -# Expect: srcip -# Author: Rafael Capovilla - under @ ( at ) underlinux.com.br -# Author: Daniel B. Cid - dcid @ ( at ) ossec.net -# Author: Charles W. Kefauver ckefauver @ ( at ) ibacom.es -# changed for Mac OS X compatibility -# Last modified: August 14, 2006 - -UNAME=`uname` -IPFW="/sbin/ipfw" -ARG1="" -ARG2="" -ACTION=$1 -USER=$2 -IP=$3 - -# warning do NOT add leading 0 in SET_ID -SET_ID=2 - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - - -# Checking for an IP -if [ "x${IP}" = "x" ]; then - echo "$0: " - exit 1; -fi - -# Blocking IP -if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then - echo "$0: Invalid action: ${ACTION}" - exit 1; -fi - - -# We should run on Darwin -if [ "X${UNAME}" = "XDarwin" ]; then - ls ${IPFW} >> /dev/null 2>&1 - if [ $? != 0 ]; then - exit 0; - fi - - - # Executing and exiting - if [ "x${ACTION}" = "xadd" ]; then - #${IPFW} set disable ${SET_ID} - ${IPFW} -q add set ${SET_ID} deny ip from ${IP} to any - ${IPFW} -q add set ${SET_ID} deny ip from any to ${IP} - ${IPFW} -q set enable ${SET_ID} - exit 0; - fi - - if [ "x${ACTION}" = "xdelete" ]; then - #${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" >/dev/null 2>&1 - #get list of ipfw rules ID to delete - RULES_TO_DELETE=`${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" | awk '{print $1}'` - - for RULE_ID in ${RULES_TO_DELETE} - do - ${IPFW} -q delete ${RULE_ID} - done - - exit 0; - fi - - exit 0; -fi - - -# Not Darwin -exit 1; - diff --git a/debian/ossec-hids/var/ossec/active-response/bin/npf.sh b/debian/ossec-hids/var/ossec/active-response/bin/npf.sh deleted file mode 100755 index 4eabb22..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/npf.sh +++ /dev/null @@ -1,74 +0,0 @@ -#!/bin/sh -# Author: Gianni D'Aprile - -GREP=`which grep` - -ACTION=$1 -USER=$2 -IP=$3 - -# Finding path -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - -NPFCTL=/sbin/npfctl - -if [ ! -x ${NPFCTL} ]; then - echo "$0: NPF not present." - echo "$0: NPF not present." >> ${PWD}/ossec-hids-responses.log - exit 0; -fi - -NPF_ACTIVE=`${NPFCTL} show | grep "filtering:" | ${GREP} -c active` - -if [ "x1" != "x${NPF_ACTIVE}" ]; then - echo "$0: NPF not active." - echo "$0: NPF not active." >> ${PWD}/ossec-hids-responses.log - exit 0; -fi - -NPF_OSSEC_READY=`${NPFCTL} show | ${GREP} -c "table "` - -if [ "x1" != "x${NPF_OSSEC_READY}" ]; then - echo "$0: NPF not configured." - echo "$0: NPF not configured." >> ${PWD}/ossec-hids-responses.log - exit 0; -fi - -# Checking for an IP -if [ "x${IP}" = "x" ]; then - echo "$0: " - exit 1; -fi - -case "x${ACTION}" in - - # Blocking IP - xadd) - - ${NPFCTL} table ossec_blacklist add ${IP} >/dev/null 2>&1 - exit 0 - - ;; - - # Unblocking IP - xdelete) - - ${NPFCTL} table ossec_blacklist del ${IP} >/dev/null 2>&1 - exit 0 - - ;; - - # No matching action - *) - - echo "$0: invalid action: ${ACTION}" - echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log - exit 1 - - ;; - -esac diff --git a/debian/ossec-hids/var/ossec/active-response/bin/ossec-pagerduty.sh b/debian/ossec-hids/var/ossec/active-response/bin/ossec-pagerduty.sh deleted file mode 100755 index a732ba1..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/ossec-pagerduty.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -x - -# Change these values! -# APIKEY Your pagerduty api key - -APIKEY="xxxxxxx" -# Checking user arguments -if [ "x$1" = "xdelete" ]; then - exit 0; -fi -ALERTID=$4 -RULEID=$5 -LOCAL=`dirname $0`; -ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1` -ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2` - -# Logging -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log -ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v "\.$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'` - -ALERTLOG= ${PWD}/../logs/alerts/alerts.log - -postfile=`mktemp` - -echo '{ "service_key": "'$APIKEY'", "incident_key": "Alert: '$ALERTTIME' / Rule: '$RULEID'", "event_type": "trigger", "description": "OSSEC Alert: '$ALERTLAST'", "client": "OSSEC IDS", "client_url": "http://dcid.me/ossec", "details": { "location": "'$HOSTNAME'", "Rule":"'$RULEID'", "Description":"'$ALERTFULL'", "Log":"'$ALERTLOG'"} } ' > $postfile - -curl -H "Content-type: application/json" -X POST --data @$postfile "https://events.pagerduty.com/generic/2010-04-15/create_event.json" diff --git a/debian/ossec-hids/var/ossec/active-response/bin/ossec-slack.sh b/debian/ossec-hids/var/ossec/active-response/bin/ossec-slack.sh deleted file mode 100755 index 60900bb..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/ossec-slack.sh +++ /dev/null @@ -1,53 +0,0 @@ -#!/bin/sh - -# Change these values! -# SLACKUSER user who posts notifications -# CHANNEL which channel it should be posted -# SITE is the URL provided by the Slack's WebHook, something like: -# https://hooks.slack.com/services/TOKEN" -SLACKUSER="" -CHANNEL="" -SITE="" -SOURCE="ossec2slack" - -# Checking user arguments -if [ "x$1" = "xdelete" ]; then - exit 0; -fi -ALERTID=$4 -RULEID=$5 -LOCAL=`dirname $0`; - -# Logging -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log -ALERTTITLE=`grep -A 1 "$ALERTID" ${PWD}/../logs/alerts/alerts.log | tail -1` -ALERTTEXT=`grep -A 10 "$ALERTID" ${PWD}/../logs/alerts/alerts.log | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | sed '/^$/Q' | cut -c -139 | sed 's/\"//g'` - -LEVEL=`echo "${ALERTTEXT}" | head -1 | grep "(level [0-9]*)" | sed 's/^.*(level \([0-9]*\)).*$/\1/'` -COLOR="#D3D3D3" -if [ "${LEVEL}" ] -then - [ "${LEVEL}" -ge 4 ] && COLOR="#FFCC00" - [ "${LEVEL}" -ge 7 ] && COLOR="#FF9966" - [ "${LEVEL}" -ge 12 ] && COLOR="#CC3300" -fi - -PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "attachments": [ {"fallback": "'"$( printf "${ALERTTITLE}\n${ALERTTEXT}" )"'", "title": "'"${ALERTTITLE}"'", "text": "'"${ALERTTEXT}"'", "color": "'"${COLOR}"'"} ]}' - -ls "`which curl`" > /dev/null 2>&1 -if [ ! $? = 0 ]; then - ls "`which wget`" > /dev/null 2>&1 - if [ $? = 0 ]; then - wget --keep-session-cookies --post-data="${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log - exit 0; - fi -else - curl -s -X POST --data-urlencode "payload=${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log - exit 0; -fi - -echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log -exit 1; diff --git a/debian/ossec-hids/var/ossec/active-response/bin/ossec-tweeter.sh b/debian/ossec-hids/var/ossec/active-response/bin/ossec-tweeter.sh deleted file mode 100755 index 8238c00..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/ossec-tweeter.sh +++ /dev/null @@ -1,60 +0,0 @@ -#!/bin/sh -# Tweeter an alert - copy at /var/ossec/active-response/bin/ossec-tweeter.sh -# Author: Daniel Cid - - -# Change these values! -TWITTERUSER="" -TWITTERPASS='' -DIRECTMSGUSER="" -SOURCE="ossec2tweeter" - - - -# Checking user arguments -if [ "x$1" = "xdelete" ]; then - exit 0; -fi -ALERTID=$4 -RULEID=$5 -LOCAL=`dirname $0`; -ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1` -ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2` - - - -# Logging -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log -ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v "\.$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139` - - - -# Checking if we are sending direct message or not. -if [ "x" = "x$DIRECTMSGUSER" ]; then - SITE="http://twitter.com/statuses/update.xml" - REQUESTUSER="" - REQUESTMSG="status=$ALERTFULL" -else - SITE="http://twitter.com/direct_messages/new.xml" - REQUESTUSER="user=$DIRECTMSGUSER&" - REQUESTMSG="text=$ALERTFULL" -fi - - -ls "`which curl`" > /dev/null 2>&1 -if [ ! $? = 0 ]; then - ls "`which wget`" > /dev/null 2>&1 - if [ $? = 0 ]; then - wget --keep-session-cookies --http-user=$TWITTERUSER --http-password=$TWITTERPASS --post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log - exit 0; - fi -else - curl -u "$TWITTERUSER:$TWITTERPASS" -d "source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log - exit 0; -fi - -echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log -exit 1; diff --git a/debian/ossec-hids/var/ossec/active-response/bin/pf.sh b/debian/ossec-hids/var/ossec/active-response/bin/pf.sh deleted file mode 100755 index df0f7bc..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/pf.sh +++ /dev/null @@ -1,88 +0,0 @@ -#!/bin/sh -# Author: Rafael M. Capovilla -# Last modified: Daniel B. Cid - -UNAME=`uname` -GREP="/usr/bin/grep" -PFCTL="/sbin/pfctl" -PFCTL_RULES="/etc/pf.conf" -PFCTL_TABLE="ossec_fwtable" -ARG1="" -ARG2="" -CHECKTABLE="" -ACTION=$1 -USER=$2 -IP=$3 - -# Getting pf rules file. -if [ ! -f $PFCTL_RULES ]; then - echo "The pf rules file $PFCTL_RULES does not exist" - exit 1 -fi - -# Checking if ossec table is configured -CHECKTABLE=`cat ${PFCTL_RULES} | $GREP $PFCTL_TABLE` -if [ -z "$CHECKTABLE" ]; then - echo "Table $PFCTL_TABLE does not exist" - exit 1 -fi - -# Finding path -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - -# Checking for an IP -if [ "x${IP}" = "x" ]; then - echo "$0: " - exit 1; -fi - -# Blocking IP -if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then - echo "$0: invalid action: ${ACTION}" - echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log - exit 1; -fi - -# OpenBSD and FreeBSD pf -if [ "X${UNAME}" = "XOpenBSD" -o "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XDarwin" ]; then - - # Checking if pfctl is present - ls ${PFCTL} > /dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "$0: PF not configured." - echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log - exit 0; - fi - - # Checking if we have pf config file - if [ -e ${PFCTL_RULES} ]; then - - #Checking if we got the table to add the bad guys - if [ "x${PFCTL_TABLE}" = "x" ]; then - echo "$0: PF not configured." - echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log - exit 0; - else - if [ "x${ACTION}" = "xadd" ]; then - ARG1="-t $PFCTL_TABLE -T add ${IP}" - ARG2="-k ${IP}" - else - ARG1="-t $PFCTL_TABLE -T delete ${IP}" - fi - fi - else - exit 0; - fi - - #Executing it - ${PFCTL} ${ARG1} > /dev/null 2>&1 - ${PFCTL} ${ARG2} > /dev/null 2>&1 - exit 0; - -else - exit 0; -fi diff --git a/debian/ossec-hids/var/ossec/active-response/bin/restart-ossec.sh b/debian/ossec-hids/var/ossec/active-response/bin/restart-ossec.sh deleted file mode 100755 index 25d5f77..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/restart-ossec.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh -# Restarts ossec. -# Requirements: none -# Author: Daniel B. Cid - -ACTION=$1 -USER=$2 -IP=$3 - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -UNAME=`uname` - - -# Logging the call -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - - - -# Adding the ip to hosts.deny -if [ "x${ACTION}" = "xadd" ]; then - ${PWD}/../bin/ossec-control restart - exit 0; - - -# Deleting from hosts.deny -elif [ "x${ACTION}" = "xdelete" ]; then - exit 0; - - -# Invalid action -else - echo "$0: invalid action: ${ACTION}" -fi - -exit 1; diff --git a/debian/ossec-hids/var/ossec/active-response/bin/route-null.sh b/debian/ossec-hids/var/ossec/active-response/bin/route-null.sh deleted file mode 100755 index 4a336ee..0000000 --- a/debian/ossec-hids/var/ossec/active-response/bin/route-null.sh +++ /dev/null @@ -1,69 +0,0 @@ -#!/bin/sh -# Adds an IP to null route -# Requirements: ip route -# Expect: srcip -# Author: Ivan Lotina -# Modifyed script host-deny from Daniel B. Cid -# Last modified: Feb 16, 2007 - -ACTION=$1 -USER=$2 -IP=$3 - -LOCAL=`dirname $0`; -cd $LOCAL -cd ../ -PWD=`pwd` -LOCK="${PWD}/host-deny-lock" -LOCK_PID="${PWD}/host-deny-lock/pid" - -UNAME=`uname` - -# Logging the call -echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log - - -# IP Address must be provided -if [ "x${IP}" = "x" ]; then - echo "$0: Missing argument (ip)" - exit 1; -fi - -# Match the loopback address to the version of the provided IP address -LOOPBACK=127.0.0.1 -echo "${IP}" | grep "\:" > /dev/null 2>&1 -if [ $? = 0 ]; then - LOOPBACK=::1 -fi - -# Adding the ip to null route -if [ "x${ACTION}" = "xadd" ]; then - if [ "X${UNAME}" = "XLinux" ]; then - route add ${IP} reject - exit 0; - fi - - if [ "X${UNAME}" = "XFreeBSD" ]; then - route -q add ${IP} $LOOPBACK -blackhole - exit 0; - fi - -# Deleting from null route -# be carefull not to remove your default route -elif [ "x${ACTION}" = "xdelete" ]; then - if [ "X${UNAME}" = "XLinux" ]; then - route del ${IP} reject - exit 0; - fi - - if [ "X${UNAME}" = "XFreeBSD" ]; then - route -q delete ${IP} $LOOPBACK -blackhole - exit 0; - fi - -# Invalid action -else - echo "$0: invalid action: ${ACTION}" -fi - -exit 1; diff --git a/debian/ossec-hids/var/ossec/agentless/main.exp b/debian/ossec-hids/var/ossec/agentless/main.exp deleted file mode 100755 index e8daae5..0000000 --- a/debian/ossec-hids/var/ossec/agentless/main.exp +++ /dev/null @@ -1,96 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -if {$argc <= 1} { - send_user "\nERROR: ssh_integrity_check \n"; - exit 1; -} - -# NOTE: this script must be called from within /var/ossec for it to work -set passlist "agentless/.passlist" -set sshsrc "agentless/ssh.exp" -set susrc "agentless/su.exp" -set sshloginsrc "agentless/sshlogin.exp" -set sshnopasssrc "agentless/ssh_nopass.exp" -set hostname [lindex $argv 0] -set args [lrange $argv 1 end] -set pass "x" -set use_su " " -set use_sudo " " -set addpass "x" -set timeout 20 - -# Do script test -if {[string compare $hostname "test"] == 0} { - if {[string compare $args "test"] == 0} { - exit 0; - } -} - -# Check if the hostname (first argument) is an option -if {[string compare $hostname "use_su"] == 0} { - set use_su "su;" - set hostname [lindex $argv 1] - set args [lrange $argv 2 end] -} -# Check if the hostname (first argument) is an option -if {[string compare $hostname "use_sudo"] == 0} { - set use_sudo "sudo sh;" - set hostname [lindex $argv 1] - set args [lrange $argv 2 end] -} - -# Read the password list -if [catch { - set in [open "$passlist" r] -} loc_error] { - send_user "\nERROR: Password list not present (use \"register_host\" first).\n" - exit 1; -} - -while {[gets $in line] != -1} { - set me [string first "|" $line] - set me2 [string last "|" $line] - set length [string length $line] - - if {$me == -1} { - continue; - } - if {$me2 == -1} { - continue; - } - if {$me == $me2} { - continue; - } - - set me [expr $me-1] - set me2 [expr $me2-1] - - set host_list [string range $line 0 $me] - set me [expr $me+2] - set pass_list [string range $line $me $me2] - set me2 [expr $me2+2] - set addpass_list [string range $line $me2 $length] - - if {[string compare $host_list $hostname] == 0} { - set pass "$pass_list" - set addpass "$addpass_list" - break - } -} -close $in - - -if {[string compare $pass "x"] == 0} { - send_user "\nERROR: Password for '$hostname' not found.\n" - exit 1; -} diff --git a/debian/ossec-hids/var/ossec/agentless/register_host.sh b/debian/ossec-hids/var/ossec/agentless/register_host.sh deleted file mode 100755 index 4a14c2b..0000000 --- a/debian/ossec-hids/var/ossec/agentless/register_host.sh +++ /dev/null @@ -1,90 +0,0 @@ -#!/bin/sh - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -MYNAME="register_host.sh" -MYPASS=".passlist" - -# Check the location -ls -la $MYNAME > /dev/null 2>&1 -if [ ! $? = 0 ]; then - LOCALDIR=`dirname $0`; - cd ${LOCALDIR} - - ls -la $MYNAME > /dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "ERROR: You must run this script from the same directory." - exit 1; - fi -fi - -# Arguments -if [ "x$1" = "x" -o "x$1" = "xhelp" -o "x$1" = "x-h" ]; then - echo "$0 options:" - echo " add [] ()" - echo " list (passwords)" - exit 0; -fi - -if [ "x$1" = "xlist" ]; then - echo "*Available hosts: " - if [ "x$2" = "xpasswords" ]; then - cat $MYPASS | sort | uniq; - else - cat $MYPASS | cut -d "|" -f 1 | sort | uniq; - fi - exit 0; - -elif [ "x$1" = "xadd" ]; then - if [ "x$2" = "x" ]; then - echo "ERROR: Missing hostname name."; - echo "ex: $0 add [] ()"; - exit 1; - fi - - grep "$2|" $MYPASS > /dev/null 2>&1 - if [ $? = 0 ]; then - echo "ERROR: Host '$2' already added."; - exit 1; - fi - - # Check if the password was supplied - if [ "x$3" = "x" ]; then - echo "Please provide password for host $2." - echo -n "Password: "; - stty -echo - read INPASS - stty echo - - echo "Please provide additional password for host $2 ( for empty)." - echo -n "Password: "; - stty -echo - read ADDPASS - stty echo - else - INPASS=$3 - ADDPASS=$4 - fi - - echo "$2|$INPASS|$ADDPASS" >> $MYPASS; - if [ ! $? = 0 ]; then - echo "ERROR: Unable to creating entry (echo failed)." - exit 1; - fi - chmod 744 $MYPASS - echo "*Host $2 added." - -else - echo "ERROR: Invalid argument."; - exit 1; - -fi - diff --git a/debian/ossec-hids/var/ossec/agentless/ssh.exp b/debian/ossec-hids/var/ossec/agentless/ssh.exp deleted file mode 100755 index a99fa97..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh.exp +++ /dev/null @@ -1,54 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -if {[string compare $pass "NOPASS"] == 0} { - source $sshnopasssrc - return -} - -expect { - "WARNING: REMOTE HOST" { - send_user "\nERROR: RSA host key for '$hostname' has changed. Unable to access.\n" - exit 1; - } - "*sure you want to continue connecting*" { - send "yes\r" - expect "*assword:*" { - send "$pass\r" - source $sshloginsrc - } - } - "ssh: connect to host*" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "no address associated with name" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection refused*" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection closed by remote host*" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*assword:*" { - send "$pass\r" - source $sshloginsrc - } - timeout { - send_user "\nERROR: Timeout while connecting to host: $hostname . \n" - exit 1; - } -} diff --git a/debian/ossec-hids/var/ossec/agentless/ssh_asa-fwsmconfig_diff b/debian/ossec-hids/var/ossec/agentless/ssh_asa-fwsmconfig_diff deleted file mode 100755 index a5c2790..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh_asa-fwsmconfig_diff +++ /dev/null @@ -1,204 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -if {$argc < 1} { - send_user "ERROR: ssh_asa-fwsmconfig_diff \n"; - send_user "ERROR: Must be run from /var/ossec\n"; - exit 1; -} - -# NOTE: this script must be called from within /var/ossec for it to work -set passlist "agentless/.passlist" -set hostname [lindex $argv 0] -set commands [lrange $argv 1 end] -set pass "x" -set addpass "x" -set timeout 20 - -if {[string compare $hostname "test"] == 0} { - if {[string compare $commands "test"] == 0} { - exit 0; - } -} - -# Read the password list -if [catch { - set in [open "$passlist" r] -} loc_error] { - send_user "ERROR: Password list not present (use \"register_host\" first).\n" - exit 1; -} - -while {[gets $in line] != -1} { - set me [string first "|" $line] - set me2 [string last "|" $line] - set length [string length $line] - - if {$me == -1} { - continue; - } - if {$me2 == -1} { - continue; - } - if {$me == $me2} { - continue; - } - - set me [expr $me-1] - set me2 [expr $me2-1] - - set host_list [string range $line 0 $me] - set me [expr $me+2] - set pass_list [string range $line $me $me2] - set me2 [expr $me2+2] - set addpass_list [string range $line $me2 $length] - - if {[string compare $host_list $hostname] == 0} { - set pass "$pass_list" - set addpass "$addpass_list" - break - } -} -close $in - -if {[string compare $pass "x"] == 0} { - send_user "ERROR: Password for '$hostname' not found.\n" - exit 1; -} - -# SSH to the box and pass the directories to check -if [catch { - spawn ssh -c des $hostname -} loc_error] { - send_user "ERROR: Opening connection: $loc_error.\n" - exit 1; -} - -expect { - "WARNING: REMOTE HOST" { - send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n" - exit 1; - } - "*sure you want to continue connecting*" { - send "yes\r" - expect "* password:*" { - send "$pass\r" - - expect { - "Permission denied" { - send_user "ERROR: Incorrect password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n" - exit 1; - } - "*>" { - send_user "\nINFO: Starting.\n" - } - } - } - } - "ssh: connect to host*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "no address associated with name" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection refused*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection closed by remote host*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "* password:*" { - send "$pass\r" - - expect { - "Permission denied" { - send_user "ERROR: Incorrect password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n" - exit 1; - } - "*>" { - send_user "INFO: Starting.\n" - } - } - } - timeout { - send_user "ERROR: Timeout while connecting to host: $hostname . \n" - exit 1; - } -} - -# Go into enable mode -send "enable\r" -expect { - "Password:" { - send "$addpass\r" - - expect { - "*asswor*" { - send_user "ERROR: Incorrect enable password to remote host: $hostname .\n" - exit 1; - } - "*rror in authenticatio*" { - send_user "ERROR: Incorrect enable password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n" - exit 1; - } - "*#" { - send_user "ok on enable pass\n" - } - } - } - timeout { - send_user "ERROR: Timeout while running enable on host: $hostname .\n" - exit 1; - } -} - -# Send commands -set timeout 60 -send_user "\nSTORE: now\n" - -send "term pager 0\r" - -# Exclude uptime from the output -send "show version | grep -v Configuration last| up\r" -send "show running-config\r" -send "$commands\r" -send "exit\r" - -expect { - timeout { - send_user "ERROR: Timeout while running commands on host: $hostname .\n" - exit 1; - } - eof { - send_user "\nINFO: Finished.\n" - exit 0; - } -} - -send_user "ERROR: Unable to finish properly.\n" -exit 1; diff --git a/debian/ossec-hids/var/ossec/agentless/ssh_foundry_diff b/debian/ossec-hids/var/ossec/agentless/ssh_foundry_diff deleted file mode 100755 index 666451b..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh_foundry_diff +++ /dev/null @@ -1,204 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -if {$argc < 1} { - send_user "ERROR: ssh_pixconfig_diff \n"; - exit 1; -} - -# NOTE: this script must be called from within /var/ossec for it to work -set passlist "agentless/.passlist" -set hostname [lindex $argv 0] -set commands [lrange $argv 1 end] -set pass "x" -set addpass "x" -set timeout 20 - -if {[string compare $hostname "test"] == 0} { - if {[string compare $commands "test"] == 0} { - exit 0; - } -} - -# Read the password list -if [catch { - set in [open "$passlist" r] -} loc_error] { - send_user "ERROR: Password list not present (use \"register_host\" first).\n" - exit 1; -} - -while {[gets $in line] != -1} { - set me [string first "|" $line] - set me2 [string last "|" $line] - set length [string length $line] - - if {$me == -1} { - continue; - } - if {$me2 == -1} { - continue; - } - if {$me == $me2} { - continue; - } - - set me [expr $me-1] - set me2 [expr $me2-1] - - set host_list [string range $line 0 $me] - set me [expr $me+2] - set pass_list [string range $line $me $me2] - set me2 [expr $me2+2] - set addpass_list [string range $line $me2 $length] - - if {[string compare $host_list $hostname] == 0} { - set pass "$pass_list" - set addpass "$addpass_list" - break - } -} -close $in - -if {[string compare $pass "x"] == 0} { - send_user "ERROR: Password for '$hostname' not found.\n" - exit 1; -} - -# SSH to the box and pass the directories to check -if [catch { - spawn ssh $hostname -} loc_error] { - send_user "ERROR: Opening connection: $loc_error.\n" - exit 1; -} - -expect { - "WARNING: REMOTE HOST" { - send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n" - exit 1; - } - "*sure you want to continue connecting*" { - send "yes\r" - expect "* password:*" { - send "$pass\r" - - expect { - "Permission denied" { - send_user "ERROR: Incorrect password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n" - exit 1; - } - "*>" { - send_user "\nINFO: Starting.\n" - } - } - } - } - "ssh: connect to host*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "no address associated with name" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection refused*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection closed by remote host*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "* password:*" { - send "$pass\r" - - expect { - "Permission denied" { - send_user "ERROR: Incorrect password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n" - exit 1; - } - "*>" { - send_user "INFO: Starting.\n" - } - } - } - timeout { - send_user "ERROR: Timeout while connecting to host: $hostname . \n" - exit 1; - } -} - -if {[string compare $addpass ""] != 0} { - # Go into enable mode - send "enable\r" - expect { - "Password:" { - send "$addpass\r" - - expect { - "*asswor*" { - send_user "ERROR: Incorrect enable password to remote host: $hostname .\n" - exit 1; - } - "*rror - incorrect password*" { - send_user "ERROR: Incorrect enable password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n" - exit 1; - } - "*#" { - send_user "ok on enable pass\n" - } - } - } - timeout { - send_user "ERROR: Timeout while running enable on host: $hostname .\n" - exit 1; - } - } -} - -# Send commands -set timeout 60 -send_user "\nSTORE: now\n" - -send "skip-page-display\r" - -# Exclude uptime from the output -send "sh run\r" -send "$commands\r" -send "exit\rexit\r" - -expect { - timeout { - send_user "ERROR: Timeout while running commands on host: $hostname .\n" - exit 1; - } - eof { - send_user "\nINFO: Finished.\n" - exit 0; - } -} - -send_user "ERROR: Unable to finish properly.\n" -exit 1; diff --git a/debian/ossec-hids/var/ossec/agentless/ssh_generic_diff b/debian/ossec-hids/var/ossec/agentless/ssh_generic_diff deleted file mode 100755 index cc984ff..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh_generic_diff +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -# Main script -source "agentless/main.exp" - -# SSH to the box and pass the directories to check -if [catch { - spawn ssh $hostname -} loc_error] { - send_user "ERROR: Opening connection: $loc_error.\n" - exit 1; -} - -source $sshsrc -source $susrc - -set timeout 600 -send_user "INFO: Starting.\n" -send_user "\nSTORE: now\n" -send "$args\r" -send "exit\r" - -expect { - timeout { - send_user "ERROR: Timeout while running commands on host: $hostname .\n" - exit 1; - } - eof { - send_user "\nINFO: Finished.\n" - exit 0; - } -} - -exit 0; diff --git a/debian/ossec-hids/var/ossec/agentless/ssh_integrity_check_bsd b/debian/ossec-hids/var/ossec/agentless/ssh_integrity_check_bsd deleted file mode 100755 index 658d1a5..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh_integrity_check_bsd +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -# Main script -source "agentless/main.exp" - -# SSH to the box and pass the directories to check -if [catch { - spawn ssh $hostname -} loc_error] { - send_user "\nERROR: Opening connection: $loc_error.\n" - exit 1; -} - -source $sshsrc -source $susrc - -set timeout 600 -send "for i in `find $args 2>/dev/null`;do tail \$i >/dev/null 2>&1 && md5=`md5 \$i | cut -d \"=\" -f 2|cut -d \" \" -f 2` && sha1=`sha1 \$i | cut -d \"=\" -f 2|cut -d \" \" -f 2` && echo FWD: `stat -f \"%Dz:%Dp:%Du:%Dg\" \$i`:\$md5:\$sha1 \$i; done; exit\r" -send "exit\r" - -expect { - timeout { - send_user "\nERROR: Timeout while running commands on host: $hostname .\n" - exit 1; - } - eof { - send_user "\nINFO: Finished.\n" - exit 0; - } -} - -exit 0; diff --git a/debian/ossec-hids/var/ossec/agentless/ssh_integrity_check_linux b/debian/ossec-hids/var/ossec/agentless/ssh_integrity_check_linux deleted file mode 100755 index 51b5796..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh_integrity_check_linux +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -# Main script -source "agentless/main.exp" - -# SSH to the box and pass the directories to check -if [catch { - spawn ssh $hostname -} loc_error] { - send_user "ERROR: Opening connection: $loc_error.\n" - exit 1; -} - -source $sshsrc -source $susrc - -set timeout 600 -send "unset HISTFILE echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do tail \$i >/dev/null 2>&1 && md5=`md5sum \$i | cut -d \" \" -f 1` && sha1=`sha1sum \$i | cut -d \" \" -f 1` && echo FWD: `stat --printf \"%s:%a:%u:%g\" \$i`:\$md5:\$sha1 \$i; done; exit\r" -send "exit\r" - -expect { - timeout { - send_user "ERROR: Timeout while running commands on host: $hostname .\n" - exit 1; - } - eof { - send_user "\nINFO: Finished.\n" - exit 0; - } -} - -exit 0; diff --git a/debian/ossec-hids/var/ossec/agentless/ssh_nopass.exp b/debian/ossec-hids/var/ossec/agentless/ssh_nopass.exp deleted file mode 100755 index d4eb3d9..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh_nopass.exp +++ /dev/null @@ -1,53 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -expect { - "WARNING: REMOTE HOST" { - send_user "\nERROR: RSA host key for '$hostname' has changed. Unable to access.\n" - exit 1; - } - "*sure you want to continue connecting*" { - send "yes\r" - source $sshnopasssrc - return - } - "ssh: connect to host*" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "no address associated with name" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection refused*" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection closed by remote host*" { - send_user "\nERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "* password:*" { - send_user "\nERROR: Public key authentication failed to host: $hostname .\n" - exit 1 - } - "*\\\$" { - send_user "\nINFO: Started.\n" - } - "*#" { - send_user "\nINFO: Started.\n" - } - timeout { - send_user "\nERROR: Timeout while connecting to host: $hostname . \n" - exit 1; - } -} diff --git a/debian/ossec-hids/var/ossec/agentless/ssh_pixconfig_diff b/debian/ossec-hids/var/ossec/agentless/ssh_pixconfig_diff deleted file mode 100755 index edf992f..0000000 --- a/debian/ossec-hids/var/ossec/agentless/ssh_pixconfig_diff +++ /dev/null @@ -1,205 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -if {$argc < 1} { - send_user "ERROR: ssh_pixconfig_diff \n"; - exit 1; -} - -# NOTE: this script must be called from within /var/ossec for it to work -set passlist "agentless/.passlist" -set hostname [lindex $argv 0] -set commands [lrange $argv 1 end] -set pass "x" -set addpass "x" -set timeout 20 - -if {[string compare $hostname "test"] == 0} { - if {[string compare $commands "test"] == 0} { - exit 0; - } -} - -# Read the password list -if [catch { - set in [open "$passlist" r] -} loc_error] { - send_user "ERROR: Password list not present (use \"register_host\" first).\n" - exit 1; -} - -while {[gets $in line] != -1} { - set me [string first "|" $line] - set me2 [string last "|" $line] - set length [string length $line] - - if {$me == -1} { - continue; - } - if {$me2 == -1} { - continue; - } - if {$me == $me2} { - continue; - } - - set me [expr $me-1] - set me2 [expr $me2-1] - - set host_list [string range $line 0 $me] - set me [expr $me+2] - set pass_list [string range $line $me $me2] - set me2 [expr $me2+2] - set addpass_list [string range $line $me2 $length] - - if {[string compare $host_list $hostname] == 0} { - set pass "$pass_list" - set addpass "$addpass_list" - break - } -} -close $in - -if {[string compare $pass "x"] == 0} { - send_user "ERROR: Password for '$hostname' not found.\n" - exit 1; -} - -# SSH to the box and pass the directories to check -if [catch { - spawn ssh -c des $hostname -} loc_error] { - send_user "ERROR: Opening connection: $loc_error.\n" - exit 1; -} - -expect { - "WARNING: REMOTE HOST" { - send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n" - exit 1; - } - "*sure you want to continue connecting*" { - send "yes\r" - expect "* password:*" { - send "$pass\r" - - expect { - "Permission denied" { - send_user "ERROR: Incorrect password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n" - exit 1; - } - "*>" { - send_user "\nINFO: Starting.\n" - } - } - } - } - "ssh: connect to host*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "no address associated with name" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection refused*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Connection closed by remote host*" { - send_user "ERROR: Unable to connect to remote host: $hostname .\n" - exit 1; - } - "*Password:*" { - send "$pass\r" - - expect { - "Permission denied" { - send_user "ERROR: Incorrect password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n" - exit 1; - } - "*>" { - send_user "INFO: Starting.\n" - } - } - } - timeout { - send_user "ERROR: Timeout while connecting to host: $hostname . \n" - exit 1; - } -} - -# Go into enable mode -send "enable\r" -expect { - "Password:" { - send "$addpass\r" - - expect { - "*asswor*" { - send_user "ERROR: Incorrect enable password to remote host: $hostname .\n" - exit 1; - } - "*rror in authenticatio*" { - send_user "ERROR: Incorrect enable password to remote host: $hostname .\n" - exit 1; - } - timeout { - send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n" - exit 1; - } - "*#" { - send_user "ok on enable pass\n" - } - } - } - timeout { - send_user "ERROR: Timeout while running enable on host: $hostname .\n" - exit 1; - } -} - -# Send commands -set timeout 60 -send_user "\nSTORE: now\n" - -send "no pager\r" -send "term len 0\r" -send "terminal pager 0\r" - -# Exclude uptime from the output -send "show version | grep -v Configuration last| up\r" -send "show running-config\r" -send "$commands\r" -send "exit\r" - -expect { - timeout { - send_user "ERROR: Timeout while running commands on host: $hostname .\n" - exit 1; - } - eof { - send_user "\nINFO: Finished.\n" - exit 0; - } -} - -send_user "ERROR: Unable to finish properly.\n" -exit 1; diff --git a/debian/ossec-hids/var/ossec/agentless/sshlogin.exp b/debian/ossec-hids/var/ossec/agentless/sshlogin.exp deleted file mode 100755 index 4d4121c..0000000 --- a/debian/ossec-hids/var/ossec/agentless/sshlogin.exp +++ /dev/null @@ -1,32 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -expect { - "Permission denied" { - send_user "\nERROR: Incorrect password to remote host: $hostname .\n" - exit 1; - } - eof { - send_user "\nERROR: EOF while logging to host: $hostname .\n" - exit 0; - } - timeout { - send_user "\nERROR: Timeout while running on host: $hostname .\n" - exit 1; - } - "*\\\$" { - send_user "\nINFO: Started.\n" - } - "*#" { - send_user "\nINFO: Started.\n" - } -} diff --git a/debian/ossec-hids/var/ossec/agentless/su.exp b/debian/ossec-hids/var/ossec/agentless/su.exp deleted file mode 100755 index 923c629..0000000 --- a/debian/ossec-hids/var/ossec/agentless/su.exp +++ /dev/null @@ -1,55 +0,0 @@ -#!/usr/bin/env expect - -# Agentless monitoring -# -# Copyright (C) 2009 Trend Micro Inc. -# All rights reserved. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -# If su was chosen -set timeout 10 -if {[string compare $use_su "su;"] == 0} { - - # Run su command - send "\rsu\r" - - expect { - "Password:" { - send "$addpass\r" - } - timeout { - send_user "\nERROR: Unable to run su.\n" - exit 1; - } - } - - expect { - "Permission denied" { - send_user "\nERROR: Incorrect su password to host: $hostname .\n" - exit 1; - } - "Password:" { - send_user "\nERROR: Incorrect su password to host: $hostname .\n" - exit 1; - } - "Sorry" { - send_user "\nERROR: Incorrect su password to remote host: $hostname .\n" - exit 1; - } - eof { - send_user "\nERROR: EOF while running su on host: $hostname .\n" - exit 1; - } - timeout { - send_user "\nERROR: Timeout while running on host: $hostname .\n" - exit 1; - } - "*#" { - send_user "\nINFO: su accepted.\n" - } - } -} diff --git a/debian/ossec-hids/var/ossec/bin/agent_control b/debian/ossec-hids/var/ossec/bin/agent_control deleted file mode 100755 index 6f1df49..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/agent_control and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/clear_stats b/debian/ossec-hids/var/ossec/bin/clear_stats deleted file mode 100755 index b73dd6b..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/clear_stats and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/list_agents b/debian/ossec-hids/var/ossec/bin/list_agents deleted file mode 100755 index ca45337..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/list_agents and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/manage_agents b/debian/ossec-hids/var/ossec/bin/manage_agents deleted file mode 100755 index 5a2d49a..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/manage_agents and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-agentd b/debian/ossec-hids/var/ossec/bin/ossec-agentd deleted file mode 100755 index f88baa3..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-agentd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-agentlessd b/debian/ossec-hids/var/ossec/bin/ossec-agentlessd deleted file mode 100755 index 28b6b33..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-agentlessd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-analysisd b/debian/ossec-hids/var/ossec/bin/ossec-analysisd deleted file mode 100755 index 2bdbcde..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-analysisd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-authd b/debian/ossec-hids/var/ossec/bin/ossec-authd deleted file mode 100755 index a136631..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-authd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-client.sh b/debian/ossec-hids/var/ossec/bin/ossec-client.sh deleted file mode 100755 index 265d03f..0000000 --- a/debian/ossec-hids/var/ossec/bin/ossec-client.sh +++ /dev/null @@ -1,230 +0,0 @@ -#!/bin/sh -# ossec-control This shell script takes care of starting -# or stopping ossec-hids -# Author: Daniel B. Cid - -LOCAL=`dirname $0`; -cd ${LOCAL} -PWD=`pwd` -DIR=`dirname $PWD`; - - -### Do not modify below here ### -NAME="OSSEC HIDS" -VERSION="v3.3.0" -DAEMONS="ossec-logcollector ossec-syscheckd ossec-agentd ossec-execd" - -[ -f /etc/ossec-init.conf ] && . /etc/ossec-init.conf - -## Locking for the start/stop -LOCK="${DIR}/var/start-script-lock" -LOCK_PID="${LOCK}/pid" - -# This number should be more than enough (even if it is -# started multiple times together). It will try for up -# to 10 attempts (or 10 seconds) to execute. -MAX_ITERATION="10" - -checkpid() -{ - for i in ${DAEMONS}; do - for j in `cat ${DIR}/var/run/${i}*.pid 2>/dev/null`; do - ps -p $j |grep ossec >/dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "Deleting PID file '${DIR}/var/run/${i}-${j}.pid' not used..." - rm ${DIR}/var/run/${i}-${j}.pid - fi - done - done -} - -lock() -{ - i=0; - - # Providing a lock. - while [ 1 ]; do - mkdir ${LOCK} > /dev/null 2>&1 - MSL=$? - if [ "${MSL}" = "0" ]; then - # Lock acquired (setting the pid) - echo "$$" > ${LOCK_PID} - return; - fi - - # Waiting 1 second before trying again - sleep 1; - i=`expr $i + 1`; - - # If PID is not present, speed things a bit. - kill -0 `cat ${LOCK_PID}` >/dev/null 2>&1 - if [ ! $? = 0 ]; then - # Pid is not present. - i=`expr $i + 1`; - fi - - # We tried 10 times to acquire the lock. - if [ "$i" = "${MAX_ITERATION}" ]; then - # Unlocking and executing - unlock; - mkdir ${LOCK} > /dev/null 2>&1 - echo "$$" > ${LOCK_PID} - return; - fi - done -} - -unlock() -{ - rm -rf ${LOCK} -} - -help() -{ - # Help message - echo "Usage: $0 {start|stop|reload|restart|status}"; - exit 1; -} - -status() -{ - RETVAL=0 - for i in ${DAEMONS}; do - pstatus ${i}; - if [ $? = 0 ]; then - RETVAL=1 - echo "${i} not running..." - else - echo "${i} is running..." - fi - done - exit $RETVAL -} - -testconfig() -{ - # We first loop to check the config. - for i in ${SDAEMONS}; do - ${DIR}/bin/${i} -t; - if [ $? != 0 ]; then - echo "${i}: Configuration error. Exiting" - unlock; - exit 1; - fi - done -} - -# Start function -start() -{ - SDAEMONS="ossec-execd ossec-agentd ossec-logcollector ossec-syscheckd" - - echo "Starting $NAME $VERSION..." - lock; - checkpid; - - # We actually start them now. - for i in ${SDAEMONS}; do - pstatus ${i}; - if [ $? = 0 ]; then - ${DIR}/bin/${i}; - if [ $? != 0 ]; then - echo "${i} did not start"; - unlock; - exit 1; - fi - - echo "Started ${i}..." - else - echo "${i} already running..." - fi - done - - # After we start we give 2 seconds for the daemons - # to internally create their PID files. - sleep 2; - unlock; - echo "Completed." -} - -pstatus() -{ - pfile=$1; - - # pfile must be set - if [ "X${pfile}" = "X" ]; then - return 0; - fi - - ls ${DIR}/var/run/${pfile}*.pid > /dev/null 2>&1 - if [ $? = 0 ]; then - for j in `cat ${DIR}/var/run/${pfile}*.pid 2>/dev/null`; do - ps -p $j |grep ossec >/dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "${pfile}: Process $j not used by ossec, removing .." - rm -f ${DIR}/var/run/${pfile}-$j.pid - continue; - fi - - kill -0 $j > /dev/null 2>&1 - if [ $? = 0 ]; then - return 1; - fi - done - fi - - return 0; -} - -stopa() -{ - lock; - checkpid; - for i in ${DAEMONS}; do - pstatus ${i}; - if [ $? = 1 ]; then - echo "Killing ${i} .. "; - - kill `cat ${DIR}/var/run/${i}*.pid`; - else - echo "${i} not running .."; - fi - - rm -f ${DIR}/var/run/${i}*.pid - done - - unlock; - echo "$NAME $VERSION Stopped" -} - -### MAIN HERE ### - -case "$1" in -start) - testconfig - start - ;; -stop) - stopa - ;; -restart) - testconfig - stopa - sleep 1; - start - ;; -reload) - DAEMONS="ossec-logcollector ossec-syscheckd ossec-agentd" - stopa - start - ;; -status) - status - ;; -help) - help - ;; -*) - help -esac - diff --git a/debian/ossec-hids/var/ossec/bin/ossec-control b/debian/ossec-hids/var/ossec/bin/ossec-control deleted file mode 120000 index 4450052..0000000 --- a/debian/ossec-hids/var/ossec/bin/ossec-control +++ /dev/null @@ -1 +0,0 @@ -ossec-local.sh \ No newline at end of file diff --git a/debian/ossec-hids/var/ossec/bin/ossec-csyslogd b/debian/ossec-hids/var/ossec/bin/ossec-csyslogd deleted file mode 100755 index 4488246..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-csyslogd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-dbd b/debian/ossec-hids/var/ossec/bin/ossec-dbd deleted file mode 100755 index fbafdf8..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-dbd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-execd b/debian/ossec-hids/var/ossec/bin/ossec-execd deleted file mode 100755 index 072adf2..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-execd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-local.sh b/debian/ossec-hids/var/ossec/bin/ossec-local.sh deleted file mode 100755 index 1a85a20..0000000 --- a/debian/ossec-hids/var/ossec/bin/ossec-local.sh +++ /dev/null @@ -1,309 +0,0 @@ -#!/bin/sh -# ossec-control This shell script takes care of starting -# or stopping ossec-hids -# Author: Daniel B. Cid - -# Getting where we are installed -LOCAL=`dirname $0`; -cd ${LOCAL} -PWD=`pwd` -DIR=`dirname $PWD`; -PLIST=${DIR}/bin/.process_list; - -### Do not modify below here ### - -# Getting additional processes -ls -la ${PLIST} > /dev/null 2>&1 -if [ $? = 0 ]; then -. ${PLIST}; -fi - -NAME="OSSEC HIDS" -VERSION="v3.3.0" -DAEMONS="ossec-monitord ossec-logcollector ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}" - -## Locking for the start/stop -LOCK="${DIR}/var/start-script-lock" -LOCK_PID="${LOCK}/pid" - -# This number should be more than enough (even if it is -# started multiple times together). It will try for up -# to 10 attempts (or 10 seconds) to execute. -MAX_ITERATION="10" - -checkpid() { - for i in ${DAEMONS}; do - for j in `cat ${DIR}/var/run/${i}*.pid 2>/dev/null`; do - ps -p $j |grep ossec >/dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "Deleting PID file '${DIR}/var/run/${i}-${j}.pid' not used..." - rm ${DIR}/var/run/${i}-${j}.pid - fi - done - done -} - -lock() { - i=0; - - # Providing a lock. - while [ 1 ]; do - mkdir ${LOCK} > /dev/null 2>&1 - MSL=$? - if [ "${MSL}" = "0" ]; then - # Lock acquired (setting the pid) - echo "$$" > ${LOCK_PID} - return; - fi - - # Waiting 1 second before trying again - sleep 1; - i=`expr $i + 1`; - - # If PID is not present, speed things a bit. - kill -0 `cat ${LOCK_PID}` >/dev/null 2>&1 - if [ ! $? = 0 ]; then - # Pid is not present. - i=`expr $i + 1`; - fi - - # We tried 10 times to acquire the lock. - if [ "$i" = "${MAX_ITERATION}" ]; then - # Unlocking and executing - unlock; - mkdir ${LOCK} > /dev/null 2>&1 - echo "$$" > ${LOCK_PID} - return; - fi - done -} - -unlock() -{ - rm -rf ${LOCK} -} - -help() -{ - # Help message - echo "" - echo "Usage: $0 {start|stop|restart|status|enable|disable}"; - exit 1; -} - -# Enables additional daemons -enable() -{ - if [ "X$2" = "X" ]; then - echo "" - echo "Enable options: database, client-syslog, agentless, debug" - echo "Usage: $0 enable [database|client-syslog|agentless|debug]" - exit 1; - fi - - if [ "X$2" = "Xdatabase" ]; then - echo "DB_DAEMON=ossec-dbd" >> ${PLIST}; - elif [ "X$2" = "Xclient-syslog" ]; then - echo "CSYSLOG_DAEMON=ossec-csyslogd" >> ${PLIST}; - elif [ "X$2" = "Xagentless" ]; then - echo "AGENTLESS_DAEMON=ossec-agentlessd" >> ${PLIST}; - elif [ "X$2" = "Xdebug" ]; then - echo "DEBUG_CLI=\"-d\"" >> ${PLIST}; - else - echo "" - echo "Invalid enable option." - echo "" - echo "Enable options: database, client-syslog, agentless, debug" - echo "Usage: $0 enable [database|client-syslog|agentless|debug]" - exit 1; - fi -} - -# Disables additional daemons -disable() -{ - if [ "X$2" = "X" ]; then - echo "" - echo "Disable options: database, client-syslog, agentless, debug" - echo "Usage: $0 disable [database|client-syslog|agentless,debug]" - exit 1; - fi - - if [ "X$2" = "Xdatabase" ]; then - echo "DB_DAEMON=\"\"" >> ${PLIST}; - elif [ "X$2" = "Xclient-syslog" ]; then - echo "CSYSLOG_DAEMON=\"\"" >> ${PLIST}; - elif [ "X$2" = "Xagentless" ]; then - echo "AGENTLESS_DAEMON=\"\"" >> ${PLIST}; - elif [ "X$2" = "Xdebug" ]; then - echo "DEBUG_CLI=\"\"" >> ${PLIST}; - else - echo "" - echo "Invalid disable option." - echo "" - echo "Disable options: database, client-syslog, agentless, debug" - echo "Usage: $0 disable [database|client-syslog|agentless|debug]" - exit 1; - fi -} - -status() -{ - RETVAL=0 - for i in ${DAEMONS}; do - pstatus ${i}; - if [ $? = 0 ]; then - RETVAL=1 - echo "${i} not running..." - else - echo "${i} is running..." - fi - done - exit $RETVAL -} - -testconfig() -{ - # We first loop to check the config - for i in ${SDAEMONS}; do - ${DIR}/bin/${i} -t ${DEBUG_CLI}; - if [ $? != 0 ]; then - echo "${i}: Configuration error. Exiting" - unlock; - exit 1; - fi - done -} - -start() -{ - SDAEMONS="${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-syscheckd ossec-monitord" - - echo "Starting $NAME $VERSION..." - echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1; - if [ ! $? = 0 ]; then - echo "ossec-analysisd: Configuration error. Exiting." - exit 1; - fi - - lock; - checkpid; - - # We actually start them now. - for i in ${SDAEMONS}; do - pstatus ${i}; - if [ $? = 0 ]; then - ${DIR}/bin/${i} ${DEBUG_CLI}; - if [ $? != 0 ]; then - echo "${i} did not start correctly."; - unlock; - exit 1; - fi - echo "Started ${i}..." - else - echo "${i} already running..." - fi - done - - # After we start we give 2 seconds for the daemons - # to internally create their PID files. - sleep 2; - unlock; - - ls -la "${DIR}/ossec-agent/" >/dev/null 2>&1 - if [ $? = 0 ]; then - echo "" - echo "Starting sub agent directory (for hybrid mode)" - ${DIR}/ossec-agent/bin/ossec-control start - fi - - echo "Completed." -} - -pstatus() -{ - pfile=$1; - - # pfile must be set - if [ "X${pfile}" = "X" ]; then - return 0; - fi - - ls ${DIR}/var/run/${pfile}*.pid > /dev/null 2>&1 - if [ $? = 0 ]; then - for j in `cat ${DIR}/var/run/${pfile}*.pid 2>/dev/null`; do - ps -p $j |grep ossec >/dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "${pfile}: Process $j not used by ossec, removing .." - rm -f ${DIR}/var/run/${pfile}-$j.pid - continue; - fi - - kill -0 $j > /dev/null 2>&1 - if [ $? = 0 ]; then - return 1; - fi - done - fi - - return 0; -} - -stopa() -{ - lock; - checkpid; - for i in ${DAEMONS}; do - pstatus ${i}; - if [ $? = 1 ]; then - echo "Killing ${i} .. "; - kill `cat ${DIR}/var/run/${i}*.pid`; - else - echo "${i} not running .."; - fi - rm -f ${DIR}/var/run/${i}*.pid - done - - unlock; - - ls -la "${DIR}/ossec-agent/" >/dev/null 2>&1 - if [ $? = 0 ]; then - echo "" - echo "Stopping sub agent directory (for hybrid mode)" - ${DIR}/ossec-agent/bin/ossec-control stop - fi - echo "$NAME $VERSION Stopped" -} - -### MAIN HERE ### - -case "$1" in -start) - testconfig - start - ;; -stop) - stopa - ;; -restart) - testconfig - stopa - sleep 1; - start - ;; -status) - status - ;; -help) - help - ;; -enable) - enable $1 $2; - ;; -disable) - disable $1 $2; - ;; -*) - help -esac - diff --git a/debian/ossec-hids/var/ossec/bin/ossec-logcollector b/debian/ossec-hids/var/ossec/bin/ossec-logcollector deleted file mode 100755 index f456dcb..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-logcollector and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-logtest b/debian/ossec-hids/var/ossec/bin/ossec-logtest deleted file mode 100755 index 452fc24..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-logtest and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-maild b/debian/ossec-hids/var/ossec/bin/ossec-maild deleted file mode 100755 index 3b0ba70..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-maild and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-makelists b/debian/ossec-hids/var/ossec/bin/ossec-makelists deleted file mode 100755 index a4e4d11..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-makelists and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-monitord b/debian/ossec-hids/var/ossec/bin/ossec-monitord deleted file mode 100755 index 72f7b98..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-monitord and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-regex b/debian/ossec-hids/var/ossec/bin/ossec-regex deleted file mode 100755 index d8148e5..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-regex and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-regex-convert b/debian/ossec-hids/var/ossec/bin/ossec-regex-convert deleted file mode 100755 index f1a2581..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-regex-convert and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-remoted b/debian/ossec-hids/var/ossec/bin/ossec-remoted deleted file mode 100755 index 68a8f7b..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-remoted and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-reportd b/debian/ossec-hids/var/ossec/bin/ossec-reportd deleted file mode 100755 index a15e627..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-reportd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/ossec-server.sh b/debian/ossec-hids/var/ossec/bin/ossec-server.sh deleted file mode 100755 index 5a12515..0000000 --- a/debian/ossec-hids/var/ossec/bin/ossec-server.sh +++ /dev/null @@ -1,323 +0,0 @@ -#!/bin/sh -# ossec-control This shell script takes care of starting -# or stopping ossec-hids -# Author: Daniel B. Cid - -# Getting where we are installed -LOCAL=`dirname $0`; -cd ${LOCAL} -PWD=`pwd` -DIR=`dirname $PWD`; -PLIST=${DIR}/bin/.process_list; - -### Do not modify below here ### - -# Getting additional processes -ls -la ${PLIST} > /dev/null 2>&1 -if [ $? = 0 ]; then -. ${PLIST}; -fi - -NAME="OSSEC HIDS" -VERSION="v3.3.0" - -[ -f /etc/ossec-init.conf ] && . /etc/ossec-init.conf; - -DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}" - -## Locking for the start/stop -LOCK="${DIR}/var/start-script-lock" -LOCK_PID="${LOCK}/pid" - -# This number should be more than enough (even if it is -# started multiple times together). It will try for up -# to 10 attempts (or 10 seconds) to execute. -MAX_ITERATION="10" - -checkpid() -{ - for i in ${DAEMONS}; do - for j in `cat ${DIR}/var/run/${i}*.pid 2>/dev/null`; do - ps -p $j |grep ossec >/dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "Deleting PID file '${DIR}/var/run/${i}-${j}.pid' not used..." - rm ${DIR}/var/run/${i}-${j}.pid - fi - done - done -} - -lock() -{ - i=0; - - # Providing a lock. - while [ 1 ]; do - mkdir ${LOCK} > /dev/null 2>&1 - MSL=$? - if [ "${MSL}" = "0" ]; then - # Lock acquired (setting the pid) - echo "$$" > ${LOCK_PID} - return; - fi - - # Waiting 1 second before trying again - sleep 1; - i=`expr $i + 1`; - - # If PID is not present, speed things a bit. - kill -0 `cat ${LOCK_PID}` >/dev/null 2>&1 - if [ ! $? = 0 ]; then - # Pid is not present. - i=`expr $i + 1`; - fi - - # We tried 10 times to acquire the lock. - if [ "$i" = "${MAX_ITERATION}" ]; then - # Unlocking and executing - unlock; - mkdir ${LOCK} > /dev/null 2>&1 - echo "$$" > ${LOCK_PID} - return; - fi - done -} - -unlock() -{ - rm -rf ${LOCK} -} - -help() -{ - # Help message - echo "" - echo "Usage: $0 {start|stop|reload|restart|status|enable|disable}"; - exit 1; -} - -# Enables additional daemons -enable() -{ - if [ "X$2" = "X" ]; then - echo "" - echo "Enable options: database, client-syslog, agentless, debug" - echo "Usage: $0 enable [database|client-syslog|agentless|debug]" - exit 1; - fi - - if [ "X$2" = "Xdatabase" ]; then - echo "DB_DAEMON=ossec-dbd" >> ${PLIST}; - elif [ "X$2" = "Xclient-syslog" ]; then - echo "CSYSLOG_DAEMON=ossec-csyslogd" >> ${PLIST}; - elif [ "X$2" = "Xagentless" ]; then - echo "AGENTLESS_DAEMON=ossec-agentlessd" >> ${PLIST}; - elif [ "X$2" = "Xdebug" ]; then - echo "DEBUG_CLI=\"-d\"" >> ${PLIST}; - else - echo "" - echo "Invalid enable option." - echo "" - echo "Enable options: database, client-syslog, agentless, debug" - echo "Usage: $0 enable [database|client-syslog|agentless|debug]" - exit 1; - fi -} - -# Disables additional daemons -disable() -{ - if [ "X$2" = "X" ]; then - echo "" - echo "Disable options: database, client-syslog, agentless, debug" - echo "Usage: $0 disable [database|client-syslog|agentless|debug]" - exit 1; - fi - - if [ "X$2" = "Xdatabase" ]; then - echo "DB_DAEMON=\"\"" >> ${PLIST}; - elif [ "X$2" = "Xclient-syslog" ]; then - echo "CSYSLOG_DAEMON=\"\"" >> ${PLIST}; - elif [ "X$2" = "Xagentless" ]; then - echo "AGENTLESS_DAEMON=\"\"" >> ${PLIST}; - elif [ "X$2" = "Xdebug" ]; then - echo "DEBUG_CLI=\"\"" >> ${PLIST}; - else - echo "" - echo "Invalid disable option." - echo "" - echo "Disable options: database, client-syslog, agentless, debug" - echo "Usage: $0 disable [database|client-syslog|agentless|debug]" - exit 1; - fi -} - -status() -{ - RETVAL=0 - for i in ${DAEMONS}; do - ## If ossec-maild is disabled, don't try to start it. - if [ X"$i" = "Xossec-maild" ]; then - grep "no<" ${DIR}/etc/ossec.conf >/dev/null 2>&1 - if [ $? = 0 ]; then - continue - fi - fi - - pstatus ${i}; - if [ $? = 0 ]; then - echo "${i} not running..." - RETVAL=1 - else - echo "${i} is running..." - fi - done - exit $RETVAL -} - -testconfig() -{ - # We first loop to check the config. - for i in ${SDAEMONS}; do - ${DIR}/bin/${i} -t ${DEBUG_CLI}; - if [ $? != 0 ]; then - echo "${i}: Configuration error. Exiting" - unlock; - exit 1; - fi - done -} - -# Start function -start() -{ - SDAEMONS="${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-remoted ossec-syscheckd ossec-monitord" - - echo "Starting $NAME $VERSION..." - echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1; - if [ ! $? = 0 ]; then - echo "OSSEC analysisd: Testing rules failed. Configuration error. Exiting." - exit 1; - fi - lock; - checkpid; - - # We actually start them now. - for i in ${SDAEMONS}; do - - ## If ossec-maild is disabled, don't try to start it. - if [ X"$i" = "Xossec-maild" ]; then - grep "no<" ${DIR}/etc/ossec.conf >/dev/null 2>&1 - if [ $? = 0 ]; then - continue - fi - fi - - pstatus ${i}; - if [ $? = 0 ]; then - ${DIR}/bin/${i} ${DEBUG_CLI}; - if [ $? != 0 ]; then - echo "${i} did not start correctly."; - unlock; - exit 1; - fi - - echo "Started ${i}..." - else - echo "${i} already running..." - fi - done - - # After we start we give 2 seconds for the daemons - # to internally create their PID files. - sleep 2; - unlock; - echo "Completed." -} - -pstatus() -{ - pfile=$1; - - # pfile must be set - if [ "X${pfile}" = "X" ]; then - return 0; - fi - - ls ${DIR}/var/run/${pfile}*.pid > /dev/null 2>&1 - if [ $? = 0 ]; then - for j in `cat ${DIR}/var/run/${pfile}*.pid 2>/dev/null`; do - ps -p $j |grep ossec >/dev/null 2>&1 - if [ ! $? = 0 ]; then - echo "${pfile}: Process $j not used by ossec, removing .." - rm -f ${DIR}/var/run/${pfile}-$j.pid - continue; - fi - - kill -0 $j > /dev/null 2>&1 - if [ $? = 0 ]; then - return 1; - fi - done - fi - - return 0; -} - -stopa() -{ - lock; - checkpid; - for i in ${DAEMONS}; do - pstatus ${i}; - if [ $? = 1 ]; then - echo "Killing ${i} .. "; - - kill `cat ${DIR}/var/run/${i}*.pid`; - else - echo "${i} not running .."; - fi - rm -f ${DIR}/var/run/${i}*.pid - done - - unlock; - echo "$NAME $VERSION Stopped" -} - -### MAIN HERE ### - -case "$1" in -start) - testconfig - start - ;; -stop) - stopa - ;; -restart) - testconfig - stopa - sleep 1; - start - ;; -reload) - DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}" - stopa - start - ;; -status) - status - ;; -help) - help - ;; -enable) - enable $1 $2; - ;; -disable) - disable $1 $2; - ;; -*) - help -esac - diff --git a/debian/ossec-hids/var/ossec/bin/ossec-syscheckd b/debian/ossec-hids/var/ossec/bin/ossec-syscheckd deleted file mode 100755 index b1f70b5..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/ossec-syscheckd and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/rootcheck_control b/debian/ossec-hids/var/ossec/bin/rootcheck_control deleted file mode 100755 index bc8e3ee..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/rootcheck_control and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/syscheck_control b/debian/ossec-hids/var/ossec/bin/syscheck_control deleted file mode 100755 index 7b4fe02..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/syscheck_control and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/syscheck_update b/debian/ossec-hids/var/ossec/bin/syscheck_update deleted file mode 100755 index e52d5e9..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/syscheck_update and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/bin/verify-agent-conf b/debian/ossec-hids/var/ossec/bin/verify-agent-conf deleted file mode 100755 index 639028c..0000000 Binary files a/debian/ossec-hids/var/ossec/bin/verify-agent-conf and /dev/null differ diff --git a/debian/ossec-hids/var/ossec/etc/decoder.xml b/debian/ossec-hids/var/ossec/etc/decoder.xml deleted file mode 100644 index 1d73df8..0000000 --- a/debian/ossec-hids/var/ossec/etc/decoder.xml +++ /dev/null @@ -1,3371 +0,0 @@ - - - - - - - - - (pam_unix)$ - - - - - ^pam_unix|^\(pam_unix\)|^pam_succeed_if - - - - pam - ^session \w+ - ^for user (\S+) - user - - - - - - pam - rhost=\S+\s+user=\S+ - rhost=(\S+)\s+user=(\S+) - srcip, user - - - - pam - ruser - ^=(\S+) - user - - - - pam - rhost=(\S+) - srcip - - - - pam - rhost - ^=(\S+) - srcip - - - - - - - ^sshd - - - - sshd - ^Accepted - ^ \S+ for (\S+) from (\S+) port - user, srcip - name, user, location - - - - sshd - ^User \S+ from - ^User (\S+) from (\S+) - user, srcip - - - - sshd - ^User - ^(\S+), coming from (\S+), - user, srcip - name, user, location - - - - sshd - ^Postponed keyboard-interactive|^Failed keyboard-interactive - user (\S+) from (\S+) port (\d+) - user, srcip, srcport - - - - sshd - ^Failed \S+ for invalid user|^Failed \S+ for illegal user - from (\S+) port \d+ \w+$ - srcip - - - - sshd - ^Failed \S+ - ^for (\S+) from (\S+) port \d+ - user, srcip - - - - sshd - ^error: PAM: Authentication \w+ - ^for (\S+) from (\S+)$ - user, srcip - - - - sshd - ^error: PAM: - user (\S+) from (\S+) - user, srcip - - - - sshd - ^reverse mapping checking - ^\w+ for \S+ [(\S+)] |^\w+ for (\S+) - srcip - - - - sshd - ^Invalid user|^Illegal user - from (\S+) - srcip - - - - sshd - ^scanned from - (\S+) - srcip - - - - sshd - ^Received disconnect - ^from (\S+): |^from (\S+) - srcip - - - - sshd - ^Disconnected from invalid user - \S+ (\S+) - srcip - - - - sshd - ^Connection closed by - user (\S+) (\S+) - user, srcip - - - - sshd - ^Unable to negotiate with - ^(\S+) port (\d+) - srcip, srcport - - - - sshd - ^Protocol major versions differ for - ^(\S+) - srcip - - - - - - sshd - ^Did not receive identification |^Bad protocol version - from (\S+)$| from (\S+) port (\d+)$ - srcip,srcport - - - - sshd - ^refused connect - ^from (\S+)$|^from \S+ \((\S+\w+)\)$|^from \S+ \((\S+::)\)$ - srcip - - - - sshd - ^Connection closed - ^by (\S+)$ - srcip - - - - sshd - ^Received disconnect - ^from (\S+): - srcip - - - - - - sshd - ^pam_ldap: - user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+" - user - - - - sshd - fatal: Unable to negotiate with - ^(\S+) port (\d+): |^(\S+): - srcip, srcport - - - - sshd - rhost=\S+\s+user=\S+ - rhost=(\S+)\s+user=(\S+) - srcip, user - - - - - - sshd - exceeded for - (\S+) from (\S+) port (\d+) - user, srcip, srcport - - - - - - ^dropbear - - - - - - dropbear - password - for '(\S+)' from (\S+):\d+$ - dstuser, srcip - - - - - - dropbear - nonexistent - from (\S+):\d+$ - srcip - - - - - - dropbear - (\S+) for '(\S+)' with key \S+ (\S+) from (\S+):\d+$ - status,dstuser,extra_data,srcip - - - - - ^telnetd|^in.telnetd - - - - telnetd - from (\S+)$ - srcip - - - - - - - ^rshd$ - - - - rshd - ^Connection from (\S+) on illegal port$ - srcip - - - - - - - ^cimserver$ - - - - cimserver - ^\w+: Authentication failed for user - ^(\S+).$ - user - - - - - - - - ^smbd - - - - smbd - User name: - ^ (\S+). - user - - - - smbd - from \((\S+)\) - srcip - - - - smbd - from (\S+)$ - from (\S+)$ - srcip - - - - smbd - to client \S+. - to client (\S+). - srcip - - - - ^nmbd - - - - - - ^sudo - ^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sCOMMAND=(\.+)$| - ^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sTSID=\S+\s;\sCOMMAND=(\.+)$ - dstuser,url,srcuser,status - name,dstuser,location - First time user executed the sudo command - - - - - ^su$ - - - - su - ^'su - ^'su (\S+)' \S+ for (\S+) on \S+$ - dstuser, srcuser - name, srcuser, location - - - - su - pam_ldap - user "uid=(\S+), - user - - - - ^SU \S+ \S+ - ^\S \S+ (\S+)-(\S+)$ - srcuser, dstuser - name, srcuser, location - - - - su - ^FAILED SU - ^\(to (\S+) (\S+) on - dstuser, srcuser - - - - su - - ^BAD SU (\S+) to (\S+) on| - ^failed: \S+ changing from (\S+) to (\S+)| - ^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on - srcuser, dstuser - name, srcuser, location - - - - - - - ^proftpd - - - - proftpd - : Login successful - ^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+): - Login successful - srcip, user - name, user, srcip, location - - - - proftpd - ^\S+ \(\S+[(\S+)]\) - srcip - - - - - - - ^pure-ftpd - - - - pure-ftpd - ^\S+ [INFO] \S+ is now logged in - ^\(?@(\S+)\) [INFO] (\S+) is now logged in - srcip, user - name, user, srcip, location - - - - pure-ftpd - ^\((\S+)@(\S+)\) [ - user,srcip - - - - - - ^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d \S\d\d\d\d] "\w+ \S+" - ^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$ - extra_data,dstuser,action,url,status - - - - - - - - - - - ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] - - - - ^vsftpd - ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] - - - - vsftpd - LOGIN: - [(\S+)] (\S+ LOGIN): Client "(\S+\w)"$ - user,status,srcip - - - - vsftpd - ^CONNECT: - (CONNECT): Client "(\S+\w+)"$ - action,srcip - - - - vsftpd - [(\S+)] (OK \S+): Client "(\S+)", "(\.+)"\.* - user,status,srcip,url - - - - vsftpd - Client "(\S+\w)"$ - srcip - - - - - - ^ftpd|^in.ftpd - - - - ftpd - ^Failed authentication from: \S+ | - ^repeated login failures from - - ^\S+ [(\S+)]$|^(\S+) - srcip - - - - ftpd - ^FTP LOGIN REFUSED - [(\S+)]$ - srcip - - - - ftpd - from (\S+)$ - srcip - - - - ftpd - ^login \S+ from \S+ failed. - ^login (\S+) from (\S+) failed.$ - user, srcip - - - - - - - ^arpwatch - - - - arpwatch - ^new station |^bogon - ^(\S+) (\S+) - srcip, extra_data - name, srcip, extra_data - - - - - - - ^MySQL log: - - - - - - - ^[\d\d\d\d-\d\d-\d\d \S+ \w+] - ^\S+ (\w+): - status - - - - - - - ^imapd - user=(\S+) \.+ [(\S+)]$ - user,srcip - - - - - - - ^vpopmail - - - - vpopmail - ^vchkpw-\S+: password fail - (\S+)@\S+:(\S+)$ - user, srcip - - - - vpopmail - ^vchkpw-\S+: vpopmail user not - ^found (\S+):(\S+)$ - user, srcip - - - - vpopmail - ^vchkpw-\S+: null password - ^given (\S+):(\S+)$ - user, srcip - - - - vpopmail - ^vchkpw-\S+: \(\S+\) login - ^success (\S+):(\S+)$ - user, srcip - - - - - - - ^vm-pop3d - - - - vm-pop3d - ^User ' - ^(\S+)' - \w+ auth, - from=(\S+)$ - user, srcip - - - - - - - ^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap - - - - courier - ^LOGIN, - ^user=(\S+), ip=[(\S+)]$ - user, srcip - - - - courier - , ip=[(\S+)]$ - srcip - - - - - - - - ^dovecot - - - - dovecot - ^\w\w\w\w-login: Login: - ^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$ - user, srcip, dstip, protocol - - - - dovecot - ^\w\w\w\w-login: Aborted login - : user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), (\S*)$ - user, srcip, dstip, protocol - - - - dovecot - ^auth\(default\)|auth-worker\(default\) - ^: \S+\((\S+),(\S+)\) - user, srcip - - - - dovecot - ^\w\w\w\w-login: - \(auth failed, \d+ attempts in \d+ secs\): user=\p(\S+)\p, method=\w+, rip=(\S+), lip=(\S+) - user,srcip,dstip - - - - dovecot - ^\w\w\w\w-login: Disconnected: - ^rip=(\S+), lip=(\S+) - srcip, dstip - - - - ^Info$|^Warn$ - - - - dovecot-info - imap-login - Login: user=(\S+), method=\.+, rip=(\S+), lip=(\S+) - user, srcip, dstip - - - - dovecot-info - auth\(\.+\): \S+\((\S+),(\S+)\): - user, srcip - - - - - - ^named - - - - named - : query - client (\S+)#\d+\s*\S*: - srcip,url - - - - named - query: (\S+) IN|query \S+ '(\S+)/ - url - - - - named - ^client - ^(\S+)# - srcip - - - - named - from [(\S+)] - srcip - - - - named - for master - for master (\S+):(\d+) \S+ \(source (\S+)#d+\)$ - dstip,dstport,srcip - - - - - - - ^postfix - - - - true - postfix - ^NOQUEUE: reject: \w\w\w\w from - [(\S+)]:\d+: (\d+) |[(\S+)]:(\d+): |[(\S+)]: (\d+) |[(\S+)]:(\d+): - srcip,id - - - - postfix - ^warning: \S+: SASL - ^warning: \S+[(\S+)]: - srcip - - - - - - ^sendmail|^sm-mta|^sm-msp-queue - - - - sendmail-reject - ^\S+: rejecting commands from - ^ \S+ [(\S+)] - srcip - - - - sendmail-reject - relay=[ - ^(\S+)] - srcip - - - - sendmail-reject - relay=\S+ [ - ^(\S+)] - srcip - - - - - - - - ^smf-sav - ^sender check failed| - ^sender check tempfailed - ^ \(cached\): \S+, (\S+),| - ^: \S+, (\S+), - srcip - - - - - - - ^MailScanner - - - - mailscanner - ^Message \S+ from - ^(\S+) \S+ to \S+ is (\w+) - srcip, action - - - - - - - ^smtpd - - - - smtpd - ^client - ^client (\S+) - srcip - - - - smtpd - relay= - relay=\S+ [(\S+)], - srcip - - - - smtpd - ^smtp-in: - ^(\S+) - status - - - - smtpd - => (\d+) - action - - - - - - ^kernel - - - - iptables - firewall - ^[\d+.\d+] \S+ IN= - - ^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+) - \.+ PROTO=(\w+) - action,srcip,dstip,protocol - - - - iptables - firewall - ^SPT=(\d+) DPT=(\d+) - srcport,dstport - - - - iptables - firewall - ^\S+ IN= - - ^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ - PROTO=(\w+) - action,srcip,dstip,protocol - - - - iptables - firewall - ^SPT=(\d+) DPT=(\d+) - srcport,dstport - - - - iptables - firewall - ^Shorewall:\S+: - - ^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ - PROTO=(\w+) - action,srcip,dstip,protocol - - - - iptables - firewall - ^SPT=(\d+) DPT=(\d+) - srcport,dstport - - - - iptables - firewall - ^\p\S+\p Shorewall:\S+: - ^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ - PROTO=(\w+) - action,srcip,dstip,protocol - - - - - - firewall - ^ipmon - (\w) (\S+),(\d+) -> - (\S+),(\d+) PR (\w+) - action,srcip,srcport,dstip,dstport,protocol - - - - - - firewall - ^ipsec_logd - R:(\w) \w:\S+ S:(\S+) - D:(\S+) P:(\S+) SP:(\d+) DP:(\d+) - action,srcip,dstip,protocol,srcport,dstport - - - - - - - firewall - ^pf$ - PF_Decoder - - - - - - - firewall - ^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d - SonicWall_Decoder - - - - - - - - ^NetScreen device_id - - - - netscreenfw - firewall - - system-notification-00257 - \(traffic\): - - proto=(\w+) \.+action=(\w+) - \.+src=(\S+) dst=(\S+) src_port=(\d+) dst_port=(\d+) - protocol, action, srcip, dstip, srcport, dstport - - - - netscreenfw - system-critical-\.+ from | - system-alert-\.+ from | - system-emergency-\.+ From - - system-(\w+)-(\d+): \.+ - from\.+(\S+) - action, id, srcip - - - - netscreenfw - system-(\w+)-(\d+): - action, id - - - - - - ^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-| - ^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-| - ^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM- - - - - pix - firewall - ^2-106001 - ^(\S+): \w+ (\w+) \S+ (\S+) from - (\S+)/(\S+) to (\S+)/(\S+) - id, protocol, action, srcip, srcport, dstip, dstport - - - - pix - firewall - ^3-710003|^7-710002|^7-710005 - ^(\S+): (\S+) \w+ (\w+) \.+from - (\S+)/(\S+) to \w+:(\S+)/(\S+) - id, protocol, action, srcip, srcport, dstip, dstport - - - - pix - firewall - ^4-106023 - ^(\S+): (\w+) (\w+) src \w+: - (\S+)/(\S+) dst \w+:(\S+)/(\S+) - id, action, protocol, srcip, srcport, dstip, dstport - - - - pix - firewall - ^4-106019 - ^(\S+): IP packet from (\S+) to - (\S+), protocol (\w+) (\w+) - id, srcip, dstip, protocol, action - - - - pix - firewall - ^2-106006|^2-106007 - ^(\S+): (\w+) \S+ (\w+) from - (\S+)/(\d+) to (\S+)/(\d+) - id, action, protocol, srcip, srcport, dstip, dstport - - - - pix - firewall - ^6-106015 - ^(\S+): (\w+) (\w+) \S+ \S+ (\S+) from - (\S+)/(\S+) to (\S+)/(\S+) - id, action, protocol, srcip, srcport, dstip, dstport - - - - pix - firewall - ^6-305012 - ^(\S+): (\w+) \w+ (\w+) translation - from \w+:(\S+)/(\d+) to \w+:(\S+)/(\d+) - id, action, protocol, srcip, srcport, dstip, dstport - - - - pix - firewall - ^3-106011|^3-106010 - ^(\S+): (\w+) \.+ (\w+) src - \w+:(\S+)/(\d+) dst \w+:(\S+)/(\d+) - id, action, protocol, srcip, srcport, dstip, dstport - - - - pix - ^5-304001: - ^(\S+): (\S+) Accessed URL - (\S+):(http\w*://\.+)| - ^(\S+): (\S+) Accessed URL (\S+): - id, srcip, dstip, url - - - - pix - ^5-304002: - ^(\S+): Access (denied) URL (http\w*://\.+) - SRC (\S+) DEST (\S+) on interface - id, action, url, srcip, dstip - - - - pix - ^2-106012: |^2-106017: | - ^2-106020|^1-106021|^1-106022| - ^4-4000 - ^(\S+): \.+ from (\S+) - id, srcip - - - - pix - ^6-308001 - ^(\S+): \.+ (\S+) - id, srcip - - - - pix - ^6-605004|^6-605005 - ^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\w+)" - id, action, srcip, srcport, user - - - - pix - ^(\S+): - id - - - - - - - ^\d+ \d\d/\d\d/\d\d\d\d \S+ SEV=\d - ^(\S+) RPT=\d+ (\S+) - id, srcip - - - - - - - - ^snort - - - - ids - ^[**] [\d+:\d+:\d+] - - - - snort - ids - ^[**] |^[\d+:\d+:\d+] - ^[**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> - (\S+)|^[(\d+:\d+:\d+)] \.+ - (\S+)\p*\d* -> (\S+) - id,srcip,dstip - name,id,srcip,dstip - - - - snort - ids - ^[Drop] [**] |^[\d+:\d+:\d+] - ^[Drop] [**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> - (\S+)|^[(\d+:\d+:\d+)] \.+ - (\S+)\p*\d* -> (\S+) - id,srcip,dstip - name,id,srcip,dstip - - - - - - - ^isakmpd - - - - isakmpd - message from - from (\S+) port (\d+) - srcip,srcport - - - - isakmpd - from peer - from peer (\S+):(\d+)$ - srcip,srcport - - - - - - - ^suhosin - ids - ^ALERT - (\.+) \(attacker '(\S+)', - id, srcip - name, location, id - - - - - - - ids - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\| - ^\S+\|(\S+)\| - (\S+)\|(\S+)\| - id, srcip, dstip - name, id, srcip, dstip - - - - - - - ^[\w+] [imp] |^[\w+] [horde] - - - - horde_imp - ^Login success - ^for (\S+) [(\S+)] - user, srcip - - - - horde_imp - ^FAILED LOGIN - ^ (\S+) to \S+ as (\S+) - srcip, user - - - - - - - ^WPsyslog|^wpcore - ^[ - ^(\S+) - srcip - - - - - - - - ^roundcube - - - - ^[\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d \S+] - - - - roundcube - Successful login for - ^(\S+) \(id \d+\) from (\S+)$|^(\S+) \(ID: \d+\) from (\S+) - user, srcip - - - - roundcube - ] \w+ Error: Authentication - ^for (\S+) failed - user - - - - roundcube - > \w+ Error: Login failed |> Failed login - ^for (\S+) from (\S+)\. |^for (\S+) from (\S+) in session - user, srcip - - - - - - - - ^httpd - - - - ^[warn] |^[notice] |^[error] - - - - ^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] - - - - - apache-errorlog - [client \S+:\d+] \S+: - [client (\S+):(\d+)] (\S+): - srcip,srcport,id - - - - apache-errorlog - [client \S+] \S+: - [client (\S+)] (\S+): - srcip,id - - - - - apache-errorlog - [client - ^ (\S+):(\d+)] |^ (\S+)] - srcip,srcport - - - - - - - ^20\d\d/\d\d/\d\d \d\d:\d\d:\d\d [ - - - - nginx-errorlog - , client: \S+, server: \S+, request: "\S+ - , client: (\S+), - srcip - - - - - - - - web-log - ^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \S+ HTTP\S+" - ^(\S+) \S+ (\S+) [\S+ \S\d+] - "(\w+) (\S+) HTTP\S+" (\d+) - srcip, srcuser, action, url, id - - - - - - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d - - - - - - - windows-date-format - firewall - true - ^OPEN|^CLOSE|^DROP - ^(\w+) (\w+) - (\S+) (\S+) (\d+) (\d+) - action, protocol, srcip, dstip, srcport, dstport - - - - - - windows-date-format - web-log - true - ^\S+ \S+ W3SVC - ^(\S+) \S+ \S+ \S+ \S+ - \d+ \S+ (\S+ \S+) (\d+) - srcip,url,id - - - - - - windows-date-format - web-log - true - ^W3SVC\d+ \S+ \S+ \S+ - ^(\S+ \S+) \d+ \S+ (\S+) - \S+ \S+ \S+ \S+ \S+ (\d+) - url, srcip, id - - - - - - windows-date-format - web-log - true - ^\S+ GET |^\S+ POST - (\S+ \S*) \.* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+ - url,srcip,id - - - - - - windows-date-format - true - ^\S+ \S+ MSFTPSVC - ^(\S+) (\S+) \S+ \S+ \S+ - \d+ [\d+](\S+) \S+ \S+ (\d+) - srcip,user,action,id - - - - - - - windows-date-format - true - ^\S+ \S+ SMTPSVC - ^(\S+) \S+ \S+ \S+ \S+ - \d+ (\S+) \S+ \S+ (\d+) - srcip, action, id - - - - - - - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d: - - - - racoon - true - - ^ERROR: couldn't find the pskey - ^for (\S+) - srcip - - - - racoon - ^(\w+): - action - - - - - - - windows - ^WinEvtLog - - - - windows - windows - ^\.+: (\w+)\((\d+)\): (\.+): - (\.+): \.+: (\S+): - status, id, extra_data, user, system_name - name, location, system_name - - - - windows - windows - Source Network Address: (\S+) - srcip - - - - windows - windows - Account Name:\s+(\w+\.+)\s+Account - user - - - - windows - windows - Account Domain:\s\s+(\w\.+)\s\s+Logon ID: - extra_data - - - - - - windows - ^security[\w+] \d+ - ^(\w+)[(\w+)] (\d+) - extra_data, status, id - - - - - - windows - ^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d - ^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+) - \t(\.+)\t\.+\t(\.+)\t(\.+)\t - id, extra_data, user, status, system_name - name, id, location, user, system_name - - - - - - ^\w\w\w\w\w\w\w\w\w\w\w\w, - ^(\d+),\d+,\d+,(\S+),(\.+), - id, system_name, extra_data - name, location, id, system_name, extra_data - - - - - - ^\d\d\d\d\d\d\d\d,\d\d\d+, - SymantecWS_Decoder - - - - - - - ^20\d\d\d\d\d\d\<;> - ^\d+\<;>\S+\<;>(\d+)\<; - id - - - - - - - ^ossec: - ossec - - - - ossec - ^\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d ossec-logcollector - ^\(\d+\): (\.) - extra_data - - - - ossec - ossec - ^Agent started: - ^ '(\S+\S)' - extra_data - name, location, extra_data - - - - ossec - ^ossec: Alert Level: - OSSECAlert_Decoder - - - - ^ossec$ - OSSECAlert_Decoder - - - - - - ^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response - /bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+) - action, status, srcip, id, extra_data - - - - - ^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] - host=(\S+), - srcip - - - - - - - ^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d '\S+' \d+ - - - - vmware - ^(\w+)] \S+ \S+ - status - - - - vmware - ^: User (\w+)@(\S+) - logged |^: Failed login \w+ for (\w+)@(\S+) - user, srcip - - - - vmware - - - - vmware-syslog - ^Accepted|^Rejected - ^ \S+ for user (\S+) from (\S+)$ - user, srcip - - - - vmware-syslog - ^login from - ^(\S+) as - srcip - - - - - - - ^audit$ - - - - solaris_bsm - \w+ session \d+ by - (\w+) session \d+ by - status - - - - solaris_bsm - ^ \S+ as \S+:\S+ from (\S+) - srcip - - - - - - - ^asterisk - - - - asterisk - ^WARNING[\d+]: \S+ in \S+: Don't know - ^\S+ how to respond via '(\w+/\d.\d/\w+)' - user - - - - asterisk - ^NOTICE[\d+]: \S+ in \S+: Registration from - ^'\.+' failed for '(\S+):(\d+)'|^'\.+' failed for '(\S+)' - srcip,srcport - - - - asterisk - Registration from - failed for '(\S+):(\d+)'|failed for '(\S+)' - srcip,srcport - - - - asterisk - ^NOTICE[\d+][\w+]: \S+ in \S+: Call from - ^'\S*' \((\S+):(\d+)\) to extension '(\S+)' rejected because extension not found in context '(\S+)'.$ - srcip, srcport, extra_data, extra_data - - - - asterisk - ^NOTICE[\d+]: \S+ in \S+: Host - ^(\S+) failed MD5 authentication for (\S+) - srcip, user - - - - - ^%\w+-\d-\w+: - - - - - ^%\w+-\d-\w+: - - - - - - cisco-ios - firewall - ^%SEC-6-IPACCESSLOGP: - ^list \S+ (\w+) (\w+) - (\S+)\((\d+)\) -> (\S+)\((\d+)\), - action, protocol, srcip, srcport, dstip, dstport - - - - - - cisco-ios - ids - ^%IPS-4-SIGNATURE: - ^Sig:(\d+) \.+[(\S+):(\d+) -> - (\S+):(\d+)] - id, srcip, srcport, dstip, dstport - name, id, srcip, dstip - First time Cisco IOS IDS/IPS module rule fired. - - - - - - cisco-ios - ^(%\w+-\d-\w+): - id - - - - - - - - - ^Checkpoint - ^\s+\S+ \d\d:\d\d:\d\d - - - - checkpoint-syslog - firewall - ^drop|^accept|^reject - ^(\w+)\s+\S+ \p\S+ rule:\.+ - src: (\S+); dst: (\S+); proto: (\S+); - action,srcip,dstip,protocol - - - - checkpoint-syslog - firewall - service: (\d+); s_port: (\d+); - dstport,srcport - - - - checkpoint-syslog - ids - ^monitor|^drop - attack: (\.+); - src: (\S+); dst: (\S+); - proto: (\S+); - extra_data, srcip, dstip, protocol - name, extra_data, srcip, dstip - First time Checkpoint rule fired. - - - - - - - - - - ^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,| - ^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+, - ^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\S+) - id,extra_data,srcip - - - - - ^\d\d\d\d\d,\d\d/\d\d/\d\d,\d\d:\d\d:\d\d, - ^(\d\d\d\d\d), - id - - - - - - ^/bsd - - - - bsd_kernel - ^arp - for (\S+) by (\S+) on \S+ - dstip, extra_data - - - - - - userdel - user removed: name=(\S+)$ - srcuser - - - - - - - - ^mountd - - - - mountd - from host - (\S+) port \d+$ - srcip - - - - - - - - - - - groupdel - ^group deleted: name=(\S+)$ - extra_data - - - - - - ^portsentry - - - - portsentry - attackalert: Connect from host: - (\S+)/\S+ to (\S+) port: (\d+)$ - srcip,protocol,dstport - - - - portsentry - is already blocked. Ignoring$ - Host: (\S+) is - srcip - - - - - - ^clamd - - - - ^freshclam - - - - - - ^slapd - - - - - openldap - ACCEPT - ^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+): - id, srcip - - - - - openldap - BIND - ^conn=(\d+) op=\d+ BIND dn="\w+=(\w+), - id, dstuser - - - - - - openldap - RESULT - ^conn=(\d+) op=\d+ RESULT - id - - - - - ^ntpd - - - - ntpd - ^bad peer - ^bad peer \S+ \p(\S+)\p$|^bad peer from pool \S+ \p(\S+)\p$ - srcip - - - - -type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)' -type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)' -type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron -type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' -type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)' - - -type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)' - - -type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp" -type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null) -type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod" -type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' -type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 - - -type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0 - ---> - - - ^type= - - - - - auditd - ^AVC - ^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$ - action,id,status,extra_data - - - - - auditd - ^SYSCALL - ^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)" - action,id,status,extra_data - - - - - auditd - ^CONFIG_CHANGE - ^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$ - action,id,extra_data - - - - - auditd - ^PATH - ^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+ - action,id,extra_data - - - - - auditd - ^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+| - ^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+ - action,id - - - - auditd - acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$ - user,extra_data,srcip - - - - auditd - ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$ - user,extra_data,srcip,status - - - - auditd - subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$ - user,extra_data,srcip,status - - - - auditd - subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$ - extra_data,srcip,status - - - - - iptables - ^[\s\d+.\d+] mptscsih: - ^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+) - id,data,status - - - - iptables - ^[\s\d+.\d+] mptbase: - ^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$ - id,data,action,status - - - - - - - - ^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* | - ^HT502: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* | - ^HT503: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* - - - - grandstream-ata - Received - ^(\d+) response for transaction (\d+)\((\w+)\)$ - status, id, action - - - - grandstream-ata - Account - ^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (\.+)$ - id, status, extra_data - name, location, extra_data - - - - grandstream-ata - Vinetic:: - ^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$ - action, id - - - - grandstream-ata - ^(Dialing) (\d+)$ - action, id - - - - - - - iptables - apparmor= - apparmor="(\S+)" operation="(\S+)" - status, extra_data - - - - - ^unix_chkpwd - - - - - unix_chkpwd - user \((\w+)\)$ - srcuser - - - - - - ^inbound/pass|^scan|^outbound/smtp - - - - barracuda-svf-email - ^\S+[\S+]| - ^\S+ - ^\S+[(\S+)] (\d+-\w+-\w+) \d+ \d+ | - ^(\S+) (\d+-\w+-\w+) \d+ \d+ - srcip, id - - - - - barracuda-svf-email - (SCAN) (\S+ \S+ \S+ \S+ \d+ \d+ \.+ SUBJ:\.+)$ - action, extra_data - - - - - barracuda-svf-email - (RECV) (\S+ \S+ \d+ \d+ \.+)$ - action, extra_data - - - - - barracuda-svf-email - (SEND) (\S+ \d+ \S+ \.+)$ - action, extra_data - - - - - - ^web - - - - barracuda-svf-admin - ^[\S+] global[] CHANGE - ^[(\S+)] global[] (CHANGE) (\S+ \(\S*)\)$ - srcip,action,extra_data - - - - barracuda-svf-admin - ^[\S+] LOGIN| - ^[\S+] FAILED_LOGIN| - ^[\S+] LOGOUT - ^[(\S+)] (\S+) \((\S+)\)\p*$ - srcip,action,user - - - - - - -windows -INFORMATION\(1\) -Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine: -status,user,url,data - - - - - squid - ^\d+ \S+ - ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) - srcip,action,id,url - - - - - - - ^unbound - - - - unbound - info: (\S+) (\S+). A IN$| info: (\S+) (\S+) AAAA IN$ - srcip,url - - - - - ^doas - - - - doas - ^(\S+) ran| for (\S+): - srcuser - - - - doas - as (\S+): - dstuser - - - - - - windows-date-format - authenticator failed - [(\S+)]:\d+: \d+ Incorrect authentication data \(set_id=(\w+)\) - srcip,user - - - - windows-date-format - ^SMTP connection from - [(\S+)]:\d+ \(TCP/IP connection count - srcip - - - - windows-date-format - ^SMTP connection from - [(\S+)]:\d+ lost - srcip - - - - windows-date-format - ^SMTP call from - [(\S+)]:\d+ dropped: too many syntax or protocol errors - srcip - - - - - - ^nsd - - - - nsd - from (\S+)@| from (\S+) - srcip - - - - - - ^{"reqId":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"app":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"reqId":"\S+","level":\d,"time":"\S+","message":"\.+"}$ - - - - - ^ownCloud - - - - owncloud - Login failed: user - ^'(\w+)' , wrong password, IP:(\d+.\d+.\d+.\d+) - user, srcip - - - - owncloud - Login failed: - ^'(\w+)' \(Remote IP: '(\d+.\d+.\d+.\d+) - user, srcip - - - - owncloud - Passed filename is not valid, might be malicious - ;ip:"(\d+.\d+.\d+.\d+)|;ip:\\"(\d+.\d+.\d+.\d+) - srcip - - - - owncloud - ","level": - ^(\d)," - status - - - - - - psad - - - - psad - ^scan detected - (\S+) -> (\S+) \.+ DL: (\d) - srcip,dstip,status - - - - psad - ^message repeated - (\S+) -> (\S+) \.+ DL: (\d) - srcip,dstip,status - - - - psad - signature match: - src: (\S+) signature match: \.+ port: (\d+) - srcip,dstport - - - - - - ^pvedaemon - - - - ^pvestatd - - - - ^pveproxy - - - - ^pvepw-logger - - - - pvedaemon - authentication failure; - ^rhost=(\S+) user=(\S+)@pam msg=|^rhost=(\S+) user=(\S+)@pve msg= - srcip, user - - - - pvedaemon - successful auth for user ' - ^(\S+)@pam'$|^(\S+)@pve'$ - user - - - - ^dhcpd$ - - - - dhcpd - ^(\S+) \S+ (\S+) \S+ (\S+) via (\S+)$ - action, srcip, extra_data, extra_data - - - - dhcpd - acking - already acking lease (\S+) - srcip - - - - dhcpd - ^IP address - ^IP address (\S+) - srcip - - - - - [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] " - ^(\S+) (\S+) \S+ \S+ [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "(\S+) (\S+) HTTP/\d.\d" (\d+) \d$ - url, srcip, protocol, url, status - web-log - - - - - - ^dnsmasq - - - - dnsmasq - ^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) to (\S+)| - ^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) from (\S+)| - ^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) is (\S+) - srcip, action, url, extra_data - - - - - - - - - - - - - - - - ^kesl - - - - kesl - ^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\p - ^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\p\p - status, id, action, extra_data - - - - kesl - ^\p\pEventType\p: \p\S+\p,\pEventID\p: \p\d+\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p\S+\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \p\S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p - ^\p\pEventType\p: \p(\S+)\p,\pEventID\p: \p(\d+)\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p(\S+)\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p - status, id, extra_data, action - - - - kesl - ^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p\S+\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p\S+\p,\pRuntimeTaskId\p: \p\d+\p\p - ^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p(\S+)\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p(\S+)\p,\pRuntimeTaskId\p: \p\d+\p\p - action, id, extra_data, status, srcuser - - - - - - - dionaea.connections - ^{\pdirection\p: \p(\S+)\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\.\d+\p, \pdionaea_action\p: \p(\S+)\p, \ptype\p: \pdionaea.connections\p, \papp\p: \pdionaea\p, \psrc_ip\p: "(\S+)", \pvendor_product\p: \pDionaea\p, \pdest_port\p: (\d+), \psignature\p: \p\.+\p, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p} - extra_data, protocol, action, srcip, dstport, srcport, dstip - - - - - - - - - - cowrie.sessions - - - - cowrie - "SSH login attempted - ^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \pssh_username\p: \p(\S+)\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pssh_password\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"} - protocol, extra_data, user, dstport, srcport, srcip, action, dstip - - - - cowrie - "SSH session on cowrie honeypot - ^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \ptype\p: \pcowrie.sessions\p, \papp\p: \pcowrie\p, \psrc_ip\p: "(\S+)", \pdest_port\p: (\d+), \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p} - protocol, extra_data, srcip, dstport, action, srcport, dstip - - - - cowrie - "command attempted on cowrie honeypot - ^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pcommand\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"} - protocol, extra_data, dstport, srcport, srcip, action, dstip - - - diff --git a/debian/ossec-hids/var/ossec/etc/internal_options.conf b/debian/ossec-hids/var/ossec/etc/internal_options.conf deleted file mode 100644 index b4c7beb..0000000 --- a/debian/ossec-hids/var/ossec/etc/internal_options.conf +++ /dev/null @@ -1,130 +0,0 @@ -# internal_options.conf, Daniel B. Cid (dcid @ ossec.net). -# -# DO NOT TOUCH THIS FILE. The default configuration -# is at ossec.conf. More information at: -# http://www.ossec.net/en/manual.html -# -# This file should be handled with care. It contain -# run time modifications that can affect the use -# of ossec. Only change it if you know what you -# are doing. Again, look first at ossec.conf -# for most of the things you want to change. - - -# Analysisd default rule timeframe. -analysisd.default_timeframe=360 -# Analysisd stats maximum diff. -analysisd.stats_maxdiff=999000 -# Analysisd stats minimum diff. -analysisd.stats_mindiff=1250 -# Analysisd stats percentage (how much to differ from average) -analysisd.stats_percent_diff=150 -# Analysisd FTS list size. -analysisd.fts_list_size=32 -# Analysisd FTS minimum string size. -analysisd.fts_min_size_for_str=14 -# Analysisd Enable the firewall log (at logs/firewall/firewall.log) -# 1 to enable, 0 to disable. -analysisd.log_fw=1 -# Maximum number of fields in a decoder (order tag) -analysisd.decoder_order_size=10 - - -# Output GeoIP data at JSON alerts -analysisd.geoip_jsonout=0 - -# Logcollector file loop timeout (check every 2 seconds for file changes) -logcollector.loop_timeout=2 - -# Logcollector number of attempts to open a log file. -logcollector.open_attempts=8 - -# Logcollector - If it should accept remote commands from the manager -logcollector.remote_commands=0 - - - -# Remoted counter io flush. -remoted.recv_counter_flush=128 - -# Remoted compression averages printout. -remoted.comp_average_printout=19999 - -# Verify msg id (set to 0 to disable it) -remoted.verify_msg_id=1 - -# Don't exit when client.keys empty -remoted.pass_empty_keyfile=0 - -# Maild strict checking (0=disabled, 1=enabled) -maild.strict_checking=1 - -# Maild grouping (0=disabled, 1=enabled) -# Groups alerts within the same e-mail. -maild.groupping=1 - -# Maild full subject (0=disabled, 1=enabled) -maild.full_subject=0 - -# Maild display GeoIP data (0=disabled, 1=enabled) -maild.geoip=1 - - -# Monitord day_wait. Amount of seconds to wait before compressing/signing -# the files. -monitord.day_wait=10 - -# Monitord compress. (0=do not compress, 1=compress) -monitord.compress=1 - -# Monitord sign. (0=do not sign, 1=sign) -monitord.sign=1 - -# Monitord monitor_agents. (0=do not monitor, 1=monitor) -monitord.monitor_agents=1 - -# Monitord notify_time. Frequency of which the clients' availability needs -# to be checked. (60-3600) -monitord.notify_time=600 - -# Syscheck checking/usage speed. To avoid large cpu/memory -# usage, you can specify how much to sleep after generating -# the checksum of X files. The default is to sleep 2 seconds -# after reading 15 files. -syscheck.sleep=2 -syscheck.sleep_after=15 - -# Rootcheck checking/usage speed. Rootcheck will pause for this -# duration after scanning a PID or port. -rootcheck.sleep=2 - - -# Database - maximum number of reconnect attempts -dbd.reconnect_attempts=10 - - -# Debug options. -# Debug 0 -> no debug -# Debug 1 -> first level of debug -# Debug 2 -> full debugging - -# Windows debug (used by the windows agent) -windows.debug=0 - -# Syscheck (local, server and unix agent) -syscheck.debug=0 - -# Remoted (server debug) -remoted.debug=0 - -# Analysisd (server or local) -analysisd.debug=0 - -# Log collector (server, local or unix agent) -logcollector.debug=0 - -# Unix agentd -agent.debug=0 - - -# EOF diff --git a/debian/ossec-hids/var/ossec/etc/ossec-agent.conf b/debian/ossec-hids/var/ossec/etc/ossec-agent.conf deleted file mode 100644 index 83ba36b..0000000 --- a/debian/ossec-hids/var/ossec/etc/ossec-agent.conf +++ /dev/null @@ -1,68 +0,0 @@ - - - - - 192.168.10.100 - - - - - 7200 - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - - - /etc/ssl/private.key - - - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - - - syslog - /var/log/messages - - - - syslog - /var/log/authlog - - - - syslog - /var/log/secure - - - - syslog - /var/log/xferlog - - - - syslog - /var/log/maillog - - - - apache - /var/www/logs/access_log - - - - apache - /var/www/logs/error_log - - diff --git a/debian/ossec-hids/var/ossec/etc/ossec-local.conf b/debian/ossec-hids/var/ossec/etc/ossec-local.conf deleted file mode 100644 index 50bd4a2..0000000 --- a/debian/ossec-hids/var/ossec/etc/ossec-local.conf +++ /dev/null @@ -1,203 +0,0 @@ - - - - - yes - daniel.cid@example.com - smtp.example.com. - ossecm@ossec.example.com. - - - - rules_config.xml - pam_rules.xml - sshd_rules.xml - telnetd_rules.xml - syslog_rules.xml - arpwatch_rules.xml - symantec-av_rules.xml - symantec-ws_rules.xml - pix_rules.xml - named_rules.xml - smbd_rules.xml - vsftpd_rules.xml - pure-ftpd_rules.xml - proftpd_rules.xml - ms_ftpd_rules.xml - ftpd_rules.xml - hordeimp_rules.xml - roundcube_rules.xml - wordpress_rules.xml - cimserver_rules.xml - vpopmail_rules.xml - vmpop3d_rules.xml - courier_rules.xml - web_rules.xml - web_appsec_rules.xml - apache_rules.xml - nginx_rules.xml - php_rules.xml - mysql_rules.xml - postgresql_rules.xml - ids_rules.xml - squid_rules.xml - firewall_rules.xml - apparmor_rules.xml - cisco-ios_rules.xml - netscreenfw_rules.xml - sonicwall_rules.xml - postfix_rules.xml - sendmail_rules.xml - imapd_rules.xml - mailscanner_rules.xml - dovecot_rules.xml - ms-exchange_rules.xml - racoon_rules.xml - vpn_concentrator_rules.xml - spamd_rules.xml - msauth_rules.xml - mcafee_av_rules.xml - trend-osce_rules.xml - ms-se_rules.xml - - zeus_rules.xml - solaris_bsm_rules.xml - vmware_rules.xml - ms_dhcp_rules.xml - asterisk_rules.xml - ossec_rules.xml - attack_rules.xml - systemd_rules.xml - firewalld_rules.xml - dropbear_rules.xml - unbound_rules.xml - sysmon_rules.xml - opensmtpd_rules.xml - exim_rules.xml - openbsd-dhcpd_rules.xml - dnsmasq_rules.xml - local_rules.xml - - - - - 17200 - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - - - /etc/ssl/private.key - - - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - - - 127.0.0.1 - 192.168.2.1 - 192.168.2.190 - 192.168.2.32 - 192.168.2.10 - - - - 1 - 7 - - - - host-deny - host-deny.sh - srcip - yes - - - - firewall-drop - firewall-drop.sh - srcip - yes - - - - disable-account - disable-account.sh - user - yes - - - - - - - host-deny - local - 7 - 600 - - - - - firewall-drop - local - 7 - 600 - - - - - - syslog - /var/log/messages - - - - syslog - /var/log/authlog - - - - syslog - /var/log/secure - - - - syslog - /var/log/xferlog - - - - syslog - /var/log/maillog - - - - apache - /var/www/logs/access_log - - - - apache - /var/www/logs/error_log - - diff --git a/debian/ossec-hids/var/ossec/etc/ossec-server.conf b/debian/ossec-hids/var/ossec/etc/ossec-server.conf deleted file mode 100644 index fe59494..0000000 --- a/debian/ossec-hids/var/ossec/etc/ossec-server.conf +++ /dev/null @@ -1,213 +0,0 @@ - - - - - yes - daniel.cid@example.com - smtp.example.com. - ossecm@ossec.example.com. - - - - rules_config.xml - pam_rules.xml - sshd_rules.xml - telnetd_rules.xml - syslog_rules.xml - arpwatch_rules.xml - symantec-av_rules.xml - symantec-ws_rules.xml - pix_rules.xml - named_rules.xml - smbd_rules.xml - vsftpd_rules.xml - pure-ftpd_rules.xml - proftpd_rules.xml - ms_ftpd_rules.xml - ftpd_rules.xml - hordeimp_rules.xml - roundcube_rules.xml - wordpress_rules.xml - cimserver_rules.xml - vpopmail_rules.xml - vmpop3d_rules.xml - courier_rules.xml - web_rules.xml - web_appsec_rules.xml - apache_rules.xml - nginx_rules.xml - php_rules.xml - mysql_rules.xml - postgresql_rules.xml - ids_rules.xml - squid_rules.xml - firewall_rules.xml - apparmor_rules.xml - cisco-ios_rules.xml - netscreenfw_rules.xml - sonicwall_rules.xml - postfix_rules.xml - sendmail_rules.xml - imapd_rules.xml - mailscanner_rules.xml - dovecot_rules.xml - ms-exchange_rules.xml - racoon_rules.xml - vpn_concentrator_rules.xml - spamd_rules.xml - msauth_rules.xml - mcafee_av_rules.xml - trend-osce_rules.xml - ms-se_rules.xml - - zeus_rules.xml - solaris_bsm_rules.xml - vmware_rules.xml - ms_dhcp_rules.xml - asterisk_rules.xml - ossec_rules.xml - attack_rules.xml - dropbear_rules.xml - unbound_rules.xml - sysmon_rules.xml - opensmtpd_rules.xml - exim_rules.xml - openbsd-dhcpd_rules.xml - dnsmasq_rules.xml - local_rules.xml - - - - - - 72000 - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - - - /etc/ssl/private.key - - - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - - - 127.0.0.1 - ::1 - 192.168.2.1 - 192.168.2.190 - 192.168.2.32 - 192.168.2.10 - - - - secure - - - - 1 - 7 - - - - host-deny - host-deny.sh - srcip - yes - - - - firewall-drop - firewall-drop.sh - srcip - yes - - - - disable-account - disable-account.sh - user - yes - - - - - - - host-deny - local - 7 - 600 - - - - - firewall-drop - local - 7 - 600 - - - - - - syslog - /var/log/messages - - - - syslog - /var/log/authlog - - - - syslog - /var/log/secure - - - - syslog - /var/log/xferlog - - - - syslog - /var/log/maillog - - - - apache - /var/www/logs/access_log - - - - apache - /var/www/logs/error_log - - - - syslog - /var/log/exim_mainlog - - - diff --git a/debian/ossec-hids/var/ossec/etc/ossec.conf b/debian/ossec-hids/var/ossec/etc/ossec.conf deleted file mode 100644 index 07562bb..0000000 --- a/debian/ossec-hids/var/ossec/etc/ossec.conf +++ /dev/null @@ -1,158 +0,0 @@ - - - yes - root@localhost - 127.0.0.1 - ossecm@localhost - - - - rules_config.xml - pam_rules.xml - sshd_rules.xml - telnetd_rules.xml - syslog_rules.xml - arpwatch_rules.xml - symantec-av_rules.xml - symantec-ws_rules.xml - pix_rules.xml - named_rules.xml - smbd_rules.xml - vsftpd_rules.xml - pure-ftpd_rules.xml - proftpd_rules.xml - ms_ftpd_rules.xml - ftpd_rules.xml - hordeimp_rules.xml - roundcube_rules.xml - wordpress_rules.xml - vpopmail_rules.xml - vmpop3d_rules.xml - courier_rules.xml - web_rules.xml - apache_rules.xml - nginx_rules.xml - php_rules.xml - mysql_rules.xml - postgresql_rules.xml - ids_rules.xml - squid_rules.xml - firewall_rules.xml - cisco-ios_rules.xml - netscreenfw_rules.xml - sonicwall_rules.xml - postfix_rules.xml - sendmail_rules.xml - imapd_rules.xml - mailscanner_rules.xml - dovecot_rules.xml - ms-exchange_rules.xml - racoon_rules.xml - vpn_concentrator_rules.xml - spamd_rules.xml - msauth_rules.xml - mcafee_av_rules.xml - trend-osce_rules.xml - - zeus_rules.xml - solaris_bsm_rules.xml - vmware_rules.xml - ms_dhcp_rules.xml - asterisk_rules.xml - ossec_rules.xml - attack_rules.xml - local_rules.xml - - - - - 79200 - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin - - - /etc/mtab - /etc/mnttab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/cis_debian_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt - - - - yes - - - - 1 - 7 - - - - - syslog - /var/log/messages - - - - syslog - /var/log/auth.log - - - - syslog - /var/log/syslog - - - - syslog - /var/log/xferlog - - - - syslog - /var/log/vsftpd.log - - - - syslog - /var/log/mail.info - - - - syslog - /var/log/mail.log - - - - syslog - /var/log/dpkg.log - - - - apache - /var/log/apache2/error.log - - - - apache - /var/log/apache2/access.log - - diff --git a/debian/ossec-hids/var/ossec/etc/shared/acsc_office2016_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/acsc_office2016_rcl.txt deleted file mode 100644 index f5e0e3d..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/acsc_office2016_rcl.txt +++ /dev/null @@ -1,427 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# Hardening Checks for Microsoft Office 2016 -# Based on Australian Cyper Security Centre Hardening Microsoft Office Guide - May 2018 (https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf) -# -# -#7 Ensure Attack Surface Reduction is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7 Ensure Attack Surface Reduction is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> !ExploitGuard_ASR_Rules; -# -# -#7a Ensure 'Block executable content from email client and webmail' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7a Ensure 'Block executable content from email client and webmail' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550; -# -# -#7b Ensure 'block Office applications from creating child processes' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7b Ensure 'block Office applications from creating child processes' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D4F940AB-401B-4EFC-AADC-AD5F3C50688A; -# -# -#7c Ensure 'block Office applications from creating executable content' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7c Ensure 'block Office applications from creating executable content' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !3B576869-A4EC-4529-8536-B80A7769E899; -# -# -#7d Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7d Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84; -# -# -#7e Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7e Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D3E037E1-3EB8-44C8-A917-57927947596D; -# -# -#7f Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7f Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !5BEB7EFE-FD9A-4556-801D-275E5FFC04CC; -# -# -#7g Ensure 'block Win32 API calls from Office macro' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 7g Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B; -# -# -#17 Ensure 'Disable All Active X' is set to 'Enabled' -[ACSC - Microsoft Office 2016 - 17 Ensure 'Disable All Active X' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> !disableallactivex; -# -# -#19a Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Excel -[ACSC - Microsoft Office 2016 - 19a Ensure'Block all unmanaged add-ins' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> !restricttolist; -# -# -#19b Ensure 'List of managed add-ins' is set to 'Enabled' for Excel -[ACSC - Microsoft Office 2016 - 19b Ensure 'List of managed add-ins' is set to 'Enabled'] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> !policyon; -# -# -#19c Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Excel -[ACSC - Microsoft Office 2016 - 19c Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> !restricttolist; -# -# -#19d Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint -[ACSC - Microsoft Office 2016 - 19d Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> !policyon; -# -# -#19e Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Word -[ACSC - Microsoft Office 2016 - 19e Ensure'Block all unmanaged add-ins' is set to 'Enabled' for Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> !restricttolist; -# -# -#19f Ensure 'List of managed add-ins' is set to 'Enabled' for Word -[ACSC - Microsoft Office 2016 - 19f Ensure 'List of managed add-ins' is set to 'Enabled' for Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> !policyon; -# -# -#21 Ensure if Extension Hardening functionality in Microsoft Excel is enabled -[ACSC - Microsoft Office 2016 - 21 Ensure if Extension Hardening functionality in Microsoft Excel is enabled] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> !extensionhardening; -# -# -#23a Ensure dBase III / IV files are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23a Ensure dBase III / IV files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !dbasefiles; -# -# -#23b Ensure Dif and Sylk files are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23b Ensure Dif and Sylk files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !difandsylkfiles; -# -# -#23c Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23c Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl2macros; -# -# -#23d Ensure Excel 2 worksheets are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23d Ensure Excel 2 worksheets are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl2worksheets; -# -# -#23e Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23e Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl3macros; -# -# -#23f Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23f Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl3worksheets; -# -# -#23g Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Escel -[ACSC - Microsoft Office 2016 - 23g Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4macros; -# -# -#23h Ensure Excel 4 workbooks are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23h Ensure Excel 4 workbooks are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4workbooks; -# -# -#23i Ensure Excel 4 worksheets are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23i Ensure Excel 4 worksheets are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4worksheets; -# -# -#23j Ensure Excel 95 workbooks are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23j Ensure Excel 95 workbooks are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl95workbooks; -# -# -#23k Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23k Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl9597workbooksandtemplates; -# -# -#23l Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel -[ACSC - Microsoft Office 2016 - l Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !openinprotectedview; -# -# -#23m Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel -[ACSC - Microsoft Office 2016 - 23m Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !htmlandxmlssfiles; -# -# -#23n Ensure PowerPoint beta converters are blocked in Microsoft PowerPoint -[ACSC - Microsoft Office 2016 - 23n Ensure PowerPoint beta converters are blocked in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> !powerpoint12betafilesfromconverters; -# -# -#23o Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint -[ACSC - Microsoft Office 2016 - 23o Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> !openinprotectedview; -# -# -#23p Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word -[ACSC - Microsoft Office 2016 - 23p Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !openinprotectedview; -# -# -#23q Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word -[ACSC - Microsoft Office 2016 - 23q Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> !2; -# -# -#23r Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word -[ACSC - Microsoft Office 2016 - 23r Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word60files; -# -# -#23s Ensure Word 95 binary documents and templates are blocked in Microsoft Word -[ACSC - Microsoft Office 2016 - 23s Ensure Word 95 binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word95files; -# -# -#23t Ensure Word 97 binary documents and templates are blocked in Microsoft Word -[ACSC - Microsoft Office 2016 - 23t Ensure Word 97 binary documents and templates are blocked in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> !2; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word97files; -# -# -#25a Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint -[ACSC - Microsoft Office 2016 - 25a Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> !markupopensave; -# -# -#25b Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word -[ACSC - Microsoft Office 2016 - 25b Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> !showmarkupopensave; -# -# -#27a Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office -[ACSC - Microsoft Office 2016 - 27a Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> !disablereporting; -# -# -#27b Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel -[ACSC - Microsoft Office 2016 - 27b Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> !enableonload; -# -# -#27c Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint -[ACSC - Microsoft Office 2016 - 27c Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> !enableonload; -# -# -#27d Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word -[ACSC - Microsoft Office 2016 - 27d Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> !enableonload; -# -# -#29a Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel -[ACSC - Microsoft Office 2016 - 29a Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableinternetfilesinpv; -# -# -#29b Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel -[ACSC - Microsoft Office 2016 - 29b Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableunsafelocationsinpv; -# -# -#29c Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel -[ACSC - Microsoft Office 2016 - 29c Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> !openinprotectedview; -# -# -#29d Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel -[ACSC - Microsoft Office 2016 - 29d Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableattachmentsinpv; -# -# -#29e Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint -[ACSC - Microsoft Office 2016 - 29e Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableinternetfilesinpv; -# -# -#29f Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint -[ACSC - Microsoft Office 2016 - 29f Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableunsafelocationsinpv; -# -# -#29g Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint -[ACSC - Microsoft Office 2016 - 29g Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> !openinprotectedview; -# -# -#29h Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint -[ACSC - Microsoft Office 2016 - 29h Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableattachmentsinpv; -# -# -#29i Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word -[ACSC - Microsoft Office 2016 - 29i Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv; -# -# -#29j Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word -[ACSC - Microsoft Office 2016 - 29j Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> !disableunsafelocationsinpv; -# -# -#29k Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word -[ACSC - Microsoft Office 2016 - 29k Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> !openinprotectedview; -# -# -#29l Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word -[ACSC - Microsoft Office 2016 - 29l Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> !disableattachmentsinpv; -# -# -#31a Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel -[ACSC - Microsoft Office 2016 - 31a Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> !disabletrusteddocuments; -# -# -#31b Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel -[ACSC - Microsoft Office 2016 - 31b Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> !disablenetworktrusteddocuments; -# -# -#31c Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint -[ACSC - Microsoft Office 2016 - 31c Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> disabletrusteddocuments -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> !disabletrusteddocuments; -# -# -#31d Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint -[ACSC - Microsoft Office 2016 - 31d Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> disablenetworktrusteddocuments -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> !disablenetworktrusteddocuments; -# -# -#31e Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word -[ACSC - Microsoft Office 2016 - 31e Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> !disabletrusteddocuments; -# -# -#31f Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word -[ACSC - Microsoft Office 2016 - 31f Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> !disablenetworktrusteddocuments; -# -# -#34a Ensure Allow including screenshot with Office Feedback is set to 'Disabled' in Microsoft Office -[ACSC - Microsoft Office 2016 - 34a Ensure Allow including screenshot with Office Feedback is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> !includescreenshot; -# -# -#34b Ensure Automatically receive small updates to improve reliability is set to 'Disabled' in Microsoft Office -[ACSC - Microsoft Office 2016 - 34b Ensure Automatically receive small updates to improve reliability is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !updatereliabilitydata; -# -# -#34c Ensure Disable Opt-in Wizard on first run is set to 'Enabled' in Microsoft Office -[ACSC - Microsoft Office 2016 - 34c Ensure Disable Opt-in Wizard on first run is set to 'Enabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> !1; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> !shownfirstrunoptin; -# -# -#34d Ensure Enable Customer Experience Improvement Program is set to 'Disabled' in Microsoft Office -[ACSC - Microsoft Office 2016 - 34d Ensure Enable Customer Experience Improvement Program is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !qmenable; -# -# -#34e Ensure Page Send Office Feedback is set to 'Disabled' in Microsoft Office -[ACSC - Microsoft Office 2016 - 34e Ensure Page Send Office Feedback is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> !enabled; -# -# -#34f Ensure Send personal information is set to 'Disabled' in Microsoft Office -[ACSC - Microsoft Office 2016 - 34f Ensure Send personal information is set to 'Disabled' in Microsoft Office] [any] [https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf] -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> !0; -r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !sendcustomerdata; -# -# -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_apache2224_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_apache2224_rcl.txt deleted file mode 100644 index 417e5b4..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_apache2224_rcl.txt +++ /dev/null @@ -1,505 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry , use "->" to look for a specific entry and another -# "->" to look for the value. -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Apache Https Server -# Based on Center for Internet Security Benchmark for Apache HttpSserver 2.4 v1.3.1 and Apache HttpsServer 2.2 v3.4.1 (https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308) -# -# -$main-conf=/etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf; -$conf-dirs=/etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled,/etc/httpd/conf.d,/etc/httpd/modsecurity.d; -$ssl-confs=/etc/apache2/mods-enabled/ssl.conf,/etc/httpd/conf.d/ssl.conf; -$mods-en=/etc/apache2/mods-enabled; -$request-confs=/etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf; -$traceen=/etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf,/etc/apache2/conf-enabled/security.conf; -# -# -#2.3 Disable WebDAV Modules -[CIS - Apache Configuration - 2.3: WebDAV Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sdav; -d:$conf-dirs -> load -> !r:^# && r:loadmodule\sdav; -f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav; -d:$mods-en -> dav.load; -# -# -#2.4 Disable Status Module -[CIS - Apache Configuration - 2.4: Status Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sstatus; -d:$conf-dirs -> load -> !r:^# && r:loadmodule\sstatus; -f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sstatus; -d:$mods-en -> status.load; -# -# -#2.5 Disable Autoindex Module -[CIS - Apache Configuration - 2.5: Autoindex Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sautoindex; -d:$conf-dirs -> load -> !r:^# && r:loadmodule\sautoindex; -f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sautoindex; -d:$mods-en -> autoindex.load; -# -# -#2.6 Disable Proxy Modules -[CIS - Apache Configuration - 2.6: Proxy Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sproxy; -d:$conf-dirs -> load -> !r:^# && r:loadmodule\sproxy; -f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sproxy; -d:$mods-en -> proxy.load; -# -# -#2.7 Disable User Directories Modules -[CIS - Apache Configuration - 2.7: User Directories Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:loadmodule\suserdir; -d:$conf-dirs -> load -> !r:^# && r:loadmodule\suserdir; -f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\suserdir; -d:$mods-en -> userdir.load; -# -# -#2.8 Disable Info Module -[CIS - Apache Configuration - 2.8: Info Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo; -d:$conf-dirs -> load -> !r:^# && r:loadmodule\sinfo; -d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo; -d:$mods-en -> info.load; -# -# -#3.2 Give the Apache User Account an Invalid Shell -[CIS - Apache Configuration - 3.2: Apache User Account has got a valid shell] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/passwd -> r:/var/www && !r:\.*/bin/false$|/sbin/nologin$; -# -# -#3.3 Lock the Apache User Account -[CIS - Apache Configuration - 3.3: Lock the Apache User Account] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/shadow -> r:^daemon|^wwwrun|^www-data|^apache && !r:\p!\.*$; -# -# -#4.4 Restrict Override for All Directories -[CIS - Apache Configuration - 4.4: Restrict Override for All Directories] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && !r:\w+ && r:allowoverride && !r:none$; -d:$conf-dirs -> conf -> !r:^# && !r:\w+ && r:allowoverridelist; -f:$main-conf -> !r:^# && !r:\w+ && r:allowoverride && !r:none$; -f:$main-conf -> !r:^# && !r:\w+ && r:allowoverridelist; -# -# -#5.3 Minimize Options for Other Directories -[CIS - Apache Configuration - 5.3: Minimize Options for other directories] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:options\sincludes; -f:$main-conf -> !r:^# && r:options\sincludes; -# -# -#5.4.1 Remove default index.html sites -[CIS - Apache Configuration - 5.4.1: Remove default index.html sites] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:/var/www -> index.html; -d:/var/www/html -> index.html; -# -# -#5.4.2 Remove the Apache user manual -[CIS - Apache Configuration - 5.4.2: Remove the Apache user manual] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:/etc/httpd/conf.d -> manual.conf; -d:/etc/apache2/conf-enabled -> apache2-doc.conf; -# -# -#5.4.5 Verify that no Handler is enabled -[CIS - Apache Configuration - 5.4.5: A Handler is configured] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:/wsethandler; -f:$main-conf -> !r:^# && r:/wsethandler; -# -# -#5.5 Remove default CGI content printenv -[CIS - Apache Configuration - 5.5: Remove default CGI content printenv] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:/var/www/cgi-bin -> printenv; -d:/usr/lib/cgi-bin -> printenv; -# -# -#5.6 Remove default CGI content test-cgi -[CIS - Apache Configuration - 5.6: Remove default CGI content test-cgi] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:/var/www/cgi-bin -> test-cgi; -d:/usr/lib/cgi-bin -> test-cgi; -# -# -#5.7 Limit HTTP Request Method -[CIS - Apache Configuration - 5.7: Disable HTTP Request Method] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:; -# -# -#5.8 Disable HTTP Trace Method -[CIS - Apache Configuration - 5.8: Disable HTTP Trace Method] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$traceen -> !r:^# && r:traceenable\s+on\s*$; -# -# -#5.9 Restrict HTTP Protocol Versions -[CIS - Apache Configuration - 5.9: Restrict HTTP Protocol Versions] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite; -d:$mods-en -> !f:rewrite.load; -f:$main-conf -> !r:rewriteengine\son; -f:$main-conf -> !r:rewritecond && !r:%{THE_REQUEST} && !r:!HTTP/1\\.1\$; -f:$main-conf -> !r:rewriterule && !r:.* - [F]; -# -# -#5.12 Deny IP Address Based Requests -[CIS - Apache Configuration - 5.12: Deny IP Address Based Requests] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite; -d:$mods-en -> !f:rewrite.load; -f:$main-conf -> !r:rewriteengine\son; -f:$main-conf -> !r:rewritecond && !r:%{HTTP_HOST} && !r:www\\.\w+\\.\w+ [NC]$; -f:$main-conf -> !r:rewritecond && !r:%{REQUEST_URI} && !r:/error [NC]$; -f:$main-conf -> !r:rewriterule && !r:.\(.*\) - [L,F]$; -# -# -#5.13 Restrict Listen Directive -[CIS - Apache Configuration - 5.13: Restrict Listen Directive] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:listen\s80$; -d:$conf-dirs -> conf -> !r:^# && r:listen\s0.0.0.0\p80; -d:$conf-dirs -> conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p80; -f:$main-conf -> !r:^# && r:listen\s80$; -f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p\d*; -f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*; -f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s80$; -f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s0.0.0.0\p\d*; -f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*; -f:/etc/apache2/ports.conf -> !r:^# && r:listen\s80$; -f:/etc/apache2/ports.conf -> !r:^# && r:listen\s0.0.0.0\p\d*; -f:/etc/apache2/ports.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*; -# -# -#5.14 Restrict Browser Frame Options -[CIS - Apache Configuration - 5.14: Restrict Browser Frame Options] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:header\salways\sappend\sx-frame-options && !r:sameorigin|deny; -# -# -#6.1 Configure the Error Log to notice at least -[CIS - Apache Configuration - 6.1: Configure the Error Log to notice at least] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice; -f:$main-conf -> !r:loglevel\snotice\score\p && !r:info|debug; -# -# -#6.2 Configure a Syslog facility for Error Log -[CIS - Apache Configuration - 6.2: Configure a Syslog facility for Error Log] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:errorlog\s+\p*syslog\p\.*\p*; -# -# -#7.6 Disable SSL Insecure Renegotiation -[CIS - Apache Configuration - 7.6: Disable SSL Insecure Renegotiation] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on\s*; -f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s*$; -# -# -#7.7 Ensure SSL Compression is not enabled -[CIS - Apache Configuration - 7.7: Ensure SSL Compression is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+on\s*; -f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s*$; -# -# -#7.8 Disable SSL TLS v1.0 Protocol -[CIS - Apache Configuration - 7.8: Disable insecure TLS Protocol] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$ssl-confs -> !r:^\t*\s*sslprotocol; -f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+all; -f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*tlsv1\P\s*; -f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*sslv2\P\s*; -f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*sslv3\P\s*; -# -# -#7.9 Enable OCSP Stapling -[CIS - Apache Configuration - 7.9: Enable OCSP Stapling] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+ssl; -d:$mods-en -> !f:ssl.load; -f:$ssl-confs -> !r:\t*\s*# && r:sslusestapling\s+off; -f:$ssl-confs -> !r:\t*\s*sslusestapling\s+on; -f:$ssl-confs -> !r:\t*\s*sslstaplingcache\s+\.+; -# -# -#7.10 Enable HTTP Strict Transport Security -[CIS - Apache Configuration - 7.10: Enable HTTP Strict Transport Security] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/apache2/apache2.conf -> !r:Header\salways\sset\sStrict-Transport-Security\s"max-age=\d\d\d\d*"; -f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=1\d\d"; -f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=2\d\d"; -f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=3\d\d"; -f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=4\d\d"; -f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=5\d\d"; -# -# -#8.1 Set ServerToken to Prod or ProductOnly -[CIS - Apache Configuration - 8.1: Set ServerToken to Prod or ProductOnly] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+major; -d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minor; -d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+min; -d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minimal; -d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+os; -d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+full; -# -# -#8.2: Set ServerSignature to Off -[CIS - Apache Configuration - 8.2: Set ServerSignature to Off] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^# && r:serversignature\s+email; -d:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on; -# -# -#8.3: Prevent Information Leakage via Default Apache Content -[CIS - Apache Configuration - 8.3: Prevent Information Leakage via Default Apache Content] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -d:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf; -d:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*; -# -# -#9.1:Set TimeOut to 10 or less -[CIS - Apache Configuration - 9.1: Set TimeOut to 10 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^# && r:timeout\s+9\d; -f:$main-conf -> !r:^# && r:timeout\s+8\d; -f:$main-conf -> !r:^# && r:timeout\s+7\d; -f:$main-conf -> !r:^# && r:timeout\s+6\d; -f:$main-conf -> !r:^# && r:timeout\s+5\d; -f:$main-conf -> !r:^# && r:timeout\s+4\d; -f:$main-conf -> !r:^# && r:timeout\s+3\d; -f:$main-conf -> !r:^# && r:timeout\s+2\d; -f:$main-conf -> !r:^# && r:timeout\s+11; -f:$main-conf -> !r:^# && r:timeout\s+12; -f:$main-conf -> !r:^# && r:timeout\s+13; -f:$main-conf -> !r:^# && r:timeout\s+14; -f:$main-conf -> !r:^# && r:timeout\s+15; -f:$main-conf -> !r:^# && r:timeout\s+16; -f:$main-conf -> !r:^# && r:timeout\s+17; -f:$main-conf -> !r:^# && r:timeout\s+18; -f:$main-conf -> !r:^# && r:timeout\s+19; -f:$main-conf -> !r:^timeout\s+\d\d*; -f:$main-conf -> !r:^# && r:timeout\s+\d\d\d+; -# -# -#9.2:Set the KeepAlive directive to On -[CIS - Apache Configuration - 9.2: Set the KeepAlive directive to On] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^# && r:keepalive\s+off; -f:$main-conf -> !r:keepalive\s+on; -# -# -#9.3:Set MaxKeepAliveRequests to 100 or greater -[CIS - Apache Configuration - 9.3: Set MaxKeepAliveRequest to 100 or greater] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^maxkeepaliverequests\s+\d\d\d+; -# -# -#9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service -[CIS - Apache Configuration - 9.4: Set KeepAliveTimeout Low] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:keepalivetimeout\s+\d\d*; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+16; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+17; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+18; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+19; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+2\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+3\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+4\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+5\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+6\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+7\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+8\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+9\d; -f:$main-conf -> !r:^# && r:keepalivetimeout\s+\d\d\d+; -# -# -#9.5 Set Timeout Limits for Request Headers -[CIS - Apache Configuration - 9.5: Set Timeout Limits for Request Headers] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout; -d:$mods-en -> !f:reqtimeout.load; -f:$request-confs -> !r:^\t*\s*requestreadtimeout\.+header\p\d\d*\D\d\d*; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D41; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D42; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D43; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D44; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D45; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D46; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D47; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D48; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D49; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D5\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D6\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D7\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D8\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D9\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D\d\d\d+; -# -# -#9.6 Set Timeout Limits for Request Body -[CIS - Apache Configuration - 9.6: Set Timeout Limits for Request Body] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout; -d:$mods-en -> !f:reqtimeout.load; -f:$request-confs -> !r:\t*\s*requestreadtimeout\.+body\p\d\d*; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p21; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p22; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p23; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p24; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p25; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p26; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p27; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p28; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p29; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p3\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p4\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p5\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p6\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p7\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p8\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p9\d; -f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p\d\d\d+; -# -# -#10.1 Set the LimitRequestLine directive to 512 or less -[CIS - Apache Configuration - 10.1: Set LimitRequestLine to 512 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^limitrequestline\s+\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\13; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\14; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\15; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\16; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\17; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\18; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\19; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\2\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\3\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\4\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\5\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\6\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\7\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\8\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+5\9\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+6\d\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+7\d\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+8\d\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+9\d\d; -f:$main-conf -> !r:^# && r:limitrequestline\s+\d\d\d\d+; -# -# -#10.2 Set the LimitRequestFields directive to 100 or less -[CIS - Apache Configuration - 10.2: Set LimitRequestFields to 100 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^limitrequestfields\s\d\d*; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d1; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d2; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d3; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d4; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d5; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d6; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d7; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d8; -f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d9; -f:$main-conf -> !r:^# && r:limitrequestfields\s+11\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+12\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+13\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+14\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+15\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+16\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+17\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+18\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+19\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+2\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+3\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+4\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+5\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+6\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+7\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+8\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+9\d\d; -f:$main-conf -> !r:^# && r:limitrequestfields\s+\d\d\d\d+; -# -# -#10.3 Set the LimitRequestFieldsize directive to 1024 or less -[CIS - Apache Configuration - 10.3: Set LimitRequestFieldsize to 1024 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^limitrequestfieldsize\s+\d\d*; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d25; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d26; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d27; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d28; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d29; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d3\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d4\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d5\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d6\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d7\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d8\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d9\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+11\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+12\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+13\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+14\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+15\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+16\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+17\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+18\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+19\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+2\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+3\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+4\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+5\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+6\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+7\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+8\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+9\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+\d\d\d\d\d+; -# -# -#10.4 Set the LimitRequestBody directive to 102400 or less -[CIS - Apache Configuration - 10.4: Set LimitRequestBody to 102400 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308] -f:$main-conf -> !r:^limitrequestbody\s+\d\d*; -f:$main-conf -> !r:^# && r:limitrequestbody\s+0\s*$; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d1; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d2; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d3; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d4; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d5; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d6; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d7; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d8; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d9; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d241\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d242\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d243\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d244\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d245\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d246\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d247\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d248\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d249\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d25\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d26\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d27\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d28\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d29\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d3\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d4\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d5\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d6\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d7\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d8\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d9\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+11\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+12\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+13\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+14\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+15\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+16\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+17\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+18\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+19\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+2\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+3\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+4\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+5\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+6\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+7\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+8\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+9\d\d\d\d\d; -f:$main-conf -> !r:^# && r:limitrequestbody\s+\d\d\d\d\d\d\d+; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_debian_linux_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_debian_linux_rcl.txt deleted file mode 100644 index 0cfd9a0..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_debian_linux_rcl.txt +++ /dev/null @@ -1,196 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry , use "->" to look for a specific entry and another -# "->" to look for the value. -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Debian/Ubuntu -# Based on Center for Internet Security Benchmark for Debian Linux v1.0 - -# Main one. Only valid for Debian/Ubuntu. -[CIS - Testing against the CIS Debian Linux Benchmark v1.0] [all required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/debian_version; -f:/proc/sys/kernel/ostype -> Linux; - - -# Section 1.4 - Partition scheme. -[CIS - Debian Linux - 1.4 - Robust partition scheme - /tmp is not on its own partition {CIS: 1.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:/tmp; - -[CIS - Debian Linux - 1.4 - Robust partition scheme - /opt is not on its own partition {CIS: 1.4 Debian Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/opt; -f:/etc/fstab -> !r:/opt; - -[CIS - Debian Linux - 1.4 - Robust partition scheme - /var is not on its own partition {CIS: 1.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:/var; - - -# Section 2.3 - SSH configuration -[CIS - Debian Linux - 2.3 - SSH Configuration - Protocol version 1 enabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; - -[CIS - Debian Linux - 2.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; - -[CIS - Debian Linux - 2.3 - SSH Configuration - Empty passwords permitted {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; - -[CIS - Debian Linux - 2.3 - SSH Configuration - Host based authentication enabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; - -[CIS - Debian Linux - 2.3 - SSH Configuration - Root login allowed {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; - - -# Section 2.4 Enable system accounting -#[CIS - Debian Linux - 2.4 - System Accounting - Sysstat not installed {CIS: 2.4 Debian Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -#f:!/etc/default/sysstat; -#f:!/var/log/sysstat; - -#[CIS - Debian Linux - 2.4 - System Accounting - Sysstat not enabled {CIS: 2.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -#f:!/etc/default/sysstat; -#f:/etc/default/sysstat -> !r:^# && r:ENABLED="false"; - - -# Section 2.5 Install and run Bastille -#[CIS - Debian Linux - 2.5 - System harderning - Bastille is not installed {CIS: 2.5 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -#f:!/etc/Bastille; - - -# Section 2.6 Ensure sources.list Sanity -[CIS - Debian Linux - 2.6 - Sources list sanity - Security updates not enabled {CIS: 2.6 Debian Linux} {PCI_DSS: 6.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:!/etc/apt/sources.list; -f:!/etc/apt/sources.list -> !r:^# && r:http://security.debian|http://security.ubuntu; - - -# Section 3 - Minimize inetd services -[CIS - Debian Linux - 3.3 - Telnet enabled on inetd {CIS: 3.3 Debian Linux} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inetd.conf -> !r:^# && r:telnet; - -[CIS - Debian Linux - 3.4 - FTP enabled on inetd {CIS: 3.4 Debian Linux} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inetd.conf -> !r:^# && r:/ftp; - -[CIS - Debian Linux - 3.5 - rsh/rlogin/rcp enabled on inetd {CIS: 3.5 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inetd.conf -> !r:^# && r:shell|login; - -[CIS - Debian Linux - 3.6 - tftpd enabled on inetd {CIS: 3.6 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inetd.conf -> !r:^# && r:tftp; - -[CIS - Debian Linux - 3.7 - imap enabled on inetd {CIS: 3.7 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inetd.conf -> !r:^# && r:imap; - -[CIS - Debian Linux - 3.8 - pop3 enabled on inetd {CIS: 3.8 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inetd.conf -> !r:^# && r:pop; - -[CIS - Debian Linux - 3.9 - Ident enabled on inetd {CIS: 3.9 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inetd.conf -> !r:^# && r:ident; - - -# Section 4 - Minimize boot services -[CIS - Debian Linux - 4.1 - Disable inetd - Inetd enabled but no services running {CIS: 4.1 Debian Linux} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -p:inetd; -f:!/etc/inetd.conf -> !r:^# && r:wait; - -[CIS - Debian Linux - 4.3 - GUI login enabled {CIS: 4.3 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/inittab -> !r:^# && r:id:5; - -[CIS - Debian Linux - 4.6 - Disable standard boot services - Samba Enabled {CIS: 4.6 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/samba; - -[CIS - Debian Linux - 4.7 - Disable standard boot services - NFS Enabled {CIS: 4.7 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/nfs-common; -f:/etc/init.d/nfs-user-server; -f:/etc/init.d/nfs-kernel-server; - -[CIS - Debian Linux - 4.9 - Disable standard boot services - NIS Enabled {CIS: 4.9 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/nis; - -[CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/apache; -f:/etc/init.d/apache2; - -[CIS - Debian Linux - 4.15 - Disable standard boot services - DNS server Enabled {CIS: 4.15 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/bind; - -[CIS - Debian Linux - 4.16 - Disable standard boot services - MySQL server Enabled {CIS: 4.16 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/mysql; - -[CIS - Debian Linux - 4.16 - Disable standard boot services - PostgreSQL server Enabled {CIS: 4.16 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/postgresql; - -[CIS - Debian Linux - 4.17 - Disable standard boot services - Webmin Enabled {CIS: 4.17 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/webmin; - -[CIS - Debian Linux - 4.18 - Disable standard boot services - Squid Enabled {CIS: 4.18 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/init.d/squid; - - -# Section 5 - Kernel tuning -[CIS - Debian Linux - 5.1 - Network parameters - Source routing accepted {CIS: 5.1 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; - -[CIS - Debian Linux - 5.1 - Network parameters - ICMP broadcasts accepted {CIS: 5.1 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; - -[CIS - Debian Linux - 5.2 - Network parameters - IP Forwarding enabled {CIS: 5.2 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/proc/sys/net/ipv4/ip_forward -> 1; -f:/proc/sys/net/ipv6/ip_forward -> 1; - - -# Section 7 - Permissions -[CIS - Debian Linux - 7.1 - Partition /var without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev; - -[CIS - Debian Linux - 7.1 - Partition /tmp without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev; - -[CIS - Debian Linux - 7.1 - Partition /opt without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev; - -[CIS - Debian Linux - 7.1 - Partition /home without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ; - -[CIS - Debian Linux - 7.2 - Removable partition /media without 'nodev' set {CIS: 7.2 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nodev; - -[CIS - Debian Linux - 7.2 - Removable partition /media without 'nosuid' set {CIS: 7.2 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; - -[CIS - Debian Linux - 7.3 - User-mounted removable partition /media {CIS: 7.3 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && r:user; - - -# Section 8 - Access and authentication -[CIS - Debian Linux - 8.8 - LILO Password not set {CIS: 8.8 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/lilo.conf -> !r:^# && !r:restricted; -f:/etc/lilo.conf -> !r:^# && !r:password=; - -[CIS - Debian Linux - 8.8 - GRUB Password not set {CIS: 8.8 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/boot/grub/menu.lst -> !r:^# && !r:password; - -[CIS - Debian Linux - 9.2 - Account with empty password present {CIS: 9.2 Debian Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/shadow -> r:^\w+::; - -[CIS - Debian Linux - 13.11 - Non-root account with uid 0 {CIS: 13.11 Debian Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt deleted file mode 100644 index a71868e..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt +++ /dev/null @@ -1,686 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# Level 1 CIS Checks for Debian Linux 7 and Debian Linux 8 -# Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81) -# -$rc_dirs=/etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d; -$rsyslog_files=/etc/rsyslog.conf,/etc/rsyslog.d/*; -$profiledfiles=/etc/profile.d/*; -$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/; -# -# -#2.1 Create Separate Partition for /tmp -[CIS - Debian Linux 7/8 - 2.1 Create Separate Partition for /tmp] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/tmp; -# -# -#2.2 Set nodev option for /tmp Partition -[CIS - Debian Linux 7/8 - 2.2 Set nodev option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nodev; -# -# -#2.3 Set nosuid option for /tmp Partition -[CIS - Debian Linux 7/8 - 2.3 Set nosuid option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nosuid; -# -# -#2.4 Set noexec option for /tmp Partition -[CIS - Debian Linux 7/8 - 2.4 Set noexec option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*noexec; -# -# -#2.5 Create Separate Partition for /var -[CIS - Debian Linux 7/8 - 2.5 Create Separate Partition for /var] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/var; -# -# -#2.6 Bind Mount the /var/tmp directory to /tmp -[CIS - Debian Linux 7/8 - 2.6 Bind Mount the /var/tmp directory to /tmp] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0; -# -# -#2.7 Create Separate Partition for /var/log -[CIS - Debian Linux 7/8 - 2.7 Create Separate Partition for /var/log] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/var/log; -# -# -#2.8 Create Separate Partition for /var/log/audit -[CIS - Debian Linux 7/8 - 2.8 Create Separate Partition for /var/log/audit] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/var/log/audit; -# -# -#2.9 Create Separate Partition for /home -[CIS - Debian Linux 7/8 - 2.9 Create Separate Partition for /home] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/home; -# -# -#2.10 Add nodev Option to /home -[CIS - Debian Linux 7/8 - 2.10 Add nodev Option to /home] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/home\s+\w+\s+\.*nodev; -# -# -#2.11 Add nodev Option to Removable Media Partitions -[CIS - Debian Linux 7/8 - 2.11 Add nodev Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nodev; -# -# -#2.12 Add noexec Option to Removable Media Partitions -[CIS - Debian Linux 7/8 - 2.12 Add noexec Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*noexec; -# -# -#2.13 Add nosuid Option to Removable Media Partitions -[CIS - Debian Linux 7/8 - 2.13 Add nosuid Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nosuid; -# -# -#2.14 Add nodev Option to /run/shm Partition -[CIS - Debian Linux 7/8 - 2.14 Add nodev Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nodev; -# -# -#2.15 Add nosuid Option to /run/shm Partition -[CIS - Debian Linux 7/8 - 2.15 Add nosuid Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nosuid; -# -# -#2.16 Add noexec Option to /run/shm Partition -[CIS - Debian Linux 7/8 - 2.16 Add noexec Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*noexec; -# -# -#2.25 Disable Automounting -[CIS - Debian Linux 7/8 - 2.25 Disable Automounting] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:autofsc; -# -# -#3.3 Set Boot Loader Password -[CIS - Debian Linux 7/8 - 3.3 Set Boot Loader Password] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/boot/grub/grub.cfg -> !r:^set superusers; -f:/boot/grub/grub.cfg -> !r:^password; -f:/etc/grub.d -> !r:^set superusers; -f:/etc/grub.d -> !r:^password; -# -# -#3.4 Require Authentication for Single-User Mode -[CIS - Debian Linux 7/8 - 3.4 Require Authentication for Single-User Mode] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/shadow -> r:^root:!:; -f:/etc/shadow -> r:^root:*:; -f:/etc/shadow -> r:^root:*!:; -f:/etc/shadow -> r:^root:!*:; -# -# -#4.1 Restrict Core Dumps -[CIS - Debian Linux 7/8 - 4.1 Restrict Core Dumps] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/security/limits.conf -> !r:^* hard core 0; -f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0; -# -# -#4.3 Enable Randomized Virtual Memory Region Placement -[CIS - Debian Linux 7/8 - 4.3 Enable Randomized Virtual Memory Region Placement] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^kernel.randomize_va_space = 2; -# -# -#5.1.1 Ensure NIS is not installed -[CIS - Debian Linux 7/8 - 5.1.1 Ensure NIS is not installed] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/init.d/nis; -# -# -#5.1.2 Ensure rsh server is not enabled -[CIS - Debian Linux 7/8 - 5.1.2 Ensure rsh server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:shell|login|exec; -# -# -#5.1.4 Ensure talk server is not enabled -[CIS - Debian Linux 7/8 - 5.1.4 Ensure talk server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:talk|ntalk; -# -# -#5.1.6 Ensure telnet server is not enabled -[CIS - Debian Linux 7/8 - 5.1.6 Ensure telnet server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:telnet; -# -# -#5.1.7 Ensure tftp-server is not enabled -[CIS - Debian Linux 7/8 - 5.1.7 Ensure tftp-server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:tftp; -# -# -#5.1.8 Ensure xinetd is not enabled -[CIS - Debian Linux 7/8 - 5.1.8 Ensure xinetd is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:xinetd; -# -# -#5.2 Ensure chargen is not enabled -[CIS - Debian Linux 7/8 - 5.2 Ensure chargen is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:chargen; -# -# -#5.3 Ensure daytime is not enabled -[CIS - Debian Linux 7/8 - 5.3 Ensure daytime is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:daytime; -# -# -#5.4 Ensure echo is not enabled -[CIS - Debian Linux 7/8 - 5.4 Ensure echo is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:echo; -# -# -#5.5 Ensure discard is not enabled -[CIS - Debian Linux 7/8 - 5.5 Ensure discard is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:discard; -# -# -#5.6 Ensure time is not enabled -[CIS - Debian Linux 7/8 - 5.6 Ensure time is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/inetd.conf -> !r:^# && r:time; -# -# -#6.2 Ensure Avahi Server is not enabled -[CIS - Debian Linux 7/8 - 6.2 Ensure Avahi Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:avahi-daemon; -# -# -#6.3 Ensure print server is not enabled -[CIS - Debian Linux 7/8 - 6.3 Ensure print server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:cups; -d:$rc_dirs -> S -> r:cups-browsed; -# -# -#6.4 Ensure DHCP Server is not enabled -[CIS - Debian Linux 7/8 - 6.4 Ensure DHCP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:disc-dhcp-server; -# -# -#6.5 Configure Network Time Protocol (NTP) -[CIS - Debian Linux 7/8 - 6.5 Configure Network Time Protocol (NTP)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ntp.conf -> !r:^restrict -4 default kod nomodify notrap nopeer noquery; -f:/etc/ntp.conf -> !r:^restrict -6 default kod nomodify notrap nopeer noquery; -f:/etc/ntp.conf -> !r:^server\s\.+; -# -# -#6.6 Ensure LDAP is not ennabled -[CIS - Debian Linux 7/8 - 6.6 Ensure LDAP is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:/etc/init.d -> r:ldap; -# -# -#6.7 Ensure NFS and RPC are not enabled -[CIS - Debian Linux 7/8 - 6.7 Ensure NFS and RPC are not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:rpcbind; -d:$rc_dirs -> S -> r:nfs-kernel-server; -# -# -#6.8 Ensure DNS Server is not enabled -[CIS - Debian Linux 7/8 - 6.8 Ensure DNS Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:bind9; -# -# -#6.9 Ensure FTP Server is not enabled -[CIS - Debian Linux 7/8 - 6.9 Ensure FTP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:vsftpd; -# -# -#6.10 Ensure HTTP Server is not enabled -[CIS - Debian Linux 7/8 - 6.10 Ensure HTTP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:apache2; -# -# -#6.11 Ensure IMAP and POP server is not enabled -[CIS - Debian Linux 7/8 - 6.11 Ensure IMAP and POP server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:dovecot; -# -# -#6.12 Ensure Samba is not enabled -[CIS - Debian Linux 7/8 - 6.12 Ensure Samba is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:samba; -# -# -#6.13 Ensure HTTP Proxy Server is not enabled -[CIS - Debian Linux 7/8 - 6.13 Ensure HTTP Proxy Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:squid3; -# -# -#6.14 Ensure SNMP Server is not enabled -[CIS - Debian Linux 7/8 - 6.14 Ensure SNMP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$rc_dirs -> S -> r:snmpd; -# -# -#6.15 Configure Mail Transfer Agent for Local-Only Mode -[CIS - Debian Linux 7/8 - 6.15 Configure Mail Transfer Agent for Local Only Mode] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && !r:'127.0.0.1\s*\p\s*::1'$|'::1\s*\p\s*127.0.0.1'$|'127.0.0.1'$|'::1'$; -# -# -#6.16 Ensure rsync service is not enabled -[CIS - Debian Linux 7/8 - 6.16 Ensure rsync service is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE=true|inetd; -f:/etc/default/rsync -> !r:^RSYNC_ENABLE=false; -# -# -#7.1.1 Disable IP Forwarding -[CIS - Debian Linux 7/8 - 7.1.1 Disable IP Forwarding] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.ip_forward=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.ip_forward=0; -# -# -#7.1.2 Disable Send Packet Redirects -[CIS - Debian Linux 7/8 - 7.1.2 Disable Send Packet Redirects] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.send_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.send_redirects=0; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.send_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.send_redirects=0; -# -# -#7.2.1 Disable Source Routed Packet Acceptance -[CIS - Debian Linux 7/8 - 7.2.1 Disable Source Routed Packet Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.accept_source_route=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_source_route=0; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.accept_source_route=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_source_route=0; -# -# -#7.2.2 Disable ICMP Redirect Acceptance -[CIS - Debian Linux 7/8 - 7.2.2 Disable ICMP Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.accept_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_redirects=0; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.accept_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_redirects=0; -# -# -#7.2.3 Disable Secure ICMP Redirect Acceptance -[CIS - Debian Linux 7/8 - 7.2.3 Disable Secure ICMP Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.secure_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.secure_redirects=0; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.secure_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.secure_redirects=0; -# -# -#7.2.4 Log Suspicious Packets -[CIS - Debian Linux 7/8 - 7.2.4 Log Suspicious Packets] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.log_martians=0; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.log_martians=1; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.log_martians=0; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.log_martians=1; -# -# -#7.2.5 Enable Ignore Broadcast Requests -[CIS - Debian Linux 7/8 - 7.2.5 Enable Ignore Broadcast Requests] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.icmp_echo_ignore_broadcasts=0; -f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_echo_ignore_broadcasts=1; -# -# -#7.2.6 Enable Bad Error Message Protection -[CIS - Debian Linux 7/8 - 7.2.6 Enable Bad Error Message Protection] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.icmp_ignore_bogus_error_responses=0; -f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_ignore_bogus_error_responses=1; -# -# -#7.2.7 Enable RFC-recommended Source Route Validation -[CIS - Debian Linux 7/8 - 7.2.7 Enable RFC-recommended Source Route Validation] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.rp_filter=0; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.rp_filter=1; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.rp_filter=0; -f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.rp_filter=1; -# -# -#7.2.8 Enable TCP SYN Cookies -[CIS - Debian Linux 7/8 - 7.2.8 Enable TCP SYN Cookies] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.tcp_syncookies=0; -f:/etc/sysctl.conf -> !r:^net.ipv4.tcp_syncookies=1; -# -# -#7.3.1 Disable IPv6 Router Advertisements -[CIS - Debian Linux 7/8 - 7.3.1 Disable IPv6 Router Advertisements] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.accept_ra=1; -f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_ra=0; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.accept_ra=1; -f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_ra=0; -# -# -#7.3.2 Disable IPv6 Redirect Acceptance -[CIS - Debian Linux 7/8 - 7.3.2 Disable IPv6 Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.accept_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_redirects=0; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.accept_redirects=1; -f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_redirects=0; -# -# -#7.3.3 Disable IPv6 -[CIS - Debian Linux 7/8 - 7.3.3 Disable IPv6] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.disable_ipv6=0; -f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.disable_ipv6=1; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.disable_ipv6=0; -f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.disable_ipv6=1; -f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.lo.disable_ipv6=0; -f:/etc/sysctl.conf -> !r:^net.ipv6.conf.lo.disable_ipv6=1; -# -# -#7.4.2 Create /etc/hosts.allow -[CIS - Debian Linux 7/8 - 7.4.2 Create /etc/hosts.allow] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/hosts.allow; -f:/etc/hosts.allow -> !r:^ALL:\.*; -# -# -#7.4.4 Create /etc/hosts.deny -[CIS - Debian Linux 7/8 - 7.4.4 Create /etc/hosts.deny] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/hosts.deny; -f:/etc/hosts.deny -> !r:^ALL:\s*ALL; -# -# -#7.5.1 Disable DCCP -[CIS - Debian Linux 7/8 - 7.5.1 Disable DCCP] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install dccp /bin/true; -# -# -#7.5.2 Disable SCTP -[CIS - Debian Linux 7/8 - 7.5.2 Disable SCTP] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install sctp /bin/true; -# -# -#7.5.3 Disable RDS -[CIS - Debian Linux 7/8 - 7.5.3 Disable RDS] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install rds /bin/true; -# -# -#7.5.4 Disable TIPC -[CIS - Debian Linux 7/8 - 7.5.4 Disable TIPC] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install tipc /bin/true; -# -# -#7.7 Ensure Firewall is active (RunLevel 2, 3, 4, 5; Priority 01) -[CIS - Debian Linux 7/8 - 7.7 Ensure Firewall is active (RunLevel 2, 3, 4, 5; Priority 01)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/rc2.d/S01iptables-persistent; -f:!/etc/rc3.d/S01iptables-persistent; -f:!/etc/rc4.d/S01iptables-persistent; -f:!/etc/rc5.d/S01iptables-persistent; -# -# -#8.2.2 Ensure the rsyslog Service is activated (RunLevel 2, 3, 4, 5; Priority 01) -[CIS - Debian Linux 7/8 - 8.2.2 Ensure the rsyslog Service is activated (RunLevel 2, 3, 4, 5; Priority 01)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/rc2.d/S01rsyslog; -f:!/etc/rc3.d/S01rsyslog; -f:!/etc/rc4.d/S01rsyslog; -f:!/etc/rc5.d/S01rsyslog; -# -# -#8.2.3 Configure /etc/rsyslog.conf -[CIS - Debian Linux 7/8 - 8.2.3 Configure /etc/rsyslog.conf] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:$rsyslog_files -> !r:^*.emerg\s*\t*\s*\S; -f:$rsyslog_files -> !r:^mail.*\s*\t*\s*\S; -f:$rsyslog_files -> !r:^mail.info\s*\t*\s*\S; -f:$rsyslog_files -> !r:^mail.warning\s*\t*\s*\S; -f:$rsyslog_files -> !r:^mail.err\s*\t*\s*\S; -f:$rsyslog_files -> !r:^news.crit\s*\t*\s*\S; -f:$rsyslog_files -> !r:^news.err\s*\t*\s*\S; -f:$rsyslog_files -> !r:^news.notice\s*\t*\s*\S; -f:$rsyslog_files -> !r:^*.=warning;*.=err\s*\t*\s*\S; -f:$rsyslog_files -> !r:^*.crit\s*\t*\s*\S; -f:$rsyslog_files -> !r:^*.*;mail.none;news.none\s*\t*\s*\S; -f:$rsyslog_files -> !r:^local0,local1.*\s*\t*\s*\S; -f:$rsyslog_files -> !r:^local2,local3.*\s*\t*\s*\S; -f:$rsyslog_files -> !r:^local4,local5.*\s*\t*\s*\S; -f:$rsyslog_files -> !r:^local6,local7.*\s*\t*\s*\S; -# -# -#8.2.5 Configure rsyslog to Send Logs to a Remote Log Host -[CIS - Debian Linux 7/8 - 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/rsyslog.conf -> !r:^*.* @@\w+.\w+.\w+; -# -# -#8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts -[CIS - Debian Linux 7/8 - 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:$rsyslog_files -> !r:^\$ModLoad imtcp.so; -f:$rsyslog_files -> !r:^\$InputTCPServerRun 514; -# -# -#8.4 Configure logrotate -[CIS - Debian Linux 7/8 - 8.4 Configure logrotate] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/logrotate.d/rsyslog; -f:/etc/logrotate.d/rsyslog -> !r:\S+; -# -# -#9.1.1 Enable cron Daemon (RunLevel 2, 3, 4, 5; Priority 15) -[CIS - Debian Linux 7/8 - 9.1.1 Enable cron Daemon (RunLevel 2, 3, 4, 5; Priority 15)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/rc2.d/S15anacron; -f:!/etc/rc2.d/S15cron; -f:!/etc/rc3.d/S15anacron; -f:!/etc/rc3.d/S15cron; -f:!/etc/rc4.d/S15anacron; -f:!/etc/rc4.d/S15cron; -f:!/etc/rc5.d/S15anacron; -f:!/etc/rc5.d/S15cron; -# -# -#9.1.8 Restrict at/cron to Authorized Users -[CIS - Debian Linux 7/8 - 9.1.8 Restrict at/cron to Authorized Users] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/cron.allow; -f:!/etc/at.allow; -# -# -#9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib -[CIS - Debian Linux 7/8 - 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/pam.d/common-password -> !r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+; -# -# -#9.2.2 Set Lockout for Failed Password Attempts -[CIS - Debian Linux 7/8 - 9.2.2 Set Lockout for Failed Password Attempts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/pam.d/login -> !r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+; -# -# -#9.2.3 Limit Password Reuse -[CIS - Debian Linux 7/8 - 9.2.3 Limit Password Reuse] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/pam.d/common-password -> !r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d; -# -# -#9.3.1 Set SSH Protocol to 2 -[CIS - Debian Linux 7/8 - 9.3.1 Set SSH Protocol to 2] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^# && r:protocol 1; -f:/etc/ssh/sshd_config -> !r:^protocol 2$; -# -# -#9.3.2 Set LogLevel to INFO -[CIS - Debian Linux 7/8 - 9.3.2 Set LogLevel to INFO] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^LogLevel\s+INFO; -# -# -#9.3.4 Disable SSH X11 Forwarding -[CIS - Debian Linux 7/8 - 9.3.4 Disable SSH X11 Forwarding] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s+no; -# -# -#9.3.5 Set SSH MaxAuthTries to 4 or Less -[CIS - Debian Linux 7/8 - 9.3.5 Set SSH MaxAuthTries to 4 or Less] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s+\d; -f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+\d\d+; -f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+5; -f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+6; -f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+7; -f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+8; -f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+9; -# -# -#9.3.6 Set SSH IgnoreRhosts to Yes -[CIS - Debian Linux 7/8 - 9.3.6 Set SSH IgnoreRhosts to Yes] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s+yes; -# -# -#9.3.7 Set SSH HostbasedAuthentication to No -[CIS - Debian Linux 7/8 - 9.3.7 Set SSH HostbasedAuthentication to No] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^HostbasedAuthentication\s+no; -# -# -#9.3.8 Disable SSH Root Login -[CIS - Debian Linux 7/8 - 9.3.8 Disable SSH Root Login] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes; -f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no; -# -# -#9.3.9 Set SSH PermitEmptyPasswords to No -[CIS - Debian Linux 7/8 - 9.3.9 Set SSH PermitEmptyPasswords to No] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+yes; -f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s+no; -# -# -#9.3.10 Do Not Allow Users to Set Environment Options -[CIS - Debian Linux 7/8 - 9.3.10 Do Not Allow Users to Set Environment Options] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+yes; -f:/etc/ssh/sshd_config -> !r:^PermitUserEnvironment\s+no; -# -# -#9.3.12 Set Idle Timeout Interval for User Login -[CIS - Debian Linux 7/8 - 9.3.12 Set Idle Timeout Interval for User Login] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^ClientAliveInterval\s+\d+; -f:/etc/ssh/sshd_config -> !r:^ClientAliveCountMax\s+\d; -# -# -#9.3.13 Limit Access via SSH -[CIS - Debian Linux 7/8 - 9.3.13 Limit Access via SSH] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+; -# -# -#9.3.14 Set SSH Banner -[CIS - Debian Linux 7/8 - 9.3.14 Set SSH Banner] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/ssh/sshd_config -> !r:^Banner\s+\S+; -# -# -#9.5 Restrict Access to the su Command -[CIS - Debian Linux 7/8 - 9.5 Restrict Access to the su Command] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/pam.d/su -> !r:auth required pam_wheel.so use_uid; -# -# -#10.1.1 Set Password Expiration Days -[CIS - Debian Linux 7/8 - 10.1.1 Set Password Expiration Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s+\d+; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+\d\d\d+; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+91; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+92; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+93; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+94; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+95; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+96; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+97; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+98; -f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+99; -# -# -#10.1.2 Set Password Change Minimum Number of Days -[CIS - Debian Linux 7/8 - 10.1.2 Set Password Change Minimum Number of Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s+\d+; -f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+1; -f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+2; -f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+3; -f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+4; -f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+5; -f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+6; -# -# -#10.1.3 Set Password Expiring Warning Days -[CIS - Debian Linux 7/8 - 10.1.3 Set Password Expiring Warning Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/login.defs -> !r:^PASS_WARN_DAYS\s+\d+; -f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+1; -f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+2; -f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+3; -f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+4; -f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+5; -f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+6; -# -# -#10.3 Set Default Group for root Account -[CIS - Debian Linux 7/8 - 10.3 Set Default Group for root Account] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/passwd -> !r:^root:\w+:\w+:0:; -# -# -#10.4 Set Default umask for Users -[CIS - Debian Linux 7/8 - 10.4 Set Default umask for Users] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:$profiledfiles -> !r:^umask 077; -f:/etc/bash.bashrc -> !r:^umask 077; -# -# -#10.5 Lock Inactive User Accounts -[CIS - Debian Linux 7/8 - 10.5 Lock Inactive User Accounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/default/useradd -> !r:^INACTIVE=\d\d*; -# -# -#11.1 Set Warning Banner for Standard Login Services -[CIS - Debian Linux 7/8 - 11.1 Set Warning Banner for Standard Login Services] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/motd; -f:!/etc/issue; -f:!/etc/issue.net; -# -# -#11.2 Remove OS Information from Login Warning Banners -[CIS - Debian Linux 7/8 - 11.2 Remove OS Information from Login Warning Banners] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/motd -> r:debian|gnu|linux; -# -# -#13.1 Ensure Password Fields are Not Empty -[CIS - Debian Linux 7/8 - 13.1 Ensure Password Fields are Not Empty] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/shadow -> r:^\w+::; -# -# -#13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File -[CIS - Debian Linux 7/8 - 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/passwd -> !r:^# && r:^+:; -# -# -#13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File -[CIS - Debian Linux 7/8 - 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/shadow -> !r:^# && r:^+:; -# -# -#13.4 Verify No Legacy "+" Entries Exist in /etc/group File -[CIS - Debian Linux 7/8 - 13.4 Verify No Legacy "+" Entries Exist in /etc/group File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/group -> !r:^# && r:^+:; -# -# -#13.5 Verify No UID 0 Accounts Exist Other Than root -[CIS - Debian Linux 7/8 - 13.5 Verify No UID 0 Accounts Exist Other Than root] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; -# -# -#13.10 Check for Presence of User .rhosts Files -[CIS - Debian Linux 7/8 - 13.10 Check for Presence of User .rhosts Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$home_dirs -> r:^.rhosts$; -# -# -#13.18 Check for Presence of User .netrc Files -[CIS - Debian Linux 7/8 - 13.18 Check for Presence of User .netrc Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$home_dirs -> r:^.netrc$; -# -# -#13.19 Check for Presence of User .forward Files -[CIS - Debian Linux 7/8 - 13.19 Check for Presence of User .forward Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -d:$home_dirs -> r:^.forward$; -# -# -#13.20 Ensure shadow group is empty -[CIS - Debian Linux 7/8 - 13.20 Ensure shadow group is empty] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt deleted file mode 100644 index 621152e..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt +++ /dev/null @@ -1,245 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# Level 2 CIS Checks for Debian Linux 7 and Debian Linux 8 -# Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81) -# -# -$rc_dirfiles=/etc/rc0.d/*,/etc/rc1.d/*,/etc/rc2.d/*,/etc/rc3.d/*,/etc/rc4.d/*,/etc/rc5.d/*,/etc/rc6.d/*,/etc/rc7.d/*,/etc/rc8.d/*,/etc/rc9.d/*,/etc/rca.d/*,/etc/rcb.d/*,/etc/rcc.d/*,/etc/rcs.d/*,/etc/rcS.d/*; -# -# -#2.18 Disable Mounting of cramfs Filesystems -[CIS - Debian Linux 7/8 - 2.18 Disable Mounting of cramfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install cramfs /bin/true; -# -# -#2.19 Disable Mounting of freevxfs Filesystems -[CIS - Debian Linux 7/8 - 2.19 Disable Mounting of freevxfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install freevxfs /bin/true; -# -# -#2.20 Disable Mounting of jffs2 Filesystems -[CIS - Debian Linux 7/8 - 2.20 Disable Mounting of jffs2 Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install jffs2 /bin/true; -# -# -#2.21 Disable Mounting of hfs Filesystems -[CIS - Debian Linux 7/8 - 2.21 Disable Mounting of hfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install hfs /bin/true; -# -# -#2.22 Disable Mounting of hfsplus Filesystems -[CIS - Debian Linux 7/8 - 2.22 Disable Mounting of hfsplus Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install hfsplus /bin/true; -# -# -#2.23 Disable Mounting of squashfs Filesystems -[CIS - Debian Linux 7/8 - 2.23 Disable Mounting of squashfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install squashfs /bin/true; -# -# -#2.24 Disable Mounting of udf Filesystems -[CIS - Debian Linux 7/8 - 2.24 Disable Mounting of udf Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/modprobe.d/CIS.conf; -f:/etc/modprobe.d/CIS.conf -> !r:^install udf /bin/true; -# -# -#4.5 Activate AppArmor -[CIS - Debian Linux 7/8 - 4.5 Activate AppArmor] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/default/grub -> !r:apparmor=1 && !r:security=apparmor; -# -# -#8.1.1.1 Configure Audit Log Storage Size -[CIS - Debian Linux 7/8 - 8.1.1.1 Configure Audit Log Storage Size] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/auditd.conf; -f:/etc/audit/auditd.conf -> !r:max_log_file\s*=\s*\d+; -# -# -#8.1.1.2 Disable System on Audit Log Full -[CIS - Debian Linux 7/8 - 8.1.1.2 Disable System on Audit Log Full] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/auditd.conf; -f:/etc/audit/auditd.conf -> !r:^space_left_action\s*=\s*email; -f:/etc/audit/auditd.conf -> !r:^# && r:space_left_action\s*=\s*ignore|syslog|suspend|single|halt; -f:/etc/audit/auditd.conf -> !r:^action_mail_acct\s*=\s*root; -f:/etc/audit/auditd.conf -> !r:^admin_space_left_action\s*=\s*halt; -f:/etc/audit/auditd.conf -> !r:^# && r:admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single; -# -# -#8.1.1.3 Keep All Auditing Information -[CIS - Debian Linux 7/8 - 8.1.1.3 Keep All Auditing Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/auditd.conf; -f:/etc/audit/auditd.conf -> !r:^max_log_file_action\s*=\s*keep_logs; -f:/etc/audit/auditd.conf -> !r:^# && r:max_log_file_action\s*=\s*ignore|syslog|suspend|rotate; -# -# -#8.1.3 Enable Auditing for Processes That Start Prior to auditd -[CIS - Debian Linux 7/8 - 8.1.3 Enable Auditing for Processes That Start Prior to auditd] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/default/grub -> !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*; -# -# -#8.1.4 Record Events That Modify Date and Time Information -[CIS - Debian Linux 7 - 8.1.4 Record Events That Modify Date and Time Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S clock_settime -k time-change; -f:/etc/audit/audit.rules -> !r:^-w /etc/localtime -p wa -k time-change; -# -# -#8.1.5 Record Events That Modify User/Group Information -[CIS - Debian Linux 7/8 - 8.1.5 Record Events That Modify User/Group Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-w /etc/group -p wa -k identity; -f:/etc/audit/audit.rules -> !r:^-w /etc/passwd -p wa -k identity; -f:/etc/audit/audit.rules -> !r:^-w /etc/gshadow -p wa -k identity; -f:/etc/audit/audit.rules -> !r:^-w /etc/shadow -p wa -k identity; -f:/etc/audit/audit.rules -> !r:^-w /etc/security/opasswd -p wa -k identity; -# -# -#8.1.6 Record Events That Modify the System's Network Environment -[CIS - Debian Linux 7/8 - 8.1.6 Record Events That Modify the System's Network Environment] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale; -f:/etc/audit/audit.rules -> !r:^-w /etc/issue -p wa -k system-locale; -f:/etc/audit/audit.rules -> !r:^-w /etc/issue.net -p wa -k system-locale; -f:/etc/audit/audit.rules -> !r:^-w /etc/hosts -p wa -k system-locale; -f:/etc/audit/audit.rules -> !r:^-w /etc/network -p wa -k system-locale; -# -# -#8.1.7 Record Events That Modify the System's Mandatory Access Controls -[CIS - Debian Linux 7/8 - 8.1.7 Record Events That Modify the System's Mandatory Access Controls] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-w /etc/selinux/ -p wa -k MAC-policy; -# -# -#8.1.8 Collect Login and Logout Events -[CIS - Debian Linux 7/8 - 8.1.8 Collect Login and Logout Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-w /var/log/faillog -p wa -k logins; -f:/etc/audit/audit.rules -> !r:^-w /var/log/lastlog -p wa -k logins; -f:/etc/audit/audit.rules -> !r:^-w /var/log/tallylog -p wa -k logins; -# -# -#8.1.9 Collect Session Initiation Information -[CIS - Debian Linux 7/8 - 8.1.9 Collect Session Initiation Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-w /var/run/utmp -p wa -k session; -f:/etc/audit/audit.rules -> !r:^-w /var/log/wtmp -p wa -k session; -f:/etc/audit/audit.rules -> !r:^-w /var/log/btmp -p wa -k session; -# -# -#8.1.10 Collect Discretionary Access Control Permission Modification Events -[CIS - Debian Linux 7/8 - 8.1.10 Collect Discretionary Access Control Permission Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\; -f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\; -f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\; -f:/etc/audit/audit.rules -> !r:^lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod; -# -# -#8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files -[CIS - Debian Linux 7/8 - 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\; -f:/etc/audit/audit.rules -> !r:^-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\; -f:/etc/audit/audit.rules -> !r:^-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access; -# -# -#8.1.13 Collect Successful File System Mounts -[CIS - Debian Linux 7/8 - 8.1.13 Collect Successful File System Mounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts; -# -# -#8.1.14 Collect File Deletion Events by User -[CIS - Debian Linux 7/8 - 8.1.14 Collect File Deletion Events by User] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\; -f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k delete; -# -# -#8.1.15 Collect Changes to System Administration Scope (sudoers) -[CIS - Debian Linux 7/8 - 8.1.15 Collect Changes to System Administration Scope (sudoers)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-w /etc/sudoers -p wa -k scope; -# -# -#8.1.16 Collect System Administrator Actions (sudolog) -[CIS - Debian Linux 7/8 - 8.1.16 Collect System Administrator Actions (sudolog)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-w /var/log/sudo.log -p wa -k actions; -# -# -#8.1.17 Collect Kernel Module Loading and Unloading -[CIS - Debian Linux 7/8 - 8.1.17 Collect Kernel Module Loading and Unloading] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-w /sbin/insmod -p x -k modules; -f:/etc/audit/audit.rules -> !r:^-w /sbin/rmmod -p x -k modules; -f:/etc/audit/audit.rules -> !r:^-w /sbin/modprobe -p x -k modules; -f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|-a always,exit -F arch=b64 -S init_module -S delete_module -k modules; -# -# -#8.1.18 Make the Audit Configuration Immutable -[CIS - Debian Linux 7/8 - 8.1.18 Make the Audit Configuration Immutable] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/etc/audit; -f:!/etc/audit/audit.rules; -f:/etc/audit/audit.rules -> !r:^-e 2$; -# -# -#8.3.1 Install AIDE -[CIS - Debian Linux 7/8 - 8.3.1 Install AIDE] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:!/usr/sbin/aideinit; -# -# -#8.3.2 Implement Periodic Execution of File Integrity -[CIS - Debian Linux 7/8 - 8.3.2 Implement Periodic Execution of File Integrity] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] -f:/etc/crontab -> !r:/usr/sbin/aide --check; -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt deleted file mode 100644 index f851f40..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt +++ /dev/null @@ -1,158 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry , use "->" to look for a specific entry and another -# "->" to look for the value. -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for MYSQL -# Based on Center for Internet Security Benchmark for MYSQL v1.1.0 -# -$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/; -$enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile; -$mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf; -# -# -#1.3 Disable MySQL Command History -[CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download] -d:$home_dirs -> ^.mysql_history$; -# -# -#1.5 Disable Interactive Login -[CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download] -f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$; -# -# -#1.6 Verify That 'MYSQL_PWD' Is Not In Use -[CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$enviroment_files -> r:\.*MYSQL_PWD\.*; -# -# -#4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' -[CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true; -f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$; -# -# -#4.4 Ensure 'local_infile' Is Disabled -[CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1; -f:$mysql-cnfs -> r:local-infile\s*$; -# -# -#4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables' -[CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true; -f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false; -f:$mysql-cnfs -> r:skip-grant-tables\s*$; -# -# -#4.6 Ensure '--skip-symbolic-links' Is Enabled -[CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no; -f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes; -f:$mysql-cnfs -> r:skip_symbolic_links\s*$; -# -# -#4.8 Ensure 'secure_file_priv' is not empty -[CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*; -f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*; -f:$mysql-cnfs -> r:secure_file_priv\s*$; -# -# -#4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES' -[CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:strict_all_tables\s*$; -# -# -#6.1 Ensure 'log_error' is not empty -[CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*; -f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*; -f:$mysql-cnfs -> r:log_error\s*$; -# -# -#6.2 Ensure Log Files are not Stored on a non-system partition -[CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*; -f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*; -f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*; -f:$mysql-cnfs -> r:log_bin\s*$; -# -# -#6.3 Ensure 'log_warning' is set to 2 at least -[CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0; -f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1; -f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+; -f:$mysql-cnfs -> r:log_warnings\s*$; -# -# -#6.5 Ensure 'log_raw' is set to 'off' -[CIS - MySQL Configuration - 6.5: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on; -f:$mysql-cnfs -> r:log-raw\s*$; -# -# -#7.1 Ensure 'old_password' is not set to '1' or 'On' -[CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1; -f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on; -f:$mysql-cnfs -> !r:old_passwords\s*=\s*2; -f:$mysql-cnfs -> r:old_passwords\s*$; -# -# -#7.2 Ensure 'secure_auth' is set to 'ON' -[CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off; -f:$mysql-cnfs -> !r:secure_auth\s*=\s*on; -f:$mysql-cnfs -> r:secure_auth\s*$; -# -# -#7.3 Ensure Passwords Are Not Stored in the Global Configuration -[CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:^\s*password\.*; -# -# -#7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' -[CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:no_auto_create_user\s*$; -f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$; -# -# -#7.6 Ensure Password Policy is in Place -[CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$; -f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$; -f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$; -f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$; -f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$; -f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1; -f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*; -# -# -#9.2 Ensure 'master_info_repository' is set to 'Table' -[CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file; -f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table; -f:$mysql-cnfs -> r:master_info_repository\s*$; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt deleted file mode 100644 index 8655a31..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt +++ /dev/null @@ -1,208 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry , use "->" to look for a specific entry and another -# "->" to look for the value. -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for MYSQL -# Based on Center for Internet Security Benchmark for MYSQL v1.1.0 -# -$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/; -$enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile; -$mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf; -# -# -#1.3 Disable MySQL Command History -[CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download] -d:$home_dirs -> ^.mysql_history$; -# -# -#1.5 Disable Interactive Login -[CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download] -f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$; -# -# -#1.6 Verify That 'MYSQL_PWD' Is Not In Use -[CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$enviroment_files -> r:\.*MYSQL_PWD\.*; -# -# -#4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' -[CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true; -f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$; -# -# -#4.4 Ensure 'local_infile' Is Disabled -[CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1; -f:$mysql-cnfs -> r:local-infile\s*$; -# -# -#4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables' -[CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true; -f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false; -f:$mysql-cnfs -> r:skip-grant-tables\s*$; -# -# -#4.6 Ensure '--skip-symbolic-links' Is Enabled -[CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no; -f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes; -f:$mysql-cnfs -> r:skip_symbolic_links\s*$; -# -# -#4.8 Ensure 'secure_file_priv' is not empty -[CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*; -f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*; -f:$mysql-cnfs -> r:secure_file_priv\s*$; -# -# -#4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES' -[CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:strict_all_tables\s*$; -# -# -#6.1 Ensure 'log_error' is not empty -[CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*; -f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*; -f:$mysql-cnfs -> r:log_error\s*$; -# -# -#6.2 Ensure Log Files are not Stored on a non-system partition -[CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*; -f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*; -f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*; -f:$mysql-cnfs -> r:log_bin\s*$; -# -# -#6.3 Ensure 'log_warning' is set to 2 at least -[CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0; -f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1; -f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+; -f:$mysql-cnfs -> r:log_warnings\s*$; -# -# -#6.4 Ensure 'log_raw' is set to 'off' -[CIS - MySQL Configuration - 6.4: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on; -f:$mysql-cnfs -> r:log-raw\s*$; -# -# -#6.5 Ensure audit_log_connection_policy is not set to 'none' -[CIS - MySQL Configuration - 6.5: audit_log_connection_policy is set to 'none' change it to all or erros] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r^# && r::audit_log_connection_policy\s*=\s*none; -f:$mysql-cnfs -> r:audit_log_connection_policy\s*$; -# -# -#6.6 Ensure audit_log_exclude_account is set to Null -[CIS - MySQL Configuration - 6.6:audit_log_exclude_accounts is not set to Null] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && !r:null\s*$; -f:$mysql-cnfs -> r:audit_log_exclude_accounts\s*$; -# -# -#6.7 Ensure audit_log_include_accounts is set to Null -[CIS - MySQL Configuration - 6.7:audit_log_include_accounts is not set to Null] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && !r:null\s*$; -f:$mysql-cnfs -> r:audit_log_include_accounts\s*$; -# -# -#6.9 Ensure audit_log_policy is not set to all -[CIS - MySQL Configuration - 6.9: audit_log_policy is not set to all] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*queries; -f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*none; -f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*logins; -f:$mysql-cnfs -> r:audit_log_policy\s*$; -# -# -#6.10 Ensure audit_log_statement_policy is set to all -[CIS - MySQL Configuration - 6.10: Ensure audit_log_statement_policy is set to all] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:audit_log_statement_policy\.+errors; -f:$mysql-cnfs -> !r:^# && r:audit_log_statement_policy\.+none; -f:$mysql-cnfs -> r:audit_log_statement_policy\s*$; -# -# -#6.11 Ensure audit_log_strategy is set to synchronous or semisynchronous -[CIS - MySQL Configuration - 6.11: Ensure audit_log_strategy is set to all] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:audit_log_strategy\.+asynchronous; -f:$mysql-cnfs -> !r:^# && r:audit_log_strategy\.+performance; -f:$mysql-cnfs -> !r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous; -f:$mysql-cnfs -> r:audit_log_strategy\s*$; -# -# -#6.12 Make sure the audit plugin can't be unloaded -[CIS - MySQL Configuration - 6.12: Audit plugin can be unloaded] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*on\s*; -f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*off\s*; -f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*force\s*; -f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent\s*; -f:$mysql-cnfs -> r:^audit_log\s$; -# -# -#7.1 Ensure 'old_password' is not set to '1' or 'On' -[CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1; -f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on; -f:$mysql-cnfs -> !r:old_passwords\s*=\s*2; -f:$mysql-cnfs -> r:old_passwords\s*$; -# -# -#7.2 Ensure 'secure_auth' is set to 'ON' -[CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off; -f:$mysql-cnfs -> !r:secure_auth\s*=\s*on; -f:$mysql-cnfs -> r:secure_auth\s*$; -# -# -#7.3 Ensure Passwords Are Not Stored in the Global Configuration -[CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:^\s*password\.*; -# -# -#7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' -[CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:no_auto_create_user\s*$; -f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$; -# -# -#7.6 Ensure Password Policy is in Place -[CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$; -f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$; -f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$; -f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$; -f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$; -f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1; -f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*; -# -# -#9.2 Ensure 'master_info_repository' is set to 'Table' -[CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download] -f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file; -f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table; -f:$mysql-cnfs -> r:master_info_repository\s*$; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt deleted file mode 100644 index 72fe818..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt +++ /dev/null @@ -1,845 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - - -# CIS Checks for Red Hat / CentOS 5 -# Based on CIS Benchmark for Red Hat Enterprise Linux 5 v2.1.0 - -# TODO: URL is invalid currently - -# RC scripts location -$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - - -[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5; -f:/etc/redhat-release -> r:^CentOS && r:release 5; -f:/etc/redhat-release -> r:^Cloud && r:release 5; -f:/etc/redhat-release -> r:^Oracle && r:release 5; -f:/etc/redhat-release -> r:^Better && r:release 5; - - -# 1.1.1 /tmp: partition -[CIS - RHEL5 - - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 1.1.1 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:/tmp; - -# 1.1.2 /tmp: nodev -[CIS - RHEL5 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 1.1.3 /tmp: nosuid -[CIS - RHEL5 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid; - -# 1.1.4 /tmp: noexec -[CIS - RHEL5 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 1.1.5 Build considerations - Partition scheme. -[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r^# && !r:/var; - -# 1.1.6 bind mount /var/tmp to /tmp -[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind; - -# 1.1.7 /var/log: partition -[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log; - -# 1.1.8 /var/log/audit: partition -[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log/audit; - -# 1.1.9 /home: partition -[CIS - RHEL5 - - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 Debian RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> ^# && !r:/home; - -# 1.1.10 /home: nodev -[CIS - RHEL5 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/home && !r:nodev; - -# 1.1.11 nodev on removable media partitions (not scored) -[CIS - RHEL5 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nodev; - -# 1.1.12 noexec on removable media partitions (not scored) -[CIS - RHEL5 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:noexec; - -# 1.1.13 nosuid on removable media partitions (not scored) -[CIS - RHEL5 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; - -# 1.1.14 /dev/shm: nodev -[CIS - RHEL5 - 1.1.11 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev; - -# 1.1.15 /dev/shm: nosuid -[CIS - RHEL5 - 1.1.11 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid; - -# 1.1.16 /dev/shm: noexec -[CIS - RHEL5 - 1.1.11 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec; - -# 1.1.17 sticky bit on world writable directories (Scored) -# TODO - -# 1.1.18 disable cramfs (not scored) - -# 1.1.19 disable freevxfs (not scored) - -# 1.1.20 disable jffs2 (not scored) - -# 1.1.21 disable hfs (not scored) - -# 1.1.22 disable hfsplus (not scored) - -# 1.1.23 disable squashfs (not scored) - -# 1.1.24 disable udf (not scored) - - -########################################## -# 1.2 Software Updates -########################################## - -# 1.2.1 Configure rhn updates (not scored) - -# 1.2.2 verify RPM gpg keys (Scored) -# TODO - -# 1.2.3 verify gpgcheck enabled (Scored) -# TODO - -# 1.2.4 Disable rhnsd (not scored) - -# 1.2.5 Disable yum-updatesd (Scored) -[CIS - RHEL5 - 1.2.5 - yum-updatesd not Disabled {CIS: 1.2.5 RHEL5} {PCI_DSS: 6.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec; -p:yum-updatesd; - -# 1.2.6 Obtain updates with yum (not scored) - -# 1.2.7 Verify package integrity (not scored) - - -############################################### -# 1.3 Advanced Intrusion Detection Environment -############################################### -# -# Skipped, this control is obsoleted by OSSEC -# - - -############################################### -# 1.4 Configure SELinux -############################################### - -# 1.4.1 enable selinux in /etc/grub.conf -[CIS - RHEL5 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/grub.conf -> !r:selinux=0; - -# 1.4.2 Set selinux state -[CIS - RHEL5 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/selinux/config -> r:SELINUX=enforcing; - -# 1.4.3 Set seliux policy -[CIS - RHEL5 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/selinux/config -> r:SELINUXTYPE=targeted; - -# 1.4.4 Remove SETroubleshoot -[CIS - RHEL5 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dsetroubleshoot$; - -# 1.4.5 Disable MCS Translation service mcstrans -[CIS - RHEL5 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dmctrans$; - -# 1.4.6 Check for unconfined daemons -# TODO - - -############################################### -# 1.5 Secure Boot Settings -############################################### - -# 1.5.1 Set User/Group Owner on /etc/grub.conf -# TODO (no mode tests) - -# 1.5.2 Set Permissions on /etc/grub.conf (Scored) -# TODO (no mode tests) - -# 1.5.3 Set Boot Loader Password (Scored) -[CIS - RHEL5 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/boot/grub/menu.lst -> !r:^# && !r:password; - -# 1.5.4 Require Authentication for Single-User Mode (Scored) -[CIS - RHEL5 - 1.5.4 - Authentication for single user mode not enabled {CIS: 1.5.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/inittab -> !r:^# && r:S:wait; - -# 1.5.5 Disable Interactive Boot (Scored) -[CIS - RHEL5 - 1.5.5 - Interactive Boot not disabled {CIS: 1.5.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no; - - - -############################################### -# 1.6 Additional Process Hardening -############################################### - -# 1.6.1 Restrict Core Dumps (Scored) -[CIS - RHEL5 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0; - -# 1.6.2 Configure ExecShield (Scored) -[CIS - RHEL5 - 1.6.2 - ExecShield not enabled {CIS: 1.6.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/kernel/exec-shield -> 0; - -# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored) -[CIS - RHEL5 - 1.6.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 1.6.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/kernel/randomize_va_space -> 0; - -# 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored) -# TODO - -# 1.6.5 Disable Prelink (Scored) -[CIS - RHEL5 - 1.6.5 - Prelink not disabled {CIS: 1.6.5 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/sysconfig/prelink -> !r:PRELINKING=no; - - -############################################### -# 1.7 Use the Latest OS Release -############################################### - - -############################################### -# 2 OS Services -############################################### - -############################################### -# 2.1 Remove Legacy Services -############################################### - -# 2.1.1 Remove telnet-server (Scored) -# TODO: detect it is installed at all -[CIS - RHEL5 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no; - - -# 2.1.2 Remove telnet Clients (Scored) -# TODO - -# 2.1.3 Remove rsh-server (Scored) -[CIS - RHEL5 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no; - -# 2.1.4 Remove rsh (Scored) -# TODO - -# 2.1.5 Remove NIS Client (Scored) -[CIS - RHEL5 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dypbind$; - -# 2.1.6 Remove NIS Server (Scored) -[CIS - RHEL5 - 2.1.5 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dypserv$; - -# 2.1.7 Remove tftp (Scored) -# TODO - -# 2.1.8 Remove tftp-server (Scored) -[CIS - RHEL5 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no; - -# 2.1.9 Remove talk (Scored) -# TODO - -# 2.1.10 Remove talk-server (Scored) -[CIS - RHEL5 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no; - -# 2.1.11 Remove xinetd (Scored) -# TODO - -# 2.1.12 Disable chargen-dgram (Scored) -# TODO - -# 2.1.13 Disable chargen-stream (Scored) -# TODO - -# 2.1.14 Disable daytime-dgram (Scored) -# TODO - -# 2.1.15 Disable daytime-stream (Scored) -# TODO - -# 2.1.16 Disable echo-dgram (Scored) -# TODO - -# 2.1.17 Disable echo-stream (Scored) -# TODO - -# 2.1.18 Disable tcpmux-server (Scored) -# TODO - - -############################################### -# 3 Special Purpose Services -############################################### - -############################################### -# 3.1 Disable Avahi Server -############################################### - -# 3.1.1 Disable Avahi Server (Scored) -[CIS - RHEL5 - 3.1.1 - Avahi daemon not disabled {CIS: 3.1.1 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -p:avahi-daemon; - -# 3.1.2 Service Only via Required Protocol (Not Scored) -# TODO - -# 3.1.3 Check Responses TTL Field (Scored) -# TODO - -# 3.1.4 Prevent Other Programs from Using Avahi’s Port (Not Scored) -# TODO - -# 3.1.5 Disable Publishing (Not Scored) - -# 3.1.6 Restrict Published Information (if publishing is required) (Not scored) - -# 3.2 Set Daemon umask (Scored) -[CIS - RHEL5 - 3.2 - Set daemon umask - Default umask is higher than 027 {CIS: 3.2 RHEL5}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027; - -# 3.3 Remove X Windows (Scored) -[CIS - RHEL5 - 3.3 - X11 not disabled {CIS: 3.3 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/inittab -> !r:^# && r:id:5; - -# 3.4 Disable Print Server - CUPS (Not Scored) - -# 3.5 Remove DHCP Server (Not Scored) -# TODO - -# 3.6 Configure Network Time Protocol (NTP) (Scored) -#[CIS - RHEL5 - 3.6 - NTPD not disabled {CIS: 3.6 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -# TODO. - -# 3.7 Remove LDAP (Not Scored) - -# 3.8 Disable NFS and RPC (Not Scored) -[CIS - RHEL5 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dnfs$; -d:$rc_dirs -> ^S\d\dnfslock$; - -# 3.9 Remove DNS Server (Not Scored) -# TODO - -# 3.10 Remove FTP Server (Not Scored) -[CIS - RHEL5 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no; - -# 3.11 Remove HTTP Server (Not Scored) -[CIS - RHEL5 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dhttpd$; - -# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored) -[CIS - RHEL5 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no; - -[CIS - RHEL5 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no; - -# 3.13 Remove Samba (Not Scored) -[CIS - RHEL5 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dsamba$; -d:$rc_dirs -> ^S\d\dsmb$; - -# 3.14 Remove HTTP Proxy Server (Not Scored) -[CIS - RHEL5 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dsquid$; - -# 3.15 Remove SNMP Server (Not Scored) -[CIS - RHEL5 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dsnmpd$; - -# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored) -# TODO - - -############################################### -# 4 Network Configuration and Firewalls -############################################### - -############################################### -# 4.1 Modify Network Parameters (Host Only) -############################################### - -# 4.1.1 Disable IP Forwarding (Scored) -[CIS - RHEL5 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/ip_forward -> 1; -f:/proc/sys/net/ipv6/ip_forward -> 1; - -# 4.1.2 Disable Send Packet Redirects (Scored) -[CIS - RHEL5 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0; -f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0; - - -############################################### -# 4.2 Modify Network Parameters (Host and Router) -############################################### - -# 4.2.1 Disable Source Routed Packet Acceptance (Scored) -[CIS - RHEL5 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; - -# 4.2.2 Disable ICMP Redirect Acceptance (Scored) -[CIS - RHEL5 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 4.2.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1; - -# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored) -[CIS - RHEL5 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1; - -# 4.2.4 Log Suspicious Packets (Scored) -[CIS - RHEL5 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/log_martians -> 0; - -# 4.2.5 Enable Ignore Broadcast Requests (Scored) -[CIS - RHEL5 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; - -# 4.2.6 Enable Bad Error Message Protection (Scored) -[CIS - RHEL5 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0; - -# 4.2.7 Enable RFC-recommended Source Route Validation (Scored) -[CIS - RHEL5 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0; -f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0; - -# 4.2.8 Enable TCP SYN Cookies (Scored) -[CIS - RHEL5 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/proc/sys/net/ipv4/tcp_syncookies -> 0; - - -############################################### -# 4.3 Wireless Networking -############################################### - -# 4.3.1 Deactivate Wireless Interfaces (Not Scored) - - -############################################### -# 4.4 Disable ipv6 -############################################### - -############################################### -# 4.4.1 Configure IPv6 -############################################### - -# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored) - -# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored) - -# 4.4.2 Disable IPv6 (Not Scored) - - -############################################### -# 4.5 Install TCP Wrappers -############################################### - -# 4.5.1 Install TCP Wrappers (Not Scored) - -# 4.5.2 Create /etc/hosts.allow (Not Scored) - -# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored) -# TODO - -# 4.5.4 Create /etc/hosts.deny (Not Scored) - -# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored) -# TODO - - -############################################### -# 4.6 Uncommon Network Protocols -############################################### - -# 4.6.1 Disable DCCP (Not Scored) - -# 4.6.2 Disable SCTP (Not Scored) - -# 4.6.3 Disable RDS (Not Scored) - -# 4.6.4 Disable TIPC (Not Scored) - -# 4.7 Enable IPtables (Scored) -# TODO - -# 4.8 Enable IP6tables (Not Scored) - - -############################################### -# 5 Logging and Auditing -############################################### - -############################################### -# 5.1 Configure Syslog -############################################### - -# 5.1.1 Configure /etc/syslog.conf (Not Scored) - -# 5.1.2 Create and Set Permissions on syslog Log Files (Scored) - -# 5.1.3 Configure syslog to Send Logs to a Remote Log Host (Scored) - -# 5.1.4 Accept Remote syslog Messages Only on Designated Log Hosts (Not Scored) - - -############################################### -# 5.2 Configure rsyslog -############################################### - -# 5.2.1 Install the rsyslog package (Not Scored) - -# 5.2.2 Activate the rsyslog Service (Not Scored) - -# 5.2.3 Configure /etc/rsyslog.conf (Not Scored) - -# 5.2.4 Create and Set Permissions on rsyslog Log Files (Not Scored) - -# 5.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Not Scored) - -# 5.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) - - -############################################### -# 5.3 Configure System Accounting (auditd) -############################################### - -############################################### -# 5.3.1 Configure Data Retention -############################################### - -# 5.3.1.1 Configure Audit Log Storage Size (Not Scored) - -# 5.3.1.2 Disable System on Audit Log Full (Not Scored) - -# 5.3.1.3 Keep All Auditing Information (Scored) - -# 5.3.2 Enable auditd Service (Scored) - -# 5.3.3 Configure Audit Log Storage Size (Not Scored) - -# 5.3.4 Disable System on Audit Log Full (Not Scored) - -# 5.3.5 Keep All Auditing Information (Scored) - -# 5.3.6 Enable Auditing for Processes That Start Prior to auditd (Scored) - -# 5.3.7 Record Events That Modify Date and Time Information (Scored) - -# 5.3.8 Record Events That Modify User/Group Information (Scored) - -# 5.3.9 Record Events That Modify the System’s Network Environment (Scored) - -# 5.3.10 Record Events That Modify the System’s Mandatory Access Controls (Scored) - -# 5.3.11 Collect Login and Logout Events (Scored) - -# 5.3.12 Collect Session Initiation Information (Scored) - -# 5.3.13 Collect Discretionary Access Control Permission Modification Events (Scored) - -# 5.3.14 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored) - -# 5.3.15 Collect Use of Privileged Commands (Scored) - -# 5.3.16 Collect Successful File System Mounts (Scored) - -# 5.3.17 Collect File Deletion Events by User (Scored) - -# 5.3.18 Collect Changes to System Administration Scope (sudoers) (Scored) - -# 5.3.19 Collect System Administrator Actions (sudolog) (Scored) - -# 5.3.20 Collect Kernel Module Loading and Unloading (Scored) - -# 5.3.21 Make the Audit Configuration Immutable (Scored) - -# 5.4 Configure logrotate (Not Scored) - - -############################################### -# 6 System Access, Authentication and Authorization -############################################### - -############################################### -# 6.1 Configure cron and anacron -############################################### - -# 6.1.1 Enable anacron Daemon (Scored) - -# 6.1.2 Enable cron Daemon (Scored) - -# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored) - -# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored) - -# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored) - -# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored) - -# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored) - -# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored) - -# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored) - -# 6.1.10 Restrict at Daemon (Scored) - -# 6.1.11 Restrict at/cron to Authorized Users (Scored) - -############################################### -# 6.1 Configure SSH -############################################### - -# 6.2.1 Set SSH Protocol to 2 (Scored) -[CIS - RHEL5 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; - -# 6.2.2 Set LogLevel to INFO (Scored) - -# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored) - -# 6.2.4 Disable SSH X11 Forwarding (Scored) - -# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - -# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored) -[CIS - RHEL5 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; - -# 6.2.7 Set SSH HostbasedAuthentication to No (Scored) -[CIS - RHEL5 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; - -# 6.2.8 Disable SSH Root Login (Scored) -[CIS - RHEL5 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; - -# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored) -[CIS - RHEL5 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; - -# 6.2.10 Do Not Allow Users to Set Environment Options (Scored) - -# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored) - -# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored) - -# 6.2.13 Limit Access via SSH (Scored) - -# 6.2.14 Set SSH Banner (Scored) - -# 6.2.15 Enable SSH UsePrivilegeSeparation (Scored) - - -############################################### -# 6.3 Configure PAM -############################################### - -# 6.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) - -# 6.3.2 Set Lockout for Failed Password Attempts (Not Scored) - -# 6.3.3 Use pam_deny.so to Deny Services (Not Scored) - -# 6.3.4 Upgrade Password Hashing Algorithm to SHA-512 (Scored) - -# 6.3.5 Limit Password Reuse (Scored) - -# 6.3.6 Remove the pam_ccreds Package (Scored) - -# 6.4 Restrict root Login to System Console (Not Scored) - -# 6.5 Restrict Access to the su Command (Scored) - - -############################################### -# 7 User Accounts and Environment -############################################### - -############################################### -# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs) -############################################### - -# 7.1.1 Set Password Expiration Days (Scored) - -# 7.1.2 Set Password Change Minimum Number of Days (Scored) - -# 7.1.3 Set Password Expiring Warning Days (Scored) - -# 7.2 Disable System Accounts (Scored) - -# 7.3 Set Default Group for root Account (Scored) - -# 7.4 Set Default umask for Users (Scored) - -# 7.5 Lock Inactive User Accounts (Scored) - - -############################################### -# 8 Warning Banners -############################################### - -############################################### -# 8.1 Warning Banners for Standard Login Services -############################################### - -# 8.1.1 Set Warning Banner for Standard Login Services (Scored) - -# 8.1.2 Remove OS Information from Login Warning Banners (Scored) - -# 8.2 Set GNOME Warning Banner (Not Scored) - - -############################################### -# 9 System Maintenance -############################################### - -############################################### -# 9.1 Verify System File Permissions -############################################### - -# 9.1.1 Verify System File Permissions (Not Scored) - -# 9.1.2 Verify Permissions on /etc/passwd (Scored) - -# 9.1.3 Verify Permissions on /etc/shadow (Scored) - -# 9.1.4 Verify Permissions on /etc/gshadow (Scored) - -# 9.1.5 Verify Permissions on /etc/group (Scored) - -# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored) - -# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored) - -# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored) - -# 9.1.9 Verify User/Group Ownership on /etc/group (Scored) - -# 9.1.10 Find World Writable Files (Not Scored) - -# 9.1.11 Find Un-owned Files and Directories (Scored) - -# 9.1.12 Find Un-grouped Files and Directories (Scored) - -# 9.1.13 Find SUID System Executables (Not Scored) - -# 9.1.14 Find SGID System Executables (Not Scored) - - -############################################### -# 9.2 Review User and Group Settings -############################################### - -# 9.2.1 Ensure Password Fields are Not Empty (Scored) - -# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored) - -# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored) - -# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored) - -# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) -[CIS - RHEL5 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL5} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - -# 9.2.6 Ensure root PATH Integrity (Scored) - -# 9.2.7 Check Permissions on User Home Directories (Scored) - -# 9.2.8 Check User Dot File Permissions (Scored) - -# 9.2.9 Check Permissions on User .netrc Files (Scored) - -# 9.2.10 Check for Presence of User .rhosts Files (Scored) - -# 9.2.11 Check Groups in /etc/passwd (Scored) - -# 9.2.12 Check That Users Are Assigned Home Directories (Scored) - -# 9.2.13 Check That Defined Home Directories Exist (Scored) - -# 9.2.14 Check User Home Directory Ownership (Scored) - -# 9.2.15 Check for Duplicate UIDs (Scored) - -# 9.2.16 Check for Duplicate GIDs (Scored) - -# 9.2.17 Check That Reserved UIDs Are Assigned to System Accounts - -# 9.2.18 Check for Duplicate User Names (Scored) - -# 9.2.19 Check for Duplicate Group Names (Scored) - -# 9.2.20 Check for Presence of User .netrc Files (Scored) - -# 9.2.21 Check for Presence of User .forward Files (Scored) - -# Other/Legacy Tests -[CIS - RHEL5 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/shadow -> r:^\w+::; - -[CIS - RHEL5 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -f:/etc/security/console.perms -> r:^ \d+ ; -f:/etc/security/console.perms -> r:^ \d+ ; - -[CIS - RHEL5 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dkudzu$; - -[CIS - RHEL5 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dpostgresql$; - -[CIS - RHEL5 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dmysqld$; - -[CIS - RHEL5 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dnamed$; - -[CIS - RHEL5 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf] -d:$rc_dirs -> ^S\d\dnetfs$; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt deleted file mode 100644 index b7f80d7..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt +++ /dev/null @@ -1,787 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - - -# CIS Checks for Red Hat / CentOS 6 -# Based on CIS Benchmark for Red Hat Enterprise Linux 6 v1.3.0 - -# RC scripts location -$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - - -[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 6; -f:/etc/redhat-release -> r:^CentOS && r:release 6; -f:/etc/redhat-release -> r:^Cloud && r:release 6; -f:/etc/redhat-release -> r:^Oracle && r:release 6; -f:/etc/redhat-release -> r:^Better && r:release 6; - -# 1.1.1 /tmp: partition -[CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:/tmp; - -# 1.1.2 /tmp: nodev -[CIS - RHEL6 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 1.1.3 /tmp: nosuid -[CIS - RHEL6 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid; - -# 1.1.4 /tmp: noexec -[CIS - RHEL6 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 1.1.5 Build considerations - Partition scheme. -[CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r^# && !r:/var; - -# 1.1.6 bind mount /var/tmp to /tmp -[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind; - -# 1.1.7 /var/log: partition -[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log; - -# 1.1.8 /var/log/audit: partition -[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log/audit; - -# 1.1.9 /home: partition -[CIS - RHEL6 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> ^# && !r:/home; - -# 1.1.10 /home: nodev -[CIS - RHEL6 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/home && !r:nodev; - -# 1.1.11 nodev on removable media partitions (not scored) -[CIS - RHEL6 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nodev; - -# 1.1.12 noexec on removable media partitions (not scored) -[CIS - RHEL6 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:noexec; - -# 1.1.13 nosuid on removable media partitions (not scored) -[CIS - RHEL6 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; - -# 1.1.14 /dev/shm: nodev -[CIS - RHEL6 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev; - -# 1.1.15 /dev/shm: nosuid -[CIS - RHEL6 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid; - -# 1.1.16 /dev/shm: noexec -[CIS - RHEL6 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec; - -# 1.1.17 sticky bit on world writable directories (Scored) -# TODO - -# 1.1.18 disable cramfs (not scored) - -# 1.1.19 disable freevxfs (not scored) - -# 1.1.20 disable jffs2 (not scored) - -# 1.1.21 disable hfs (not scored) - -# 1.1.22 disable hfsplus (not scored) - -# 1.1.23 disable squashfs (not scored) - -# 1.1.24 disable udf (not scored) - - -########################################## -# 1.2 Software Updates -########################################## - -# 1.2.1 Configure rhn updates (not scored) - -# 1.2.2 verify RPM gpg keys (Scored) -# TODO - -# 1.2.3 verify gpgcheck enabled (Scored) -# TODO - -# 1.2.4 Disable rhnsd (not scored) - -# 1.2.5 Obtain Software Package Updates with yum (Not Scored) - -# 1.2.6 Obtain updates with yum (not scored) - - -############################################### -# 1.3 Advanced Intrusion Detection Environment -############################################### -# -# Skipped, this control is obsoleted by OSSEC -# - -############################################### -# 1.4 Configure SELinux -############################################### - -# 1.4.1 enable selinux in /etc/grub.conf -[CIS - RHEL6 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/grub.conf -> !r:selinux=0; - -# 1.4.2 Set selinux state -[CIS - RHEL6 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/selinux/config -> r:SELINUX=enforcing; - -# 1.4.3 Set seliux policy -[CIS - RHEL6 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/selinux/config -> r:SELINUXTYPE=targeted; - -# 1.4.4 Remove SETroubleshoot -[CIS - RHEL6 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dsetroubleshoot$; - -# 1.4.5 Disable MCS Translation service mcstrans -[CIS - RHEL6 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dmctrans$; - -# 1.4.6 Check for unconfined daemons -# TODO - - -############################################### -# 1.5 Secure Boot Settings -############################################### - -# 1.5.1 Set User/Group Owner on /etc/grub.conf -# TODO (no mode tests) - -# 1.5.2 Set Permissions on /etc/grub.conf (Scored) -# TODO (no mode tests) - -# 1.5.3 Set Boot Loader Password (Scored) -[CIS - RHEL6 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/boot/grub/menu.lst -> !r:^# && !r:password; - -# 1.5.4 Require Authentication for Single-User Mode (Scored) -[CIS - RHEL6 - 1.5.4 - Authentication for single user mode not enabled {CIS: 1.5.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/inittab -> !r:^# && r:S:wait; - -# 1.5.5 Disable Interactive Boot (Scored) -[CIS - RHEL6 - 1.5.5 - Interactive Boot not disabled {CIS: 1.5.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no; - - -############################################### -# 1.6 Additional Process Hardening -############################################### - -# 1.6.1 Restrict Core Dumps (Scored) -[CIS - RHEL6 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0; - -# 1.6.2 Configure ExecShield (Scored) -[CIS - RHEL6 - 1.6.2 - ExecShield not enabled {CIS: 1.6.2 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/kernel/exec-shield -> 0; - -# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored) -[CIS - RHEL6 - 1.6.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 1.6.3 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/kernel/randomize_va_space -> 0; - - -############################################### -# 1.7 Use the Latest OS Release (Not Scored) -############################################### - - -############################################### -# 2 OS Services -############################################### - -############################################### -# 2.1 Remove Legacy Services -############################################### - -# 2.1.1 Remove telnet-server (Scored) -# TODO: detect it is installed at all -[CIS - RHEL6 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no; - - -# 2.1.2 Remove telnet Clients (Scored) -# TODO - -# 2.1.3 Remove rsh-server (Scored) -[CIS - RHEL6 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no; - -# 2.1.4 Remove rsh (Scored) -# TODO - -# 2.1.5 Remove NIS Client (Scored) -[CIS - RHEL6 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dypbind$; - -# 2.1.6 Remove NIS Server (Scored) -[CIS - RHEL6 - 2.1.6 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dypserv$; - -# 2.1.7 Remove tftp (Scored) -# TODO - -# 2.1.8 Remove tftp-server (Scored) -[CIS - RHEL6 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no; - -# 2.1.9 Remove talk (Scored) -# TODO - -# 2.1.10 Remove talk-server (Scored) -[CIS - RHEL6 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no; - -# 2.1.11 Remove xinetd (Scored) -# TODO - -# 2.1.12 Disable chargen-dgram (Scored) -# TODO - -# 2.1.13 Disable chargen-stream (Scored) -# TODO - -# 2.1.14 Disable daytime-dgram (Scored) -# TODO - -# 2.1.15 Disable daytime-stream (Scored) -# TODO - -# 2.1.16 Disable echo-dgram (Scored) -# TODO - -# 2.1.17 Disable echo-stream (Scored) -# TODO - -# 2.1.18 Disable tcpmux-server (Scored) -# TODO - - -############################################### -# 3 Special Purpose Services -############################################### - -# 3.1 Set Daemon umask (Scored) -[CIS - RHEL6 - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 RHEL6} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027; - -# 3.2 Remove X Windows (Scored) -[CIS - RHEL6 - 3.2 - X11 not disabled {CIS: 3.2 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/inittab -> !r:^# && r:id:5; - -# 3.3 Disable Avahi Server (Scored) -[CIS - RHEL6 - 3.2 - Avahi daemon not disabled {CIS: 3.3 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -p:avahi-daemon; - -# 3.4 Disable Print Server - CUPS (Not Scored) - -# 3.5 Remove DHCP Server (Not Scored) -# TODO - -# 3.6 Configure Network Time Protocol (NTP) (Scored) -#[CIS - RHEL6 - 3.6 - NTPD not disabled {CIS: 1.1.1 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -# TODO. - -# 3.7 Remove LDAP (Not Scored) - -# 3.8 Disable NFS and RPC (Not Scored) -[CIS - RHEL6 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dnfs$; -d:$rc_dirs -> ^S\d\dnfslock$; - -# 3.9 Remove DNS Server (Not Scored) -# TODO - -# 3.10 Remove FTP Server (Not Scored) -[CIS - RHEL6 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no; - -# 3.11 Remove HTTP Server (Not Scored) -[CIS - RHEL6 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dhttpd$; - -# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored) -[CIS - RHEL6 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no; - -[CIS - RHEL6 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no; - -# 3.13 Remove Samba (Not Scored) -[CIS - RHEL6 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dsamba$; -d:$rc_dirs -> ^S\d\dsmb$; - -# 3.14 Remove HTTP Proxy Server (Not Scored) -[CIS - RHEL6 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dsquid$; - -# 3.15 Remove SNMP Server (Not Scored) -[CIS - RHEL6 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dsnmpd$; - -# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored) -# TODO - - -############################################### -# 4 Network Configuration and Firewalls -############################################### - -############################################### -# 4.1 Modify Network Parameters (Host Only) -############################################### - -# 4.1.1 Disable IP Forwarding (Scored) -[CIS - RHEL6 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/ip_forward -> 1; -f:/proc/sys/net/ipv6/ip_forward -> 1; - -# 4.1.2 Disable Send Packet Redirects (Scored) -[CIS - RHEL6 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0; -f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0; - - -############################################### -# 4.2 Modify Network Parameters (Host and Router) -############################################### - -# 4.2.1 Disable Source Routed Packet Acceptance (Scored) -[CIS - RHEL6 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; - -# 4.2.2 Disable ICMP Redirect Acceptance (Scored) -#[CIS - RHEL6 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 1.1.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -#f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1; -#f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1; - -# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored) -[CIS - RHEL6 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1; - -# 4.2.4 Log Suspicious Packets (Scored) -[CIS - RHEL6 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/conf/all/log_martians -> 0; - -# 4.2.5 Enable Ignore Broadcast Requests (Scored) -[CIS - RHEL6 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; - -# 4.2.6 Enable Bad Error Message Protection (Scored) -[CIS - RHEL6 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0; - -# 4.2.7 Enable RFC-recommended Source Route Validation (Scored) -[CIS - RHEL6 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0; -f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0; - -# 4.2.8 Enable TCP SYN Cookies (Scored) -[CIS - RHEL6 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/proc/sys/net/ipv4/tcp_syncookies -> 0; - - -############################################### -# 4.3 Wireless Networking -############################################### - -# 4.3.1 Deactivate Wireless Interfaces (Not Scored) - - -############################################### -# 4.4 Disable ipv6 -############################################### - -############################################### -# 4.4.1 Configure IPv6 -############################################### - -# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored) - -# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored) - -# 4.4.2 Disable IPv6 (Not Scored) - - -############################################### -# 4.5 Install TCP Wrappers -############################################### - -# 4.5.1 Install TCP Wrappers (Not Scored) - -# 4.5.2 Create /etc/hosts.allow (Not Scored) - -# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored) -# TODO - -# 4.5.4 Create /etc/hosts.deny (Not Scored) - -# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored) -# TODO - - -############################################### -# 4.6 Uncommon Network Protocols -############################################### - -# 4.6.1 Disable DCCP (Not Scored) - -# 4.6.2 Disable SCTP (Not Scored) - -# 4.6.3 Disable RDS (Not Scored) - -# 4.6.4 Disable TIPC (Not Scored) - -# 4.7 Enable IPtables (Scored) -# TODO - -# 4.8 Enable IP6tables (Not Scored) - - -############################################### -# 5 Logging and Auditing -############################################### - -############################################### -# 5.1 Configure Syslog -############################################### - -# 5.1.1 Install the rsyslog package (Scored) -# TODO - -# 5.1.2 Activate the rsyslog Service (Scored) -# TODO - -# 5.1.3 Configure /etc/rsyslog.conf (Not Scored) - -# 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored) - -# 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored) - -# 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) - - -############################################### -# 5.2 Configure System Accounting (auditd) -############################################### - -############################################### -# 5.2.1 Configure Data Retention -############################################### - -# 5.2.1.1 Configure Audit Log Storage Size (Not Scored) - -# 5.2.1.2 Disable System on Audit Log Full (Not Scored) - -# 5.2.1.3 Keep All Auditing Information (Scored) - -# 5.2.2 Enable auditd Service (Scored) - -# 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored) - -# 5.2.4 Record Events That Modify Date and Time Information (Scored) - -# 5.2.5 Record Events That Modify User/Group Information (Scored) - -# 5.2.6 Record Events That Modify the System’s Network Environment (Scored) - -# 5.2.7 Record Events That Modify the System’s Mandatory Access Controls (Scored) - -# 5.2.8 Collect Login and Logout Events (Scored) - -# 5.2.9 Collect Session Initiation Information (Scored) - -# 5.2.10 Collect Discretionary Access Control Permission Modification Events (Scored) - -# 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored) - -# 5.2.12 Collect Use of Privileged Commands (Scored) - -# 5.2.13 Collect Successful File System Mounts (Scored) - -# 5.2.14 Collect File Deletion Events by User (Scored) - -# 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored) - -# 5.2.16 Collect System Administrator Actions (sudolog) (Scored) - -# 5.2.17 Collect Kernel Module Loading and Unloading (Scored) - -# 5.2.18 Make the Audit Configuration Immutable (Scored) - -# 5.3 Configure logrotate (Not Scored) - - -############################################### -# 6 System Access, Authentication and Authorization -############################################### - -############################################### -# 6.1 Configure cron and anacron -############################################### - -# 6.1.1 Enable anacron Daemon (Scored) - -# 6.1.2 Enable cron Daemon (Scored) - -# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored) - -# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored) - -# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored) - -# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored) - -# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored) - -# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored) - -# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored) - -# 6.1.10 Restrict at Daemon (Scored) - -# 6.1.11 Restrict at/cron to Authorized Users (Scored) - -############################################### -# 6.1 Configure SSH -############################################### - -# 6.2.1 Set SSH Protocol to 2 (Scored) -[CIS - RHEL6 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; - -# 6.2.2 Set LogLevel to INFO (Scored) - -# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored) - -# 6.2.4 Disable SSH X11 Forwarding (Scored) - -# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - -# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored) -[CIS - RHEL6 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; - -# 6.2.7 Set SSH HostbasedAuthentication to No (Scored) -[CIS - RHEL6 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; - -# 6.2.8 Disable SSH Root Login (Scored) -[CIS - RHEL6 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; - -# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored) -[CIS - RHEL6 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; - -# 6.2.10 Do Not Allow Users to Set Environment Options (Scored) - -# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored) - -# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored) - -# 6.2.13 Limit Access via SSH (Scored) - -# 6.2.14 Set SSH Banner (Scored) - - -############################################### -# 6.3 Configure PAM -############################################### - -# 6.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) - -# 6.3.2 Set Lockout for Failed Password Attempts (Not Scored) - -# 6.3.3 Use pam_deny.so to Deny Services (Not Scored) - -# 6.3.4 Upgrade Password Hashing Algorithm to SHA-512 (Scored) - -# 6.3.5 Limit Password Reuse (Scored) - -# 6.4 Restrict root Login to System Console (Not Scored) - -# 6.5 Restrict Access to the su Command (Scored) - - -############################################### -# 7 User Accounts and Environment -############################################### - -############################################### -# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs) -############################################### - -# 7.1.1 Set Password Expiration Days (Scored) - -# 7.1.2 Set Password Change Minimum Number of Days (Scored) - -# 7.1.3 Set Password Expiring Warning Days (Scored) - -# 7.2 Disable System Accounts (Scored) - -# 7.3 Set Default Group for root Account (Scored) - -# 7.4 Set Default umask for Users (Scored) - -# 7.5 Lock Inactive User Accounts (Scored) - - -############################################### -# 8 Warning Banners -############################################### - -############################################### -# 8.1 Warning Banners for Standard Login Services -############################################### - -# 8.1 Set Warning Banner for Standard Login Services (Scored) - -# 8.2 Remove OS Information from Login Warning Banners (Scored) - -# 8.3 Set GNOME Warning Banner (Not Scored) - - -############################################### -# 9 System Maintenance -############################################### - -############################################### -# 9.1 Verify System File Permissions -############################################### - -# 9.1.1 Verify System File Permissions (Not Scored) - -# 9.1.2 Verify Permissions on /etc/passwd (Scored) - -# 9.1.3 Verify Permissions on /etc/shadow (Scored) - -# 9.1.4 Verify Permissions on /etc/gshadow (Scored) - -# 9.1.5 Verify Permissions on /etc/group (Scored) - -# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored) - -# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored) - -# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored) - -# 9.1.9 Verify User/Group Ownership on /etc/group (Scored) - -# 9.1.10 Find World Writable Files (Not Scored) - -# 9.1.11 Find Un-owned Files and Directories (Scored) - -# 9.1.12 Find Un-grouped Files and Directories (Scored) - -# 9.1.13 Find SUID System Executables (Not Scored) - -# 9.1.14 Find SGID System Executables (Not Scored) - - -############################################### -# 9.2 Review User and Group Settings -############################################### - -# 9.2.1 Ensure Password Fields are Not Empty (Scored) - -# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored) - -# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored) - -# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored) - -# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) -[CIS - RHEL6 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL6} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - -# 9.2.6 Ensure root PATH Integrity (Scored) - -# 9.2.7 Check Permissions on User Home Directories (Scored) - -# 9.2.8 Check User Dot File Permissions (Scored) - -# 9.2.9 Check Permissions on User .netrc Files (Scored) - -# 9.2.10 Check for Presence of User .rhosts Files (Scored) - -# 9.2.11 Check Groups in /etc/passwd (Scored) - -# 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored) - -# 9.2.13 Check User Home Directory Ownership (Scored) - -# 9.2.14 Check for Duplicate UIDs (Scored) - -# 9.2.15 Check for Duplicate GIDs (Scored) - -# 9.2.16 Check for Duplicate User Names (Scored) - -# 9.2.17 Check for Duplicate Group Names (Scored) - -# 9.2.18 Check for Presence of User .netrc Files (Scored) - -# 9.2.19 Check for Presence of User .forward Files (Scored) - - -# Other/Legacy Tests -[CIS - RHEL6 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/shadow -> r:^\w+::; - -[CIS - RHEL6 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -f:/etc/security/console.perms -> r:^ \d+ ; -f:/etc/security/console.perms -> r:^ \d+ ; - -[CIS - RHEL6 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dkudzu$; - -[CIS - RHEL6 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dpostgresql$; - -[CIS - RHEL6 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dmysqld$; - -[CIS - RHEL6 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dnamed$; - -[CIS - RHEL6 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf] -d:$rc_dirs -> ^S\d\dnetfs$; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt deleted file mode 100644 index c2257e9..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt +++ /dev/null @@ -1,818 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - - -# CIS Checks for Red Hat / CentOS 7 -# Based on CIS Benchmark for Red Hat Enterprise Linux 7 v1.1.0 - -# Vars -$sshd_file=/etc/ssh/sshd_config; - -# RC scripts location -$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - - -[CIS - Testing against the CIS Red Hat Enterprise Linux 7 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7; -f:/etc/redhat-release -> r:^CentOS && r:release 7; -f:/etc/redhat-release -> r:^Cloud && r:release 7; -f:/etc/redhat-release -> r:^Oracle && r:release 7; -f:/etc/redhat-release -> r:^Better && r:release 7; -f:/etc/redhat-release -> r:^OpenVZ && r:release 7; - -# 1.1.1 /tmp: partition -[CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:/tmp; - -# 1.1.2 /tmp: nodev -[CIS - RHEL7 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 1.1.3 /tmp: nosuid -[CIS - RHEL7 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid; - -# 1.1.4 /tmp: noexec -[CIS - RHEL7 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:noexec; - -# 1.1.5 Build considerations - Partition scheme. -[CIS - RHEL7 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r^# && !r:/var; - -# 1.1.6 bind mount /var/tmp to /tmp -[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind; - -# 1.1.7 /var/log: partition -[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log; - -# 1.1.8 /var/log/audit: partition -[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log/audit; - -# 1.1.9 /home: partition -[CIS - RHEL7 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> ^# && !r:/home; - -# 1.1.10 /home: nodev -[CIS - RHEL7 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/home && !r:nodev; - -# 1.1.11 nodev on removable media partitions (not scored) -[CIS - RHEL7 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nodev; - -# 1.1.12 noexec on removable media partitions (not scored) -[CIS - RHEL7 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:noexec; - -# 1.1.13 nosuid on removable media partitions (not scored) -[CIS - RHEL7 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; - -# 1.1.14 /dev/shm: nodev -[CIS - RHEL7 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev; - -# 1.1.15 /dev/shm: nosuid -[CIS - RHEL7 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid; - -# 1.1.16 /dev/shm: noexec -[CIS - RHEL7 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec; - -# 1.1.17 sticky bit on world writable directories (Scored) -# TODO - -# 1.1.18 disable cramfs (not scored) - -# 1.1.19 disable freevxfs (not scored) - -# 1.1.20 disable jffs2 (not scored) - -# 1.1.21 disable hfs (not scored) - -# 1.1.22 disable hfsplus (not scored) - -# 1.1.23 disable squashfs (not scored) - -# 1.1.24 disable udf (not scored) - - -########################################## -# 1.2 Software Updates -########################################## - -# 1.2.1 Configure rhn updates (not scored) - -# 1.2.2 verify RPM gpg keys (Scored) -# TODO - -# 1.2.3 verify gpgcheck enabled (Scored) -# TODO - -# 1.2.4 Disable rhnsd (not scored) - -# 1.2.5 Obtain Software Package Updates with yum (Not Scored) - -# 1.2.6 Obtain updates with yum (not scored) - - -############################################### -# 1.3 Advanced Intrusion Detection Environment -############################################### -# -# Skipped, this control is obsoleted by OSSEC -# - -############################################### -# 1.4 Configure SELinux -############################################### - -# 1.4.1 enable selinux in /etc/grub.conf -[CIS - RHEL7 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/grub.conf -> r:selinux=0; -f:/etc/grub2.cfg -> r:selinux=0; - -# 1.4.2 Set selinux state -[CIS - RHEL7 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/selinux/config -> !r:SELINUX=enforcing; - -# 1.4.3 Set seliux policy -[CIS - RHEL7 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/selinux/config -> !r:SELINUXTYPE=targeted; - -# 1.4.4 Remove SETroubleshoot -[CIS - RHEL7 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dsetroubleshoot$; -f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert; - -# 1.4.5 Disable MCS Translation service mcstrans -[CIS - RHEL7 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dmctrans$; -f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd; - -# 1.4.6 Check for unconfined daemons -# TODO - - -############################################### -# 1.5 Secure Boot Settings -############################################### - -# 1.5.1 Set User/Group Owner on /etc/grub.conf -# TODO (no mode tests) -# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0" - -# 1.5.2 Set Permissions on /etc/grub.conf (Scored) -# TODO (no mode tests) -# stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00" - -# 1.5.3 Set Boot Loader Password (Scored) -[CIS - RHEL7 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/boot/grub2/grub.cfg -> !r:^# && !r:password; - - - -############################################### -# 1.6 Additional Process Hardening -############################################### - -# 1.6.1 Restrict Core Dumps (Scored) -[CIS - RHEL7 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0; - -# 1.6.1 Enable Randomized Virtual Memory Region Placement (Scored) -# Note this is also labeled 1.6.1 in the CIS benchmark. -[CIS - RHEL7 - 1.6.1 - Randomized Virtual Memory Region Placement not enabled {CIS: 1.6.3 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/kernel/randomize_va_space -> !r:^2$; - - -############################################### -# 1.7 Use the Latest OS Release (Not Scored) -############################################### - - -############################################### -# 2 OS Services -############################################### - -############################################### -# 2.1 Remove Legacy Services -############################################### - -# 2.1.1 Remove telnet-server (Scored) -# TODO: detect it is installed at all -[CIS - RHEL7 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no; -f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd; - - -# 2.1.2 Remove telnet Clients (Scored) -# TODO - -# 2.1.3 Remove rsh-server (Scored) -[CIS - RHEL7 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no; -# TODO (finish this) -f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart; -f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart; -f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart; - -# 2.1.4 Remove rsh (Scored) -# TODO - -# 2.1.5 Remove NIS Client (Scored) -[CIS - RHEL7 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dypbind$; -f:/usr/lib/systemd/system/ypbind.service -> r:Exec; - -# 2.1.6 Remove NIS Server (Scored) -[CIS - RHEL7 - 2.1.6 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dypserv$; -f:/usr/lib/systemd/system/ypserv.service -> r:Exec; - -# 2.1.7 Remove tftp (Scored) -# TODO - -# 2.1.8 Remove tftp-server (Scored) -[CIS - RHEL7 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no; -f:/usr/lib/systemd/system/tftp.service -> r:Exec; - -# 2.1.9 Remove talk (Scored) -# TODO - -# 2.1.10 Remove talk-server (Scored) -[CIS - RHEL7 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no; -f:/usr/lib/systemd/system/ntalk.service -> r:Exec; - -# 2.1.11 Remove xinetd (Scored) -[CIS - RHEL7 - 2.1.11 - xinetd detected {CIS: 2.1.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/usr/lib/systemd/system/xinetd.service -> r:Exec; - -# 2.1.12 Disable chargen-dgram (Scored) -[CIS - RHEL7 - 2.1.12 - chargen-dgram enabled on xinetd {CIS: 2.1.12 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no; - -# 2.1.13 Disable chargen-stream (Scored) -[CIS - RHEL7 - 2.1.13 - chargen-stream enabled on xinetd {CIS: 2.1.13 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no; - -# 2.1.14 Disable daytime-dgram (Scored) -[CIS - RHEL7 - 2.1.14 - daytime-dgram enabled on xinetd {CIS: 2.1.14 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no; - -# 2.1.15 Disable daytime-stream (Scored) -[CIS - RHEL7 - 2.1.15 - daytime-stream enabled on xinetd {CIS: 2.1.15 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no; - - -# 2.1.16 Disable echo-dgram (Scored) -[CIS - RHEL7 - 2.1.16 - echo-dgram enabled on xinetd {CIS: 2.1.16 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no; - -# 2.1.17 Disable echo-stream (Scored) -[CIS - RHEL7 - 2.1.17 - echo-stream enabled on xinetd {CIS: 2.1.17 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no; - -# 2.1.18 Disable tcpmux-server (Scored) -[CIS - RHEL7 - 2.1.18 - tcpmux-server enabled on xinetd {CIS: 2.1.18 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/tcpmux-server -> !r:^# && r:disable && r:no; - - -############################################### -# 3 Special Purpose Services -############################################### - -# 3.1 Set Daemon umask (Scored) -[CIS - RHEL7 - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 RHEL7} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/sysconfig/init -> !r:^# && r:^umask && <:umask 027; - -# 3.2 Remove X Windows (Scored) -[CIS - RHEL7 - 3.2 - X11 not disabled {CIS: 3.2 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/usr/lib/systemd/system/default.target -> r:Graphical; -p:gdm-x-session; - -# 3.3 Disable Avahi Server (Scored) -[CIS - RHEL7 - 3.2 - Avahi daemon not disabled {CIS: 3.3 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -p:avahi-daemon; - -# 3.4 Disable Print Server - CUPS (Not Scored) - -# 3.5 Remove DHCP Server (Scored) -[CIS - RHEL7 - 3.5 - DHCPnot disabled {CIS: 3.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/usr/lib/systemd/system/dhcpd.service -> r:Exec; - -# 3.6 Configure Network Time Protocol (NTP) (Scored) -[CIS - RHEL7 - 3.6 - NTPD not Configured {CIS: 3.6 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server; -f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"; - -# 3.7 Remove LDAP (Not Scored) - -# 3.8 Disable NFS and RPC (Not Scored) -[CIS - RHEL7 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dnfs$; -d:$rc_dirs -> ^S\d\dnfslock$; - -# 3.9 Remove DNS Server (Not Scored) -# TODO - -# 3.10 Remove FTP Server (Not Scored) -[CIS - RHEL7 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no; - -# 3.11 Remove HTTP Server (Not Scored) -[CIS - RHEL7 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dhttpd$; - -# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored) -[CIS - RHEL7 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no; - -[CIS - RHEL7 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no; - -# 3.13 Remove Samba (Not Scored) -[CIS - RHEL7 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dsamba$; -d:$rc_dirs -> ^S\d\dsmb$; - -# 3.14 Remove HTTP Proxy Server (Not Scored) -[CIS - RHEL7 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dsquid$; - -# 3.15 Remove SNMP Server (Not Scored) -[CIS - RHEL7 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dsnmpd$; - -# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored) -# TODO - - -############################################### -# 4 Network Configuration and Firewalls -############################################### - -############################################### -# 4.1 Modify Network Parameters (Host Only) -############################################### - -# 4.1.1 Disable IP Forwarding (Scored) -[CIS - RHEL7 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/ip_forward -> 1; -f:/proc/sys/net/ipv6/ip_forward -> 1; - -# 4.1.2 Disable Send Packet Redirects (Scored) -[CIS - RHEL7 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0; -f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0; - - -############################################### -# 4.2 Modify Network Parameters (Host and Router) -############################################### - -# 4.2.1 Disable Source Routed Packet Acceptance (Scored) -[CIS - RHEL7 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; - -# 4.2.2 Disable ICMP Redirect Acceptance (Scored) -[CIS - RHEL7 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 1.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1; - -# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored) -[CIS - RHEL7 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1; - -# 4.2.4 Log Suspicious Packets (Scored) -[CIS - RHEL7 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/log_martians -> 0; - -# 4.2.5 Enable Ignore Broadcast Requests (Scored) -[CIS - RHEL7 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; - -# 4.2.6 Enable Bad Error Message Protection (Scored) -[CIS - RHEL7 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0; - -# 4.2.7 Enable RFC-recommended Source Route Validation (Scored) -[CIS - RHEL7 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0; -f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0; - -# 4.2.8 Enable TCP SYN Cookies (Scored) -[CIS - RHEL7 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/tcp_syncookies -> 0; - - -############################################### -# 4.3 Wireless Networking -############################################### - -# 4.3.1 Deactivate Wireless Interfaces (Not Scored) - - -############################################### -# 4.4 Disable ipv6 -############################################### - -############################################### -# 4.4.1 Configure IPv6 -############################################### - -# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored) - -# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored) - -# 4.4.2 Disable IPv6 (Not Scored) - - -############################################### -# 4.5 Install TCP Wrappers -############################################### - -# 4.5.1 Install TCP Wrappers (Not Scored) - -# 4.5.2 Create /etc/hosts.allow (Not Scored) - -# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored) -# TODO - -# 4.5.4 Create /etc/hosts.deny (Not Scored) - -# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored) -# TODO - - -############################################### -# 4.6 Uncommon Network Protocols -############################################### - -# 4.6.1 Disable DCCP (Not Scored) - -# 4.6.2 Disable SCTP (Not Scored) - -# 4.6.3 Disable RDS (Not Scored) - -# 4.6.4 Disable TIPC (Not Scored) - -# 4.7 Enable IPtables (Scored) -#[CIS - RHEL7 - 4.7 - Uncommon Network Protocols - Firewalld not enabled {CIS: 4.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -#f:/usr/lib/systemd/system/firewalld.service -> TODO; - - -############################################### -# 5 Logging and Auditing -############################################### - -############################################### -# 5.1 Configure Syslog -############################################### - -# 5.1.1 Install the rsyslog package (Scored) -# TODO - -# 5.1.2 Activate the rsyslog Service (Scored) -# TODO - -# 5.1.3 Configure /etc/rsyslog.conf (Not Scored) - -# 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored) - -# 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored) - -# 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) - - -############################################### -# 5.2 Configure System Accounting (auditd) -############################################### - -############################################### -# 5.2.1 Configure Data Retention -############################################### - -# 5.2.1.1 Configure Audit Log Storage Size (Not Scored) - -# 5.2.1.2 Disable System on Audit Log Full (Not Scored) - -# 5.2.1.3 Keep All Auditing Information (Scored) - -# 5.2.2 Enable auditd Service (Scored) - -# 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored) - -# 5.2.4 Record Events That Modify Date and Time Information (Scored) - -# 5.2.5 Record Events That Modify User/Group Information (Scored) - -# 5.2.6 Record Events That Modify the System’s Network Environment (Scored) - -# 5.2.7 Record Events That Modify the System’s Mandatory Access Controls (Scored) - -# 5.2.8 Collect Login and Logout Events (Scored) - -# 5.2.9 Collect Session Initiation Information (Scored) - -# 5.2.10 Collect Discretionary Access Control Permission Modification Events (Scored) - -# 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored) - -# 5.2.12 Collect Use of Privileged Commands (Scored) - -# 5.2.13 Collect Successful File System Mounts (Scored) - -# 5.2.14 Collect File Deletion Events by User (Scored) - -# 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored) - -# 5.2.16 Collect System Administrator Actions (sudolog) (Scored) - -# 5.2.17 Collect Kernel Module Loading and Unloading (Scored) - -# 5.2.18 Make the Audit Configuration Immutable (Scored) - -# 5.3 Configure logrotate (Not Scored) - - -############################################### -# 6 System Access, Authentication and Authorization -############################################### - -############################################### -# 6.1 Configure cron and anacron -############################################### - -# 6.1.1 Enable anacron Daemon (Scored) - -# 6.1.2 Enable cron Daemon (Scored) - -# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored) - -# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored) - -# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored) - -# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored) - -# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored) - -# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored) - -# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored) - -# 6.1.10 Restrict at Daemon (Scored) - -# 6.1.11 Restrict at/cron to Authorized Users (Scored) - -############################################### -# 6.1 Configure SSH -############################################### - -# 6.2.1 Set SSH Protocol to 2 (Scored) -[CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; - -# 6.2.2 Set LogLevel to INFO (Scored) -[CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO; - -# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored) -# TODO - -# 6.2.4 Disable SSH X11 Forwarding (Scored) -# TODO - -# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) -[ CIS - RHEL7 - 6.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - RHEL7 - 6.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$; -f:$sshd_file -> r:^#\s*MaxAuthTries; -f:$sshd_file -> !r:MaxAuthTries; - -# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored) -[CIS - RHEL7 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; - -# 6.2.7 Set SSH HostbasedAuthentication to No (Scored) -[CIS - RHEL7 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; - -# 6.2.8 Disable SSH Root Login (Scored) -[CIS - RHEL7 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; -f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin; - -# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored) -[CIS - RHEL7 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; -f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords; - -# 6.2.10 Do Not Allow Users to Set Environment Options (Scored) - -# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored) - -# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored) - -# 6.2.13 Limit Access via SSH (Scored) - -# 6.2.14 Set SSH Banner (Scored) - - -############################################### -# 6.3 Configure PAM -############################################### - -# 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored) -# authconfig --test | grep hashing | grep sha512 - -# 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) - -# 6.3.3 Set Lockout for Failed Password Attempts (Not Scored) - -# 6.3.4 Limit Password Reuse (Scored) - - -# 6.4 Restrict root Login to System Console (Not Scored) - -# 6.5 Restrict Access to the su Command (Scored) - - -############################################### -# 7 User Accounts and Environment -############################################### - -############################################### -# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs) -############################################### - -# 7.1.1 Set Password Expiration Days (Scored) - -# 7.1.2 Set Password Change Minimum Number of Days (Scored) - -# 7.1.3 Set Password Expiring Warning Days (Scored) - -# 7.2 Disable System Accounts (Scored) - -# 7.3 Set Default Group for root Account (Scored) - -# 7.4 Set Default umask for Users (Scored) - -# 7.5 Lock Inactive User Accounts (Scored) - - -############################################### -# 8 Warning Banners -############################################### - -############################################### -# 8.1 Warning Banners for Standard Login Services -############################################### - -# 8.1 Set Warning Banner for Standard Login Services (Scored) - -# 8.2 Remove OS Information from Login Warning Banners (Scored) - -# 8.3 Set GNOME Warning Banner (Not Scored) - - -############################################### -# 9 System Maintenance -############################################### - -############################################### -# 9.1 Verify System File Permissions -############################################### - -# 9.1.1 Verify System File Permissions (Not Scored) - -# 9.1.2 Verify Permissions on /etc/passwd (Scored) - -# 9.1.3 Verify Permissions on /etc/shadow (Scored) - -# 9.1.4 Verify Permissions on /etc/gshadow (Scored) - -# 9.1.5 Verify Permissions on /etc/group (Scored) - -# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored) - -# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored) - -# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored) - -# 9.1.9 Verify User/Group Ownership on /etc/group (Scored) - -# 9.1.10 Find World Writable Files (Not Scored) - -# 9.1.11 Find Un-owned Files and Directories (Scored) - -# 9.1.12 Find Un-grouped Files and Directories (Scored) - -# 9.1.13 Find SUID System Executables (Not Scored) - -# 9.1.14 Find SGID System Executables (Not Scored) - - -############################################### -# 9.2 Review User and Group Settings -############################################### - -# 9.2.1 Ensure Password Fields are Not Empty (Scored) - -# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored) - -# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored) - -# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored) - -# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) -[CIS - RHEL7 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL7} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - -# 9.2.6 Ensure root PATH Integrity (Scored) - -# 9.2.7 Check Permissions on User Home Directories (Scored) - -# 9.2.8 Check User Dot File Permissions (Scored) - -# 9.2.9 Check Permissions on User .netrc Files (Scored) - -# 9.2.10 Check for Presence of User .rhosts Files (Scored) - -# 9.2.11 Check Groups in /etc/passwd (Scored) - -# 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored) - -# 9.2.13 Check User Home Directory Ownership (Scored) - -# 9.2.14 Check for Duplicate UIDs (Scored) - -# 9.2.15 Check for Duplicate GIDs (Scored) - -# 9.2.16 Check That Reserved UIDs Are Assigned to System Accounts (Scored) - -# 9.2.17 Check for Duplicate User Names (Scored) - -# 9.2.18 Check for Duplicate Group Names (Scored) - -# 9.2.19 Check for Presence of User .netrc Files (Scored) - -# 9.2.20 Check for Presence of User .forward Files (Scored) - - -# Other/Legacy Tests -[CIS - RHEL7 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/shadow -> r:^\w+::; - -[CIS - RHEL7 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -f:/etc/security/console.perms -> r:^ \d+ ; -f:/etc/security/console.perms -> r:^ \d+ ; - -[CIS - RHEL7 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dkudzu$; - -[CIS - RHEL7 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dpostgresql$; - -[CIS - RHEL7 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dmysqld$; - -[CIS - RHEL7 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dnamed$; - -[CIS - RHEL7 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dnetfs$; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel_linux_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_rhel_linux_rcl.txt deleted file mode 100644 index 7b03ad2..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_rhel_linux_rcl.txt +++ /dev/null @@ -1,281 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - - -# CIS Checks for Red Hat (RHEL 2.1, 3.0, 4.0 and Fedora Core 1,2,3,4 and 5). -# Based on CIS Benchmark for Red Hat Enterprise Linux v1.0.5 - - - -# RC scripts location -$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - - - -# Main one. Only valid for Red Hat/Fedora. -[CIS - Testing against the CIS Red Hat Enterprise Linux Benchmark v1.0.5] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 4; -f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 3; -f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 2.1; -f:/etc/fedora-release -> r:^Fedora && r:release 1; -f:/etc/fedora-release -> r:^Fedora && r:release 2; -f:/etc/fedora-release -> r:^Fedora && r:release 3; -f:/etc/fedora-release -> r:^Fedora && r:release 4; -f:/etc/fedora-release -> r:^Fedora && r:release 5; - - -# Build considerations - Partition scheme. -[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /var is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:/var; - -[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /home is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:/home; - - -# Section 1.3 - SSH configuration -[CIS - Red Hat Linux - 1.3 - SSH Configuration - Protocol version 1 enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; - -[CIS - Red Hat Linux - 1.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; - -[CIS - Red Hat Linux - 1.3 - SSH Configuration - Empty passwords permitted {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; - -[CIS - Red Hat Linux - 1.3 - SSH Configuration - Host based authentication enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; - -[CIS - Red Hat Linux - 1.3 - SSH Configuration - Root login allowed {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; - - -# Section 1.4 Enable system accounting -#[CIS - Red Hat Linux - 1.4 - System Accounting - Sysstat not installed] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -#f:!/var/log/sa; - - -# Section 2.5 Install and run Bastille -#[CIS - Red Hat Linux - 1.5 - System harderning - Bastille is not installed] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -#f:!/etc/Bastille; - - -# Section 2 - Minimize xinetd services -[CIS - Red Hat Linux - 2.3 - Telnet enabled on xinetd {CIS: 2.3 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/xinetd.c/telnet -> !r:^# && r:disable && r:no; - -[CIS - Red Hat Linux - 2.4 - VSFTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/xinetd.c/vsftpd -> !r:^# && r:disable && r:no; - -[CIS - Red Hat Linux - 2.4 - WU-FTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/xinetd.c/wu-ftpd -> !r:^# && r:disable && r:no; - -[CIS - Red Hat Linux - 2.5 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.5 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/xinetd.c/rlogin -> !r:^# && r:disable && r:no; -f:/etc/xinetd.c/rsh -> !r:^# && r:disable && r:no; -f:/etc/xinetd.c/shell -> !r:^# && r:disable && r:no; - -[CIS - Red Hat Linux - 2.6 - tftpd enabled on xinetd {CIS: 2.6 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/xinetd.c/tftpd -> !r:^# && r:disable && r:no; - -[CIS - Red Hat Linux - 2.7 - imap enabled on xinetd {CIS: 2.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/xinetd.c/imap -> !r:^# && r:disable && r:no; -f:/etc/xinetd.c/imaps -> !r:^# && r:disable && r:no; - -[CIS - Red Hat Linux - 2.8 - pop3 enabled on xinetd {CIS: 2.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/xinetd.c/ipop3 -> !r:^# && r:disable && r:no; -f:/etc/xinetd.c/pop3s -> !r:^# && r:disable && r:no; - - -# Section 3 - Minimize boot services -[CIS - Red Hat Linux - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 Red Hat Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/init.d/functions -> !r:^# && r:^umask && >:umask 027; - -[CIS - Red Hat Linux - 3.4 - GUI login enabled {CIS: 3.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/inittab -> !r:^# && r:id:5; - -[CIS - Red Hat Linux - 3.7 - Disable standard boot services - Samba Enabled {CIS: 3.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dsamba$; -d:$rc_dirs -> ^S\d\dsmb$; - -[CIS - Red Hat Linux - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dnfs$; -d:$rc_dirs -> ^S\d\dnfslock$; - -[CIS - Red Hat Linux - 3.10 - Disable standard boot services - NIS Enabled {CIS: 3.10 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dypbind$; -d:$rc_dirs -> ^S\d\dypserv$; - -[CIS - Red Hat Linux - 3.13 - Disable standard boot services - NetFS Enabled {CIS: 3.13 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dnetfs$; - -[CIS - Red Hat Linux - 3.15 - Disable standard boot services - Apache web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dapache$; -d:$rc_dirs -> ^S\d\dhttpd$; - -[CIS - Red Hat Linux - 3.15 - Disable standard boot services - TUX web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dtux$; - -[CIS - Red Hat Linux - 3.16 - Disable standard boot services - SNMPD process Enabled {CIS: 3.16 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dsnmpd$; - -[CIS - Red Hat Linux - 3.17 - Disable standard boot services - DNS server Enabled {CIS: 3.17 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dnamed$; - -[CIS - Red Hat Linux - 3.18 - Disable standard boot services - MySQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dmysqld$; - -[CIS - Red Hat Linux - 3.18 - Disable standard boot services - PostgreSQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dpostgresql$; - -[CIS - Red Hat Linux - 3.19 - Disable standard boot services - Webmin Enabled {CIS: 3.19 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dwebmin$; - -[CIS - Red Hat Linux - 3.20 - Disable standard boot services - Squid Enabled {CIS: 3.20 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dsquid$; - -[CIS - Red Hat Linux - 3.21 - Disable standard boot services - Kudzu hardware detection Enabled {CIS: 3.21 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -d:$rc_dirs -> ^S\d\dkudzu$; - - -# Section 4 - Kernel tuning -[CIS - Red Hat Linux - 4.1 - Network parameters - Source routing accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; - -[CIS - Red Hat Linux - 4.1 - Network parameters - ICMP broadcasts accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; - -[CIS - Red Hat Linux - 4.2 - Network parameters - IP Forwarding enabled {CIS: 4.2 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/proc/sys/net/ipv4/ip_forward -> 1; -f:/proc/sys/net/ipv6/ip_forward -> 1; - - -# Section 6 - Permissions -[CIS - Red Hat Linux - 6.1 - Partition /var without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev; - -[CIS - Red Hat Linux - 6.1 - Partition /tmp without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev; - -[CIS - Red Hat Linux - 6.1 - Partition /opt without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev; - -[CIS - Red Hat Linux - 6.1 - Partition /home without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ; - -[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nodev' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nodev; - -[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nosuid' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; - -[CIS - Red Hat Linux - 6.3 - User-mounted removable partition allowed on the console {CIS: 6.3 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/security/console.perms -> r:^ \d+ ; -f:/etc/security/console.perms -> r:^ \d+ ; - - -# Section 7 - Access and authentication -[CIS - Red Hat Linux - 7.8 - LILO Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/lilo.conf -> !r:^# && !r:restricted; -f:/etc/lilo.conf -> !r:^# && !r:password=; - -[CIS - Red Hat Linux - 7.8 - GRUB Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/boot/grub/menu.lst -> !r:^# && !r:password; - -[CIS - Red Hat Linux - 8.2 - Account with empty password present {CIS: 8.2 Red Hat Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/shadow -> r:^\w+::; - -[CIS - Red Hat Linux - SN.11 - Non-root account with uid 0 {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - - -# Tests specific for VMware ESX - Runs on Red Hat Linux - -# Will not be tested anywhere else. -[VMware ESX - Testing against the Security Harderning benchmark VI3 for ESX 3.5] [any required] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -f:/etc/vmware-release -> r:^VMware ESX; - - -# Virtual Machine Files and Settings - 1 -# 1.1 -[VMware ESX - VM settings - Copy operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.copy.disable; -d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.copy.disable && r:false; - -# 1.2 -[VMware ESX - VM settings - Paste operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.paste.disable; -d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.paste.disable && r:false; - -# 1.3 -[VMware ESX - VM settings - GUI Options enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setGUIOptions.enable && r:true; - -# 1.4 -[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Rotate size not 100KB] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^log.rotateSize; -d:/vmfs/volumes -> .vmx$ -> r:^log.rotateSize && !r:"100000"; - -# 1.5 -[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Maximum number of logs not 10] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^log.keepOld; -d:/vmfs/volumes -> .vmx$ -> r:^log.keepOld && r:"10"; - -# 1.6 -[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Guests allowed to write SetInfo data to config] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.setinfo.disable; -d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setinfo.disable && r:false; - -# 1.7 -[VMware ESX - VM settings - Nonpersistent Disks being used] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> r:^scsi\d:\d.mode && r:!independent-nonpersistent; - -# 1.8 -[VMware ESX - VM settings - Floppy drive present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> r:^floppy\d+.present && r:!false; - -[VMware ESX - VM settings - Serial port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> r:^serial\d+.present && r:!false; - -[VMware ESX - VM settings - Parallel port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> r:^parallel\d+.present && r:!false; - -# 1.9 -[VMware ESX - VM settings - Unauthorized Removal or Connection of Devices allowed] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^Isolation.tools.connectable.disable; -d:/vmfs/volumes -> .vmx$ -> r:^Isolation.tools.connectable.disable && r:false; - -# 1.10 -[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskWiper enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskWiper.disable; -d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskWiper.disable && r:false; - -[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskShrink enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] -d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskShrink.disable; -d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskShrink.disable && r:false; - - -# Configuring the Service Console in ESX 3.5 - 2 -# 2.1 diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_sles11_linux_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_sles11_linux_rcl.txt deleted file mode 100644 index 7b85d18..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_sles11_linux_rcl.txt +++ /dev/null @@ -1,728 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - - -# CIS Checks for SUSE SLES 11 -# Based on CIS Benchmark for SUSE Linux Enterprise Server 11 v1.1.0 - -# RC scripts location -$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - - -[CIS - Testing against the CIS SUSE Linux Enterprise Server 11 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP1"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP2"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP3"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"; - -# 2.1 /tmp: partition -[CIS - SLES11 - 2.1 - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 2.2 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:/tmp; - -# 2.2 /tmp: nodev -[CIS - SLES11 - 2.2 - Partition /tmp without 'nodev' set {CIS: 2.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 2.3 /tmp: nosuid -[CIS - SLES11 - 2.3 - Partition /tmp without 'nosuid' set {CIS: 2.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid; - -# 2.4 /tmp: noexec -[CIS - SLES11 - 2.4 - Partition /tmp without 'noexec' set {CIS: 2.4 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 2.5 Build considerations - Partition scheme. -[CIS - SLES11 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 2.5 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r^# && !r:/var; - -# 2.6 bind mount /var/tmp to /tmp -[CIS - SLES11 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 2.6 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind; - -# 2.7 /var/log: partition -[CIS - SLES11 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 2.7 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log; - -# 2.8 /var/log/audit: partition -[CIS - SLES11 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 2.8 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log/audit; - -# 2.9 /home: partition -[CIS - SLES11 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 2.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> ^# && !r:/home; - -# 2.10 /home: nodev -[CIS - SLES11 - 2.10 - Partition /home without 'nodev' set {CIS: 2.10 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/home && !r:nodev; - -# 2.11 nodev on removable media partitions (not scored) -[CIS - SLES11 - 2.11 - Removable partition /media without 'nodev' set {CIS: 2.11 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nodev; - -# 2.12 noexec on removable media partitions (not scored) -[CIS - SLES11 - 2.12 - Removable partition /media without 'noexec' set {CIS: 2.12 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:noexec; - -# 2.13 nosuid on removable media partitions (not scored) -[CIS - SLES11 - 2.13 - Removable partition /media without 'nosuid' set {CIS: 2.13 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; - -# 2.14 /dev/shm: nodev -[CIS - SLES11 - 2.14 - /dev/shm without 'nodev' set {CIS: 2.14 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev; - -# 2.15 /dev/shm: nosuid -[CIS - SLES11 - 2.15 - /dev/shm without 'nosuid' set {CIS: 2.15 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid; - -# 2.16 /dev/shm: noexec -[CIS - SLES11 - 2.16 - /dev/shm without 'noexec' set {CIS: 2.16 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec; - -# 2.17 sticky bit on world writable directories (Scored) -# TODO - -# 2.18 disable cramfs (not scored) - -# 2.19 disable freevxfs (not scored) - -# 2.20 disable jffs2 (not scored) - -# 2.21 disable hfs (not scored) - -# 2.22 disable hfsplus (not scored) - -# 2.23 disable squashfs (not scored) - -# 2.24 disable udf (not scored) - -# 2.25 disable automounting (Scored) -# TODO - -############################################### -# 3 Secure Boot Settings -############################################### - -# 3.1 Set User/Group Owner on /etc/grub.conf -# TODO (no mode tests) -# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0" - -# 3.2 Set Permissions on /etc/grub.conf (Scored) -# TODO (no mode tests) -# stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00" - -# 3.3 Set Boot Loader Password (Scored) -[CIS - SLES11 - 3.3 - GRUB Password not set {CIS: 3.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/boot/grub2/grub.cfg -> !r:^# && !r:password; - -# 3.4 Require Authentication for Single-User Mode (Scored) - -# 3.5 Disable Interactive Boot (Scored) - -############################################### -# 4 Additional Process Hardening -############################################### - -# 4.1 Restrict Core Dumps (Scored) -[CIS - SLES11 - 4.1 - Interactive Boot not disabled {CIS: 4.1 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0; - -# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored) -# TODO - -# 4.3 Enable Randomized Virtual Memory Region Placement (Scored) -[CIS - SLES11 - 4.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 4.3 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/kernel/randomize_va_space -> 2; - -# 4.4 Disable Prelink (Scored) -# TODO - -# 4.5 Activate AppArmor (Scored) -# TODO - -############################################### -# 5 OS Services -############################################### - -############################################### -# 5.1 Remove Legacy Services -############################################### - -# 5.1.1 Remove NIS Server (Scored) -[CIS - SLES11 - 5.1.1 - Disable standard boot services - NIS (server) Enabled {CIS: 5.1.1 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dypserv$; - -# 5.1.2 Remove NIS Client (Scored) -[CIS - SLES11 - 5.1.2 - Disable standard boot services - NIS (client) Enabled {CIS: 51.2 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dypbind$; - -# 5.1.3 Remove rsh-server (Scored) -[CIS - SLES11 - 5.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 5.1.3 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no; - -# 5.1.4 Remove rsh client (Scored) -# TODO - -# 5.1.5 Remove talk-server (Scored) -[CIS - SLES11 - 5.1.5 - talk enabled on xinetd {CIS: 5.1.5 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no; - -# 5.1.6 Remove talk client (Scored) -# TODO - -# 5.1.7 Remove telnet-server (Scored) -# TODO: detect it is installed at all -[CIS - SLES11 - 5.1.7 - Telnet enabled on xinetd {CIS: 5.1.7 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no; - -# 5.1.8 Remove tftp-server (Scored) -[CIS - SLES11 - 5.1.8 - tftpd enabled on xinetd {CIS: 5.1.8 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no; - -# 5.1.9 Remove xinetd (Scored) -[CIS - SLES11 - 5.1.9 - xinetd detected {CIS: 5.1.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] - -# 5.2 Disable chargen-udp (Scored) -[CIS - SLES11 - 5.2 - chargen-udp enabled on xinetd {CIS: 5.2 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no; - -# 5.3 Disable chargen (Scored) -[CIS - SLES11 - 5.3 - chargen enabled on xinetd {CIS: 5.3 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no; - -# 5.4 Disable daytime-udp (Scored) -[CIS - SLES11 - 5.4 - daytime-udp enabled on xinetd {CIS: 5.4 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no; - -# 5.5 Disable daytime (Scored) -[CIS - SLES11 - 5.5 - daytime enabled on xinetd {CIS: 5.5 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no; - - -# 5.6 Disable echo-udp (Scored) -[CIS - SLES11 - 5.6 - echo-udp enabled on xinetd {CIS: 5.6 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no; - -# 5.7 Disable echo (Scored) -[CIS - SLES11 - 5.7 - echo enabled on xinetd {CIS: 5.7 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no; - -# 5.8 Disable discard-udp (Scored) -[CIS - SLES11 - 5.8 - discard-udp enabled on xinetd {CIS: 5.8 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no; - -# 5.9 Disable discard (Scored) -[CIS - SLES11 - 5.9 - discard enabled on xinetd {CIS: 5.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no; - -# 5.10 Disable time-udp (Scored) -[CIS - SLES11 - 5.10 - time-udp enabled on xinetd {CIS: 5.10 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no; - -# 5.11 Disable time (Scored) -[CIS - SLES11 - 5.11 - time enabled on xinetd {CIS: 5.11 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no; - -############################################### -# 6 Special Purpose Services -############################################### - -# 6.1 Remove X Windows (Scored) -[CIS - SLES11 - 6.1 - X11 not disabled {CIS: 6.1 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/inittab -> !r:^# && r:id:5; - -# 6.2 Disable Avahi Server (Scored) -[CIS - SLES11 - 6.2 - Avahi daemon not disabled {CIS: 6.2 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -p:avahi-daemon; - -# 6.3 Disable Print Server - CUPS (Not Scored) -#TODO - -# 6.4 Remove DHCP Server (Scored) -#[CIS - SLES11 - 6.4 - DHCPnot disabled {CIS: 6.4 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dhcpd$; -d:$rc_dirs -> ^S\d\dhcpd6$; - -# 6.5 Configure Network Time Protocol (NTP) (Scored) -#TODO Chrony -[CIS - SLES11 - 6.5 - NTPD not Configured {CIS: 6.5 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server; -f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"; - -# 6.6 Remove LDAP (Not Scored) -#TODO - -# 6.7 Disable NFS and RPC (Not Scored) -[CIS - SLES11 - 6.7 - Disable standard boot services - NFS Enabled {CIS: 6.7 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dnfs$; -d:$rc_dirs -> ^S\d\dnfslock$; - -# 6.8 Remove DNS Server (Not Scored) -# TODO - -# 6.9 Remove FTP Server (Not Scored) -[CIS - SLES11 - 6.9 - VSFTP enabled on xinetd {CIS: 6.9 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no; - -# 6.10 Remove HTTP Server (Not Scored) -[CIS - SLES11 - 6.10 - Disable standard boot services - Apache web server Enabled {CIS: 6.10 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dapache2$; - -# 6.11 Remove Dovecot (IMAP and POP3 services) (Not Scored) -[CIS - SLES11 - 6.11 - imap enabled on xinetd {CIS: 6.11 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no; - -[CIS - SLES11 - 6.11 - pop3 enabled on xinetd {CIS: 6.11 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no; - -# 6.12 Remove Samba (Not Scored) -[CIS - SLES11 - 6.12 - Disable standard boot services - Samba Enabled {CIS: 6.12 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dsamba$; -d:$rc_dirs -> ^S\d\dsmb$; - -# 6.13 Remove HTTP Proxy Server (Not Scored) -[CIS - SLES11 - 6.13 - Disable standard boot services - Squid Enabled {CIS: 6.13 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dsquid$; - -# 6.14 Remove SNMP Server (Not Scored) -[CIS - SLES11 - 6.14 - Disable standard boot services - SNMPD process Enabled {CIS: 6.14 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dsnmpd$; - -# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored) -# TODO - -# 6.16 Ensure rsync service is not enabled (Scored) -[CIS - SLES11 - 6.16 - Disable standard boot services - rsyncd process Enabled {CIS: 6.16 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\drsyncd$; - -# 6.17 Ensure Biosdevname is not enabled (Scored) -# TODO - -############################################### -# 7 Network Configuration and Firewalls -############################################### - -############################################### -# 7.1 Modify Network Parameters (Host Only) -############################################### - -# 7.1.1 Disable IP Forwarding (Scored) -[CIS - SLES11 - 7.1.1 - Network parameters - IP Forwarding enabled {CIS: 7.1.1 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/ip_forward -> 1; -f:/proc/sys/net/ipv6/ip_forward -> 1; - -# 7.1.2 Disable Send Packet Redirects (Scored) -[CIS - SLES11 - 7.1.2 - Network parameters - IP send redirects enabled {CIS: 7.1.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0; -f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0; - -############################################### -# 7.2 Modify Network Parameters (Host and Router) -############################################### - -# 7.2.1 Disable Source Routed Packet Acceptance (Scored) -[CIS - SLES11 - 7.2.1 - Network parameters - Source routing accepted {CIS: 7.2.1 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; - -# 7.2.2 Disable ICMP Redirect Acceptance (Scored) -[CIS - SLES11 - 7.2.2 - Network parameters - ICMP redirects accepted {CIS: 7.2.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1; - -# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored) -[CIS - SLES11 - 7.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 7.2.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1; - -# 7.2.4 Log Suspicious Packets (Scored) -[CIS - SLES11 - 7.2.4 - Network parameters - martians not logged {CIS: 7.2.4 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/log_martians -> 0; - -# 7.2.5 Enable Ignore Broadcast Requests (Scored) -[CIS - SLES11 - 7.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 7.2.5 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; - -# 7.2.6 Enable Bad Error Message Protection (Scored) -[CIS - SLES11 - 7.2.6 - Network parameters - Bad error message protection not enabled {CIS: 7.2.6 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0; - -# 7.2.7 Enable RFC-recommended Source Route Validation (Scored) -[CIS - SLES11 - 7.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 7.2.7 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0; -f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0; - -# 7.2.8 Enable TCP SYN Cookies (Scored) -[CIS - SLES11 - 7.2.8 - Network parameters - SYN Cookies not enabled {CIS: 7.2.8 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/proc/sys/net/ipv4/tcp_syncookies -> 0; - -############################################### -# 7.3 Configure IPv6 -############################################### - -# 7.3.1 Disable IPv6 Router Advertisements (Not Scored) - -# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored) - -# 7.3.3 Disable IPv6 (Not Scored) - -############################################### -# 7.4 Install TCP Wrappers -############################################### - -# 7.4.1 Install TCP Wrappers (Not Scored) - -# 7.4.2 Create /etc/hosts.allow (Not Scored) - -# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored) -# TODO - -# 7.4.4 Create /etc/hosts.deny (Not Scored) - -# 7.5.5 Verify Permissions on /etc/hosts.deny (Scored) -# TODO - -############################################### -# 7.5 Uncommon Network Protocols -############################################### - -# 7.5.1 Disable DCCP (Not Scored) - -# 7.5.2 Disable SCTP (Not Scored) - -# 7.5.3 Disable RDS (Not Scored) - -# 7.5.4 Disable TIPC (Not Scored) - -# 7.6 Deactivate Wireless Interfaces (Not Scored) - -# 7.7 Enable SuSEfirewall2 (Scored) - -# 7.8 Limit access to trusted networks (Not Scored) - -############################################### -# 8 Logging and Auditing -############################################### - -############################################### -# 8.1 Configure System Accounting (auditd) -############################################### - -############################################### -# 8.1.1 Configure Data Retention -############################################### - -# 8.1.1.1 Configure Audit Log Storage Size (Not Scored) - -# 8.1.1.2 Disable System on Audit Log Full (Not Scored) - -# 8.1.1.3 Keep All Auditing Information (Scored) - -# 8.1.2 Enable auditd Service (Scored) - -# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored) - -# 8.1.4 Record Events That Modify Date and Time Information (Scored) - -# 8.1.5 Record Events That Modify User/Group Information (Scored) - -# 8.1.6 Record Events That Modify the System’s Network Environment (Scored) - -# 8.1.7 Record Events That Modify the System’s Mandatory Access Controls (Scored) - -# 8.1.8 Collect Login and Logout Events (Scored) - -# 8.1.9 Collect Session Initiation Information (Scored) - -# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored) - -# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored) - -# 8.1.12 Collect Use of Privileged Commands (Scored) - -# 8.1.13 Collect Successful File System Mounts (Scored) - -# 8.1.14 Collect File Deletion Events by User (Scored) - -# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored) - -# 8.1.16 Collect System Administrator Actions (sudolog) (Scored) - -# 8.1.17 Collect Kernel Module Loading and Unloading (Scored) - -# 8.1.18 Make the Audit Configuration Immutable (Scored) - -############################################### -# 8.2 Configure rsyslog -############################################### - -# 8.2.1 Install the rsyslog package (Scored) -# TODO - -# 8.2.2 Activate the rsyslog Service (Scored) -# TODO - -# 8.2.3 Configure /etc/rsyslog.conf (Not Scored) - -# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored) - -# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored) - -# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) - -############################################### -# 8.3 Advanced Intrusion Detection Environment (AIDE) -############################################### - -# 8.3.1 Install AIDE (Scored) - -# 8.3.2 Implement Periodic Execution of File Integrity (Scored) - -# 8.4 Configure logrotate (Not Scored) - -############################################### -# 9 System Access, Authentication and Authorization -############################################### - -############################################### -# 9.1 Configure cron and anacron -############################################### - -# 9.1.1 Enable cron Daemon (Scored) - -# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored) - -# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored) - -# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored) - -# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored) - -# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored) - -# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored) - -# 9.1.8 Restrict at/cron to Authorized Users (Scored) - -############################################### -# 9.2 Configure SSH -############################################### - -# 9.2.1 Set SSH Protocol to 2 (Scored) -[CIS - SLES11 - 9.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 9.2.1 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; - -# 9.2.2 Set LogLevel to INFO (Scored) -[CIS - SLES11 - 9.2.1 - SSH Configuration - Loglevel not INFO {CIS: 9.2.1 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO; - -# 9.2.3 Set Permissions on /etc/ssh/sshd_config (Scored) -# TODO - -# 9.2.4 Disable SSH X11 Forwarding (Scored) -# TODO - -# 9.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) -[ CIS - SLES11 - 9.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - SLES11 - 9.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries && !r:3\s*$; -f:/etc/ssh/sshd_config -> r:^#\s*MaxAuthTries; -f:/etc/ssh/sshd_config -> !r:MaxAuthTries; - -# 9.2.6 Set SSH IgnoreRhosts to Yes (Scored) -[CIS - SLES11 - 9.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 9.2.6 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; - -# 9.2.7 Set SSH HostbasedAuthentication to No (Scored) -[CIS - SLES11 - 9.2.7 - SSH Configuration - Host based authentication enabled {CIS: 9.2.7 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; - -# 9.2.8 Disable SSH Root Login (Scored) -[CIS - SLES11 - 9.2.8 - SSH Configuration - Root login allowed {CIS: 9.2.8 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; -f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin; - -# 9.2.9 Set SSH PermitEmptyPasswords to No (Scored) -[CIS - SLES11 - 9.2.9 - SSH Configuration - Empty passwords permitted {CIS: 9.2.9 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; -f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords; - -# 9.2.10 Do Not Allow Users to Set Environment Options (Scored) - -# 9.2.11 Use Only Approved Ciphers in Counter Mode (Scored) - -# 9.2.12 Set Idle Timeout Interval for User Login (Not Scored) - -# 9.2.13 Limit Access via SSH (Scored) - -# 9.2.14 Set SSH Banner (Scored) - -############################################### -# 9.3 Configure PAM -############################################### - -# 9.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) - -# 9.3.2 Set Lockout for Failed Password Attempts (Not Scored) - -# 9.3.3 Limit Password Reuse (Scored) - -# 9.4 Restrict root Login to System Console (Not Scored) - -# 9.5 Restrict Access to the su Command (Scored) - -############################################### -# 10 User Accounts and Environment -############################################### - -############################################### -# 10.1 Set Shadow Password Suite Parameters (/etc/login.defs) -############################################### - -# 10.1.1 Set Password Expiration Days (Scored) - -# 10.1.2 Set Password Change Minimum Number of Days (Scored) - -# 10.1.3 Set Password Expiring Warning Days (Scored) - -# 10.2 Disable System Accounts (Scored) - -# 10.3 Set Default Group for root Account (Scored) - -# 10.4 Set Default umask for Users (Scored) - -# 10.5 Lock Inactive User Accounts (Scored) - - -############################################### -# 11 Warning Banners -############################################### - -# 11.1 Set Warning Banner for Standard Login Services (Scored) - -# 11.2 Remove OS Information from Login Warning Banners (Scored) - -# 11.3 Set Graphical Warning Banner (Not Scored) - -############################################### -# 12 Verify System File Permissions -############################################### - -# 12.1 Verify System File Permissions (Not Scored) - -# 12.2 Verify Permissions on /etc/passwd (Scored) - -# 12.3 Verify Permissions on /etc/shadow (Scored) - -# 12.4 Verify Permissions on /etc/group (Scored) - -# 12.5 Verify User/Group Ownership on /etc/passwd (Scored) - -# 12.6 Verify User/Group Ownership on /etc/shadow (Scored) - -# 12.7 Verify User/Group Ownership on /etc/group (Scored) - -# 12.8 Find World Writable Files (Not Scored) - -# 12.9 Find Un-owned Files and Directories (Scored) - -# 12.10 Find Un-grouped Files and Directories (Scored) - -# 12.11 Find SUID System Executables (Not Scored) - -# 12.12 Find SGID System Executables (Not Scored) - -############################################### -# 13 Review User and Group Settings -############################################### - -# 13.1 Ensure Password Fields are Not Empty (Scored) - -# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored) - -# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored) - -# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored) - -# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored) -[CIS - SLES11 - 13.5 - Non-root account with uid 0 {CIS: 13.5 SLES11} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - -# 13.6 Ensure root PATH Integrity (Scored) - -# 13.7 Check Permissions on User Home Directories (Scored) - -# 13.8 Check User Dot File Permissions (Scored) - -# 13.9 Check Permissions on User .netrc Files (Scored) - -# 13.10 Check for Presence of User .rhosts Files (Scored) - -# 13.11 Check Groups in /etc/passwd (Scored) - -# 13.12 Check That Users Are Assigned Valid Home Directories (Scored) - -# 13.13 Check User Home Directory Ownership (Scored) - -# 13.14 Check for Duplicate UIDs (Scored) - -# 13.15 Check for Duplicate GIDs (Scored) - -# 13.16 Check for Duplicate User Names (Scored) - -# 13.17 Check for Duplicate Group Names (Scored) - -# 13.18 Check for Presence of User .netrc Files (Scored) - -# 13.19 Check for Presence of User .forward Files (Scored) - -# 13.20 Ensure shadow group is empty (Scored) - - -# Other/Legacy Tests -[CIS - SLES11 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/shadow -> r:^\w+::; - -[CIS - SLES11 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -f:/etc/security/console.perms -> r:^ \d+ ; -f:/etc/security/console.perms -> r:^ \d+ ; - -[CIS - SLES11 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dkudzu$; - -[CIS - SLES11 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dpostgresql$; - -[CIS - SLES11 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dmysqld$; - -[CIS - SLES11 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dnamed$; - -[CIS - SLES11 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf] -d:$rc_dirs -> ^S\d\dnetfs$; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_sles12_linux_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_sles12_linux_rcl.txt deleted file mode 100644 index 16ce63e..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_sles12_linux_rcl.txt +++ /dev/null @@ -1,734 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - - -# CIS Checks for SUSE SLES 12 -# Based on CIS Benchmark for SUSE Linux Enterprise Server 12 v1.0.0 - -# RC scripts location -$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - - -[CIS - Testing against the CIS SUSE Linux Enterprise Server 12 Benchmark v1.0.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP1"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP2"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP3"; -f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP4"; - -# 2.1 /tmp: partition -[CIS - SLES12 - 2.1 - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 2.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:/tmp; - -# 2.2 /tmp: nodev -[CIS - SLES12 - 2.2 - Partition /tmp without 'nodev' set {CIS: 2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 2.3 /tmp: nosuid -[CIS - SLES12 - 2.3 - Partition /tmp without 'nosuid' set {CIS: 2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid; - -# 2.4 /tmp: noexec -[CIS - SLES12 - 2.4 - Partition /tmp without 'noexec' set {CIS: 2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev; - -# 2.5 Build considerations - Partition scheme. -[CIS - SLES12 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 2.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r^# && !r:/var; - -# 2.6 bind mount /var/tmp to /tmp -[CIS - SLES12 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 2.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind; - -# 2.7 /var/log: partition -[CIS - SLES12 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 2.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log; - -# 2.8 /var/log/audit: partition -[CIS - SLES12 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 2.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> ^# && !r:/var/log/audit; - -# 2.9 /home: partition -[CIS - SLES12 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 2.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> ^# && !r:/home; - -# 2.10 /home: nodev -[CIS - SLES12 - 2.10 - Partition /home without 'nodev' set {CIS: 2.10 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/home && !r:nodev; - -# 2.11 nodev on removable media partitions (not scored) -[CIS - SLES12 - 2.11 - Removable partition /media without 'nodev' set {CIS: 2.11 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nodev; - -# 2.12 noexec on removable media partitions (not scored) -[CIS - SLES12 - 2.12 - Removable partition /media without 'noexec' set {CIS: 2.12 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:noexec; - -# 2.13 nosuid on removable media partitions (not scored) -[CIS - SLES12 - 2.13 - Removable partition /media without 'nosuid' set {CIS: 2.13 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; - -# 2.14 /dev/shm: nodev -[CIS - SLES12 - 2.14 - /dev/shm without 'nodev' set {CIS: 2.14 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev; - -# 2.15 /dev/shm: nosuid -[CIS - SLES12 - 2.15 - /dev/shm without 'nosuid' set {CIS: 2.15 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid; - -# 2.16 /dev/shm: noexec -[CIS - SLES12 - 2.16 - /dev/shm without 'noexec' set {CIS: 2.16 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec; - -# 2.17 sticky bit on world writable directories (Scored) -# TODO - -# 2.18 disable cramfs (not scored) - -# 2.19 disable freevxfs (not scored) - -# 2.20 disable jffs2 (not scored) - -# 2.21 disable hfs (not scored) - -# 2.22 disable hfsplus (not scored) - -# 2.23 disable squashfs (not scored) - -# 2.24 disable udf (not scored) - -# 2.25 disable automounting (Scored) -# TODO - -############################################### -# 3 Secure Boot Settings -############################################### - -# 3.1 Set User/Group Owner on /etc/grub.conf -# TODO (no mode tests) -# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0" - -# 3.2 Set Permissions on /etc/grub.conf (Scored) -# TODO (no mode tests) -# stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00" - -# 3.3 Set Boot Loader Password (Scored) -[CIS - SLES12 - 3.3 - GRUB Password not set {CIS: 3.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/boot/grub2/grub.cfg -> !r:^# && !r:password; - -############################################### -# 4 Additional Process Hardening -############################################### - -# 4.1 Restrict Core Dumps (Scored) -[CIS - SLES12 - 4.1 - Interactive Boot not disabled {CIS: 4.1 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0; - -# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored) -# TODO - -# 4.3 Enable Randomized Virtual Memory Region Placement (Scored) -[CIS - SLES12 - 4.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 4.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/kernel/randomize_va_space -> 2; - -# 4.4 Disable Prelink (Scored) -# TODO - -# 4.5 Activate AppArmor (Scored) -# TODO - -############################################### -# 5 OS Services -############################################### - -############################################### -# 5.1 Remove Legacy Services -############################################### - -# 5.1.1 Remove NIS Server (Scored) -[CIS - SLES12 - 5.1.1 - Disable standard boot services - NIS (server) Enabled {CIS: 5.1.1 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dypserv$; -f:/usr/lib/systemd/system/ypserv.service -> r:Exec; - -# 5.1.2 Remove NIS Client (Scored) -[CIS - SLES12 - 5.1.2 - Disable standard boot services - NIS (client) Enabled {CIS: 51.2 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dypbind$; -f:/usr/lib/systemd/system/ypbind.service -> r:Exec; - -# 5.1.3 Remove rsh-server (Scored) -[CIS - SLES12 - 5.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 5.1.3 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no; -f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no; -# TODO (finish this) -f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart; -f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart; -f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart; - -# 5.1.4 Remove rsh client (Scored) -# TODO - -# 5.1.5 Remove talk-server (Scored) -[CIS - SLES12 - 5.1.5 - talk enabled on xinetd {CIS: 5.1.5 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no; -f:/usr/lib/systemd/system/ntalk.service -> r:Exec; - -# 5.1.6 Remove talk client (Scored) -# TODO - -# 5.1.7 Remove telnet-server (Scored) -# TODO: detect it is installed at all -[CIS - SLES12 - 5.1.7 - Telnet enabled on xinetd {CIS: 5.1.7 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no; -f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd; - -# 5.1.8 Remove tftp-server (Scored) -[CIS - SLES12 - 5.1.8 - tftpd enabled on xinetd {CIS: 5.1.8 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no; -f:/usr/lib/systemd/system/tftp.service -> r:Exec; - -# 5.1.9 Remove xinetd (Scored) -[CIS - SLES12 - 5.1.9 - xinetd detected {CIS: 5.1.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/usr/lib/systemd/system/xinetd.service -> r:Exec; - -# 5.2 Disable chargen-udp (Scored) -[CIS - SLES12 - 5.2 - chargen-udp enabled on xinetd {CIS: 5.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no; - -# 5.3 Disable chargen (Scored) -[CIS - SLES12 - 5.3 - chargen enabled on xinetd {CIS: 5.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no; - -# 5.4 Disable daytime-udp (Scored) -[CIS - SLES12 - 5.4 - daytime-udp enabled on xinetd {CIS: 5.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no; - -# 5.5 Disable daytime (Scored) -[CIS - SLES12 - 5.5 - daytime enabled on xinetd {CIS: 5.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no; - - -# 5.6 Disable echo-udp (Scored) -[CIS - SLES12 - 5.6 - echo-udp enabled on xinetd {CIS: 5.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no; - -# 5.7 Disable echo (Scored) -[CIS - SLES12 - 5.7 - echo enabled on xinetd {CIS: 5.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no; - -# 5.8 Disable discard-udp (Scored) -[CIS - SLES12 - 5.8 - discard-udp enabled on xinetd {CIS: 5.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no; - -# 5.9 Disable discard (Scored) -[CIS - SLES12 - 5.9 - discard enabled on xinetd {CIS: 5.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no; - -# 5.10 Disable time-udp (Scored) -[CIS - SLES12 - 5.10 - time-udp enabled on xinetd {CIS: 5.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no; - -# 5.11 Disable time (Scored) -[CIS - SLES12 - 5.11 - time enabled on xinetd {CIS: 5.11 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no; - -############################################### -# 6 Special Purpose Services -############################################### - -# 6.1 Remove X Windows (Scored) -[CIS - SLES12 - 6.1 - X11 not disabled {CIS: 6.1 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/usr/lib/systemd/system/default.target -> r:Graphical; -p:gdm-x-session; - -# 6.2 Disable Avahi Server (Scored) -[CIS - SLES12 - 6.2 - Avahi daemon not disabled {CIS: 6.2 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -p:avahi-daemon; - -# 6.3 Disable Print Server - CUPS (Not Scored) -#TODO - -# 6.4 Remove DHCP Server (Scored) -[CIS - SLES12 - 6.4 - DHCPnot disabled {CIS: 6.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/usr/lib/systemd/system/dhcpd.service -> r:Exec; - -# 6.5 Configure Network Time Protocol (NTP) (Scored) -#TODO Chrony -[CIS - SLES12 - 6.5 - NTPD not Configured {CIS: 6.5 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server; -f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"; - -# 6.6 Remove LDAP (Not Scored) -#TODO - -# 6.7 Disable NFS and RPC (Not Scored) -[CIS - SLES12 - 6.7 - Disable standard boot services - NFS Enabled {CIS: 6.7 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dnfs$; -d:$rc_dirs -> ^S\d\dnfslock$; - -# 6.8 Remove DNS Server (Not Scored) -# TODO - -# 6.9 Remove FTP Server (Not Scored) -[CIS - SLES12 - 6.9 - VSFTP enabled on xinetd {CIS: 6.9 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no; - -# 6.10 Remove HTTP Server (Not Scored) -[CIS - SLES12 - 6.10 - Disable standard boot services - Apache web server Enabled {CIS: 6.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dapache2$; - -# 6.11 Remove Dovecot (IMAP and POP3 services) (Not Scored) -[CIS - SLES12 - 6.11 - imap enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no; - -[CIS - SLES12 - 6.11 - pop3 enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no; - -# 6.12 Remove Samba (Not Scored) -[CIS - SLES12 - 6.12 - Disable standard boot services - Samba Enabled {CIS: 6.12 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dsamba$; -d:$rc_dirs -> ^S\d\dsmb$; - -# 6.13 Remove HTTP Proxy Server (Not Scored) -[CIS - SLES12 - 6.13 - Disable standard boot services - Squid Enabled {CIS: 6.13 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dsquid$; - -# 6.14 Remove SNMP Server (Not Scored) -[CIS - SLES12 - 6.14 - Disable standard boot services - SNMPD process Enabled {CIS: 6.14 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dsnmpd$; - -# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored) -# TODO - -# 6.16 Ensure rsync service is not enabled (Scored) -[CIS - SLES12 - 6.16 - Disable standard boot services - rsyncd process Enabled {CIS: 6.16 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\drsyncd$; - -# 6.17 Ensure Biosdevname is not enabled (Scored) -# TODO - -############################################### -# 7 Network Configuration and Firewalls -############################################### - -############################################### -# 7.1 Modify Network Parameters (Host Only) -############################################### - -# 7.1.1 Disable IP Forwarding (Scored) -[CIS - SLES12 - 7.1.1 - Network parameters - IP Forwarding enabled {CIS: 7.1.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/ip_forward -> 1; -f:/proc/sys/net/ipv6/ip_forward -> 1; - -# 7.1.2 Disable Send Packet Redirects (Scored) -[CIS - SLES12 - 7.1.2 - Network parameters - IP send redirects enabled {CIS: 7.1.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0; -f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0; - -############################################### -# 7.2 Modify Network Parameters (Host and Router) -############################################### - -# 7.2.1 Disable Source Routed Packet Acceptance (Scored) -[CIS - SLES12 - 7.2.1 - Network parameters - Source routing accepted {CIS: 7.2.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; - -# 7.2.2 Disable ICMP Redirect Acceptance (Scored) -[CIS - SLES12 - 7.2.2 - Network parameters - ICMP redirects accepted {CIS: 7.2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1; - -# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored) -[CIS - SLES12 - 7.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 7.2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1; -f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1; - -# 7.2.4 Log Suspicious Packets (Scored) -[CIS - SLES12 - 7.2.4 - Network parameters - martians not logged {CIS: 7.2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/conf/all/log_martians -> 0; - -# 7.2.5 Enable Ignore Broadcast Requests (Scored) -[CIS - SLES12 - 7.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 7.2.5 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; - -# 7.2.6 Enable Bad Error Message Protection (Scored) -[CIS - SLES12 - 7.2.6 - Network parameters - Bad error message protection not enabled {CIS: 7.2.6 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0; - -# 7.2.7 Enable RFC-recommended Source Route Validation (Scored) -[CIS - SLES12 - 7.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 7.2.7 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0; -f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0; - -# 7.2.8 Enable TCP SYN Cookies (Scored) -[CIS - SLES12 - 7.2.8 - Network parameters - SYN Cookies not enabled {CIS: 7.2.8 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/proc/sys/net/ipv4/tcp_syncookies -> 0; - -############################################### -# 7.3 Configure IPv6 -############################################### - -# 7.3.1 Disable IPv6 Router Advertisements (Not Scored) - -# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored) - -# 7.3.3 Disable IPv6 (Not Scored) - -############################################### -# 7.4 Install TCP Wrappers -############################################### - -# 7.4.1 Install TCP Wrappers (Not Scored) - -# 7.4.2 Create /etc/hosts.allow (Not Scored) - -# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored) -# TODO - -# 7.4.4 Create /etc/hosts.deny (Not Scored) - -# 7.5.5 Verify Permissions on /etc/hosts.deny (Scored) -# TODO - -############################################### -# 7.5 Uncommon Network Protocols -############################################### - -# 7.5.1 Disable DCCP (Not Scored) - -# 7.5.2 Disable SCTP (Not Scored) - -# 7.5.3 Disable RDS (Not Scored) - -# 7.5.4 Disable TIPC (Not Scored) - -# 7.6 Deactivate Wireless Interfaces (Not Scored) - -# 7.7 Enable SuSEfirewall2 (Scored) - -# 7.8 Limit access to trusted networks (Not Scored) - -############################################### -# 8 Logging and Auditing -############################################### - -############################################### -# 8.1 Configure System Accounting (auditd) -############################################### - -############################################### -# 8.1.1 Configure Data Retention -############################################### - -# 8.1.1.1 Configure Audit Log Storage Size (Not Scored) - -# 8.1.1.2 Disable System on Audit Log Full (Not Scored) - -# 8.1.1.3 Keep All Auditing Information (Scored) - -# 8.1.2 Enable auditd Service (Scored) - -# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored) - -# 8.1.4 Record Events That Modify Date and Time Information (Scored) - -# 8.1.5 Record Events That Modify User/Group Information (Scored) - -# 8.1.6 Record Events That Modify the System’s Network Environment (Scored) - -# 8.1.7 Record Events That Modify the System’s Mandatory Access Controls (Scored) - -# 8.1.8 Collect Login and Logout Events (Scored) - -# 8.1.9 Collect Session Initiation Information (Scored) - -# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored) - -# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored) - -# 8.1.12 Collect Use of Privileged Commands (Scored) - -# 8.1.13 Collect Successful File System Mounts (Scored) - -# 8.1.14 Collect File Deletion Events by User (Scored) - -# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored) - -# 8.1.16 Collect System Administrator Actions (sudolog) (Scored) - -# 8.1.17 Collect Kernel Module Loading and Unloading (Scored) - -# 8.1.18 Make the Audit Configuration Immutable (Scored) - -############################################### -# 8.2 Configure rsyslog -############################################### - -# 8.2.1 Install the rsyslog package (Scored) -# TODO - -# 8.2.2 Activate the rsyslog Service (Scored) -# TODO - -# 8.2.3 Configure /etc/rsyslog.conf (Not Scored) - -# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored) - -# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored) - -# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) - -############################################### -# 8.3 Advanced Intrusion Detection Environment (AIDE) -############################################### - -# 8.3.1 Install AIDE (Scored) - -# 8.3.2 Implement Periodic Execution of File Integrity (Scored) - -# 8.4 Configure logrotate (Not Scored) - -############################################### -# 9 System Access, Authentication and Authorization -############################################### - -############################################### -# 9.1 Configure cron and anacron -############################################### - -# 9.1.1 Enable cron Daemon (Scored) - -# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored) - -# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored) - -# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored) - -# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored) - -# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored) - -# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored) - -# 9.1.8 Restrict at/cron to Authorized Users (Scored) - -############################################### -# 9.2 Configure SSH -############################################### - -# 9.2.1 Set SSH Protocol to 2 (Scored) -[CIS - SLES12 - 9.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; - -# 9.2.2 Set LogLevel to INFO (Scored) -[CIS - SLES12 - 9.2.1 - SSH Configuration - Loglevel not INFO {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO; - -# 9.2.3 Set Permissions on /etc/ssh/sshd_config (Scored) -# TODO - -# 9.2.4 Disable SSH X11 Forwarding (Scored) -# TODO - -# 9.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) -[ CIS - SLES12 - 9.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - SLES12 - 9.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries && !r:3\s*$; -f:/etc/ssh/sshd_config -> r:^#\s*MaxAuthTries; -f:/etc/ssh/sshd_config -> !r:MaxAuthTries; - -# 9.2.6 Set SSH IgnoreRhosts to Yes (Scored) -[CIS - SLES12 - 9.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 9.2.6 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; - -# 9.2.7 Set SSH HostbasedAuthentication to No (Scored) -[CIS - SLES12 - 9.2.7 - SSH Configuration - Host based authentication enabled {CIS: 9.2.7 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; - -# 9.2.8 Disable SSH Root Login (Scored) -[CIS - SLES12 - 9.2.8 - SSH Configuration - Root login allowed {CIS: 9.2.8 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; -f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin; - -# 9.2.9 Set SSH PermitEmptyPasswords to No (Scored) -[CIS - SLES12 - 9.2.9 - SSH Configuration - Empty passwords permitted {CIS: 9.2.9 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; -f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords; - -# 9.2.10 Do Not Allow Users to Set Environment Options (Scored) - -# 9.2.11 Use Only Approved Ciphers in Counter Mode (Scored) - -# 9.2.12 Set Idle Timeout Interval for User Login (Not Scored) - -# 9.2.13 Limit Access via SSH (Scored) - -# 9.2.14 Set SSH Banner (Scored) - -############################################### -# 9.3 Configure PAM -############################################### - -# 9.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) - -# 9.3.2 Set Lockout for Failed Password Attempts (Not Scored) - -# 9.3.3 Limit Password Reuse (Scored) - -# 9.4 Restrict root Login to System Console (Not Scored) - -# 9.5 Restrict Access to the su Command (Scored) - -############################################### -# 10 User Accounts and Environment -############################################### - -############################################### -# 10.1 Set Shadow Password Suite Parameters (/etc/login.defs) -############################################### - -# 10.1.1 Set Password Expiration Days (Scored) - -# 10.1.2 Set Password Change Minimum Number of Days (Scored) - -# 10.1.3 Set Password Expiring Warning Days (Scored) - -# 10.2 Disable System Accounts (Scored) - -# 10.3 Set Default Group for root Account (Scored) - -# 10.4 Set Default umask for Users (Scored) - -# 10.5 Lock Inactive User Accounts (Scored) - - -############################################### -# 11 Warning Banners -############################################### - -# 11.1 Set Warning Banner for Standard Login Services (Scored) - -# 11.2 Remove OS Information from Login Warning Banners (Scored) - -# 11.3 Set Graphical Warning Banner (Not Scored) - -############################################### -# 12 Verify System File Permissions -############################################### - -# 12.1 Verify System File Permissions (Not Scored) - -# 12.2 Verify Permissions on /etc/passwd (Scored) - -# 12.3 Verify Permissions on /etc/shadow (Scored) - -# 12.4 Verify Permissions on /etc/group (Scored) - -# 12.5 Verify User/Group Ownership on /etc/passwd (Scored) - -# 12.6 Verify User/Group Ownership on /etc/shadow (Scored) - -# 12.7 Verify User/Group Ownership on /etc/group (Scored) - -# 12.8 Find World Writable Files (Not Scored) - -# 12.9 Find Un-owned Files and Directories (Scored) - -# 12.10 Find Un-grouped Files and Directories (Scored) - -# 12.11 Find SUID System Executables (Not Scored) - -# 12.12 Find SGID System Executables (Not Scored) - -############################################### -# 13 Review User and Group Settings -############################################### - -# 13.1 Ensure Password Fields are Not Empty (Scored) - -# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored) - -# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored) - -# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored) - -# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored) -[CIS - SLES12 - 13.5 - Non-root account with uid 0 {CIS: 13.5 SLES12} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - -# 13.6 Ensure root PATH Integrity (Scored) - -# 13.7 Check Permissions on User Home Directories (Scored) - -# 13.8 Check User Dot File Permissions (Scored) - -# 13.9 Check Permissions on User .netrc Files (Scored) - -# 13.10 Check for Presence of User .rhosts Files (Scored) - -# 13.11 Check Groups in /etc/passwd (Scored) - -# 13.12 Check That Users Are Assigned Valid Home Directories (Scored) - -# 13.13 Check User Home Directory Ownership (Scored) - -# 13.14 Check for Duplicate UIDs (Scored) - -# 13.15 Check for Duplicate GIDs (Scored) - -# 13.16 Check for Duplicate User Names (Scored) - -# 13.17 Check for Duplicate Group Names (Scored) - -# 13.18 Check for Presence of User .netrc Files (Scored) - -# 13.19 Check for Presence of User .forward Files (Scored) - -# 13.20 Ensure shadow group is empty (Scored) - - -# Other/Legacy Tests -[CIS - SLES12 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/shadow -> r:^\w+::; - -[CIS - SLES12 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -f:/etc/security/console.perms -> r:^ \d+ ; -f:/etc/security/console.perms -> r:^ \d+ ; - -[CIS - SLES12 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dkudzu$; - -[CIS - SLES12 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dpostgresql$; - -[CIS - SLES12 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dmysqld$; - -[CIS - SLES12 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dnamed$; - -[CIS - SLES12 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf] -d:$rc_dirs -> ^S\d\dnetfs$; diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_solaris11_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_solaris11_rcl.txt deleted file mode 100644 index 278237c..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_solaris11_rcl.txt +++ /dev/null @@ -1,475 +0,0 @@ -# OSSEC Linux Audit - (C) 2017 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry , use "->" to look for a specific entry and another -# "->" to look for the value. -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Solaris 11 -# Based on Center for Internet Security Benchmark for Solaris 11 Benchmark v1.1.0 https://workbench.cisecurity.org/benchmarks/410 -# -$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/; -# -# -#2.1 Disable Local-only Graphical Login Environment -[CIS - Solaris 11 Configuration - 2.1 Disable Local-only Graphical Login Environment] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:gdm; -p:cde; -# -# -#2.2 Configure sendmail Service for Local-Only Mode -[CIS - Solaris 11 Configuration - 2.2 Configure sendmail Service for Local-Only Mode] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:!/etc/mail/local.cf; -# -# -#2.3 Disable RPC Encryption Key -[CIS - Solaris 11 Configuration - 2.3 Disable RPC Encryption Key] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:keyserv; -# -# -#2.4 Disable NIS Server Services -[CIS - Solaris 11 Configuration - 2.4 Disable NIS Server Services] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:ypserv; -p:ypbind; -p:ypxfr; -p:rpc.yppasswdd; -p:rpc.ypupdated; -f:/etc/init.d/nis; -# -# -#2.5 Disable NIS Client Services -[CIS - Solaris 11 Configuration - 2.5 Disable NIS Client Services] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:ypserv; -p:ypbind; -p:ypxfr; -p:rpc.yppasswdd; -p:rpc.ypupdated; -f:/etc/init.d/nis; -# -# -#2.6 Disable Kerberos TGT Expiration Warning -[CIS - Solaris 11 Configuration - 2.6 Disable Kerberos TGT Expiration Warning] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:ktkt_warnd; -# -# -#2.7 Disable Generic Security Services (GSS) -[CIS - Solaris 11 Configuration - 2.7 Disable Generic Security Services (GSS)] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:gssd; -# -# -#2.8 Disable Removable Volume Manager -[CIS - Solaris 11 Configuration - 2.8 Disable Removable Volume Manager] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:smserverd; -# -# -#2.9 Disable automount Service -[CIS - Solaris 11 Configuration - 2.9 Disable automount Service] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:automountd; -# -# -#2.10 Disable Apache Service -[CIS - Solaris 11 Configuration - 2.10 Disable Apache Service] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:apache; -p:httpd; -# -# -#2.11 Disable Local-only RPC Port Mapping Service -[CIS - Solaris 11 Configuration - 2.11 Disable Local-only RPC Port Mapping Service] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:rpcbind; -# -# -#2.12 Configure TCP Wrappers -[CIS - Solaris 11 Configuration - 2.12 Configure TCP Wrappers] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:!/etc/hosts.allow; -f:!/etc/hosts.deny; -# -# -#2.13 Disable Telnet Service -[CIS - Solaris 11 Configuration - 2.13 Disable Telnet Service] [any] [https://workbench.cisecurity.org/benchmarks/410] -p:telnetd; -# -# -#3.1 Restrict Core Dumps to Protected Directory -[CIS - Solaris 11 Configuration - 3.1 Restrict Core Dumps to Protected Directory] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/coreadm.conf -> !r:^COREADM_GLOB_PATTERN\p\.+; -f:/etc/coreadm.conf -> !r:^COREADM_GLOB_CONTENT\pdefault; -f:/etc/coreadm.conf -> !r:^COREADM_INIT_PATTERN\pcore; -f:/etc/coreadm.conf -> !r:^COREADM_INIT_CONTENT\pdefault; -f:/etc/coreadm.conf -> !r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno; -f:/etc/coreadm.conf -> !r:^COREADM_PROC_ENABLED\pno; -f:/etc/coreadm.conf -> !r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno; -f:/etc/coreadm.conf -> !r:^COREADM_PROC_SETID_ENABLED\pno; -f:/etc/coreadm.conf -> !r:^COREADM_GLOB_LOG_ENABLED\pyes; -# -# -#3.2 Enable Stack Protection -[CIS - Solaris 11 Configuration - 3.2 Enable Stack Protection] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:!/etc/system; -f:/etc/system -> !r:^\s*\t*noexec_user_stack\p1; -f:/etc/system -> !r:^# && r:\s*\t*noexec_user_stack\p0; -f:/etc/system -> !r:^\s*\t*noexec_user_stack_log\p1; -f:/etc/system -> !r:^# && r:\s*\t*noexec_user_stack_log\p0; -# -# -#3.3 Enable Strong TCP Sequence Number Generation -[CIS - Solaris 11 Configuration - 3.3 Enable Strong TCP Sequence Number Generation] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/inetinit -> !r:^TCP_STRONG_ISS\p2; -f:/etc/default/inetinit -> !r:^# && r:TCP_STRONG_ISS\p1; -# -# -#4.1 Create CIS Audit Class -[CIS - Solaris 11 Configuration - 4.1 Create CIS Audit Class] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/security/audit_class -> !r:0x\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d:cis:\.+; -# -# -#4.2 Enable Auditing of Incoming Network Connections -[CIS - Solaris 11 Configuration - 4.2 Enable Auditing of Incoming Network Connections] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/security/audit_event -> !r:^\d+:AUE_ACCEPT:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_CONNECT:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKACCEPT:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKCONNECT:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_inetd_connect:\.+cis\.*; -# -# -#4.3 Enable Auditing of File Metadata Modification Events -[CIS - Solaris 11 Configuration - 4.3 Enable Auditing of File Metadata Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/security/audit_event -> !r:^\d+:AUE_CHMOD:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_CHOWN:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_FCHOWN:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_FCHMOD:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_LCHOWN:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_ACLSET:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_FACLSET:\.+cis\.*; -# -# -#4.4 Enable Auditing of Process and Privilege Events -[CIS - Solaris 11 Configuration - 4.4 Enable Auditing of Process and Privilege Events] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/security/audit_event -> !r:^\d+:AUE_CHROOT:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETREUID:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETREGID:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_FCHROOT:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_PFEXEC:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETUID:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_NICE:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETGID:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETEGID:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETEUID:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETPRIV:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETSID:\.+cis\.*; -f:/etc/security/audit_event -> !r:^\d+:AUE_SETPGID:\.+cis\.*; -# -# -#4.5 Configure Solaris Auditing -[CIS - Solaris 11 Configuration - 4.5 Configure Solaris Auditing] [any] [https://workbench.cisecurity.org/benchmarks/410] -d:/var/spool/cron/crontabs -> !r:/usr/sbin/audit -n; -# -# -#5.1 Default Service File Creation Mask -[CIS - Solaris 11 Configuration - 5.1 Default Service File Creation Mask] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/profile -> !r:^umask\s*\d\d\d; -# -# -#6.2 Disable "nobody" Access for RPC Encryption Key Storage Service -[CIS - Solaris 11 Configuration - 6.2 Disable "nobody" Access for RPC Encryption Key Storage Service] [any] [https://workbench.cisecurity.org/benchmarks/410] -f!:/etc/default/keyserv; -f:/etc/default/keyserv -> !r:^ENABLE\.NOBODY\.KEYS\pNO; -f:/etc/default/keyserv -> !r:^# && r:ENABLE\.NOBODY\.KEYS\pYES; -# -# -#6.3 Disable X11 Forwarding for SSH -[CIS - Solaris 11 Configuration - 6.3 Disable X11 Forwarding for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s*no; -f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s*yes; -# -# -#6.4 Limit Consecutive Login Attempts for SSH -[CIS - Solaris 11 Configuration - 6.4 Limit Consecutive Login Attempts for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s*3; -f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries\s*3\d+; -# -# -#6.5 Disable Rhost-based Authentication for SSH -[CIS - Solaris 11 Configuration - 6.5 Disable Rhost-based Authentication for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s*yes; -f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s*no; -# -# -#6.6 Disable root login for SSH -[CIS - Solaris 11 Configuration - 6.6 Disable root login for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s*no; -f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s*yes; -# -# -#6.7 Blocking Authentication Using Empty/Null Passwords for SSH -[CIS - Solaris 11 Configuration - 6.7 Blocking Authentication Using Empty/Null Passwords for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s*no; -f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s*yes; -# -# -#6.8 Disable Host-based Authentication for Login-based Services -[CIS - Solaris 11 Configuration - 6.8 Disable Host-based Authentication for Login-based Services] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/pam.conf -> !r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1; -f:/etc/pam.conf -> !r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1; -# -# -#6.9 Restrict FTP Use -[CIS - Solaris 11 Configuration - 6.9 Restrict FTP Use] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/ftpd/ftpusers -> !r:^root; -f:/etc/ftpd/ftpusers -> !r:^daemon; -f:/etc/ftpd/ftpusers -> !r:^bin; -f:/etc/ftpd/ftpusers -> !r:^sys; -f:/etc/ftpd/ftpusers -> !r:^adm; -f:/etc/ftpd/ftpusers -> !r:^uucp; -f:/etc/ftpd/ftpusers -> !r:^nuucp; -f:/etc/ftpd/ftpusers -> !r:^smmsp; -f:/etc/ftpd/ftpusers -> !r:^listen; -f:/etc/ftpd/ftpusers -> !r:^gdm; -f:/etc/ftpd/ftpusers -> !r:^lp; -f:/etc/ftpd/ftpusers -> !r:^webservd; -f:/etc/ftpd/ftpusers -> !r:^postgres; -f:/etc/ftpd/ftpusers -> !r:^svctag; -f:/etc/ftpd/ftpusers -> !r:^openldap; -f:/etc/ftpd/ftpusers -> !r:^unknown; -f:/etc/ftpd/ftpusers -> !r:^aiuser; -f:/etc/ftpd/ftpusers -> !r:^nobody; -f:/etc/ftpd/ftpusers -> !r:^nobody4; -f:/etc/ftpd/ftpusers -> !r:^noaccess; -# -# -#6.10 Set Delay between Failed Login Attempts to 4 -[CIS - Solaris 11 Configuration - 6.10 Set Delay between Failed Login Attempts to 4] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/login -> !r:^SLEEPTIME\p4; -f:/etc/default/login -> !r:^# && r:SLEEPTIME\p4\d; -# -# -#6.11 Remove Autologin Capabilities from the GNOME desktop -[CIS - Solaris 11 Configuration - 6.11 Remove Autologin Capabilities from the GNOME desktop] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/pam.conf -> !r:^# && r:gdm-autologin; -# -# -#6.12 Set Default Screen Lock for GNOME Users -[CIS - Solaris 11 Configuration - 6.12 Set Default Screen Lock for GNOME Users] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*timeout:\s*\t*0:10:00; -f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*locktimeout:\s*\t*0:00:00; -f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*lock:\s*\t*true; -# -# -#6.13 Restrict at/cron to Authorized Users -[CIS - Solaris 11 Configuration - 6.13 Restrict at/cron to Authorized Users] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/cron.d/cron.deny; -f:/etc/cron.d/at.deny; -f:!/etc/cron.d/cron.allow; -f:/etc/cron.d/cron.allow -> !r:^root$; -f:!/etc/cron.d/at.allow; -f:/etc/cron.d/at.allow -> !r:^# && r:\w; -# -# -#6.14 Restrict root Login to System Console -[CIS - Solaris 11 Configuration - 6.14 Restrict root Login to System Console] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/login -> !r:^CONSOLE\p/dev/console; -# -# -#6.15 Set Retry Limit for Account Lockout -[CIS - Solaris 11 Configuration - 6.14 Restrict root Login to System Console] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/login -> !r:^RETRIES\p3; -f:/etc/default/login -> !r:^# && r:RETRIES\p3\d; -f:/etc/security/policy.conf -> !r:^LOCK_AFTER_RETRIES\pyes; -f:/etc/security/policy.conf -> !r:^# && r:LOCK_AFTER_RETRIES\pno; -# -# -#6.17 Secure the GRUB Menu (Intel) -[CIS - Solaris 11 Configuration - 6.17 Secure the GRUB Menu (Intel)] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/rpool/boot/grub/menu.lst -> !r:^password\s*--md5; -# -# -#7.1 Set Password Expiration Parameters on Active Accounts -[CIS - Solaris 11 Configuration - 7.1 Set Password Expiration Parameters on Active Accounts] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/passwd -> !r:^maxweeks\p13; -f:/etc/default/passwd -> !r:^# &&r:maxweeks\p13\d; -f:/etc/default/passwd -> !r:^minweeks\p1; -f:/etc/default/passwd -> !r:^# &&r:minweeks\p1\d; -f:/etc/default/passwd -> !r:^warnweeks\p4; -f:/etc/default/passwd -> !r:^# &&r:warnweeks\p4\d; -# -# -#7.2 Set Strong Password Creation Policies -[CIS - Solaris 11 Configuration - 7.2 Set Strong Password Creation Policies] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/passwd -> !r:^passlength\p8; -f:/etc/default/passwd -> !r:^# && r:passlength\p8\d; -f:/etc/default/passwd -> !r:^namecheck\pyes; -f:/etc/default/passwd -> !r:^# && r:namecheck\pno; -f:/etc/default/passwd -> !r:^history\p10; -f:/etc/default/passwd -> !r:^# && r:history\p10\d; -f:/etc/default/passwd -> !r:^mindiff\p3; -f:/etc/default/passwd -> !r:^# && r:mindiff\p3\d; -f:/etc/default/passwd -> !r:^minalpha\p2; -f:/etc/default/passwd -> !r:^# && r:minalpha\p2\d; -f:/etc/default/passwd -> !r:^minupper\p1; -f:/etc/default/passwd -> !r:^# && r:minupper\p1\d; -f:/etc/default/passwd -> !r:^minlower\p1; -f:/etc/default/passwd -> !r:^# && r:minlower\p1\d; -f:/etc/default/passwd -> !r:^minnonalpha\p1; -f:/etc/default/passwd -> !r:^# && r:minnonalpha\p1\d; -f:/etc/default/passwd -> !r:^maxrepeats\p0; -f:/etc/default/passwd -> !r:^# && r:maxrepeats\p0\d; -f:/etc/default/passwd -> !r:^whitespace\pyes; -f:/etc/default/passwd -> !r:^# && r:whitespace\pno; -f:/etc/default/passwd -> !r:^dictiondbdir\p/var/passwd; -f:/etc/default/passwd -> !r:^dictionlist\p/usr/share/lib/dict/words; -# -# -#7.3 Set Default umask for users -[CIS - Solaris 11 Configuration - 7.3 Set Default umask for users] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/login -> !r:^umask\p027|^umask\p077; -f:/etc/default/login -> !r:^# && r:umask\p026; -f:/etc/default/login -> !r:^# && r:umask\p022; -# -# -#7.4 Set Default File Creation Mask for FTP Users -[CIS - Solaris 11 Configuration - 7.4 Set Default File Creation Mask for FTP Users] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/proftpd.conf -> !r:^umask\s*027; -f:/etc/proftpd.conf -> !r:^# && r:umask\s*026; -f:/etc/proftpd.conf -> !r:^# && r:umask\s*022; -# -# -#7.5 Set "mesg n" as Default for All Users -[CIS - Solaris 11 Configuration - 7.5 Set "mesg n" as Default for All Users] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/.login -> !r:^mesg\s*n; -f:/etc/profile -> !r:^mesg\s*n; -# -# -#8.1 Create Warnings for Standard Login Services -[CIS - Solaris 11 Configuration - 8.1 Create Warnings for Standard Login Services] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/issue -> r:SunOS; -f:/etc/issue -> r:Oracle; -f:/etc/issue -> r:solaris; -f:/etc/issue -> !r:Authorized users only. All activity may be monitored and reported; -f:/etc/motd -> r:SunOS; -f:/etc/motd -> r:Oracle; -f:/etc/motd -> r:solaris; -f:/etc/motd -> !r:Authorized users only. All activity may be monitored and reported; -# -# -#8.2 Enable a Warning Banner for the SSH Service -[CIS - Solaris 11 Configuration - 8.2 Enable a Warning Banner for the SSH Service] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/ssh/sshd_config -> !r:^Banner\s*/etc/issue; -# -# -#8.3 Enable a Warning Banner for the GNOME Service -[CIS - Solaris 11 Configuration - 8.3 Enable a Warning Banner for the GNOME Service] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/gdm/Init/Default -> !r:^/usr/bin/zenity\s\.; -# -# -#8.4 Enable a Warning Banner for the FTP service -[CIS - Solaris 11 Configuration - 8.4 Enable a Warning Banner for the FTP service] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/proftpd.conf -> !r:^DisplayConnect\s+/etc/issue; -# -# -#8.5 Check that the Banner Setting for telnet is Null -[CIS - Solaris 11 Configuration - 8.5 Check that the Banner Setting for telnet is Null] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/default/telnetd -> !r:^# && r:BANNER=\.; -f:/etc/default/telnetd -> !r:BANNER=$; -# -# -#9.3 Verify System Account Default Passwords -[CIS - Solaris 11 Configuration - 9.3 Verify System Account Default Passwords] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/shadow -> r:daemon && !r::NL:|:NP:; -f:/etc/shadow -> r:lp && !r::NL:|:NP:; -f:/etc/shadow -> r:adm && !r::NL:|:NP:; -f:/etc/shadow -> r:bin && !r::NL:|:NP:; -f:/etc/shadow -> r:gdm && !r::\p*LK\p*:; -f:/etc/shadow -> r:noaccess && !r::\p*LK\p*:; -f:/etc/shadow -> r:nobody && !r::\p*LK\p*:; -f:/etc/shadow -> r:nobody4 && !r::\p*LK\p*:; -f:/etc/shadow -> r:openldap && !r::\p*LK\p*:; -f:/etc/shadow -> r:unknown && !r::\p*LK\p*:; -f:/etc/shadow -> r:webservd && !r::\p*LK\p*:; -f:/etc/shadow -> r:mysql && !r::NL:|:NP:; -f:/etc/shadow -> r:nuuc && !r::NL:|:NP:; -f:/etc/shadow -> r:postgres && !r::NL:|:NP:; -f:/etc/shadow -> r:smmsp && !r::NL:|:NP:; -f:/etc/shadow -> r:sys && !r::NL:|:NP:; -f:/etc/shadow -> r:uucp && !r::NL:|:NP:; -f:/etc/shadow -> r:aiuser && !r::\p*LK\p*:; -f:/etc/shadow -> r:dhcpserv && !r::\p*LK\p*:; -f:/etc/shadow -> r:dladm && !r::\p*LK\p*:; -f:/etc/shadow -> r:ftp && !r::\p*LK\p*:; -f:/etc/shadow -> r:netadm && !r::\p*LK\p*:; -f:/etc/shadow -> r:netcfg && !r::\p*LK\p*:; -f:/etc/shadow -> r:pkg5srv && !r::\p*LK\p*:; -f:/etc/shadow -> r:svctag && !r::\p*LK\p*:; -f:/etc/shadow -> r:xvm && !r::\p*LK\p*:; -f:/etc/shadow -> r:upnp && !r::NL:|:NP:; -f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:; -# -# -#9.4 Ensure Password Fields are Not Empty -[CIS - Solaris 11 Configuration - 9.4 Ensure Password Fields are Not Empty] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/shadow -> r:\.+::\.+\w+\.*$; -# -# -#9.5 Verify No UID 0 Accounts Exist Other than root -[CIS - Solaris 11 Configuration - 9.5 Verify No UID 0 Accounts Exist Other than root] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/passwd -> !r:^root && r::\.:0:\.*; -# -# -#9.6 Ensure root PATH Integrity -[CIS - Solaris 11 Configuration - Ensure root PATH Integrity] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/profile -> r:.; -f:/etc/environment -> r:.; -f:/.profile -> r:.; -f:/.bash_profile -> r:.; -f:/.bashrc -> r:.; -f:/etc/profile -> r:::; -f:/etc/environment -> r:::; -f:/.profile -> r:::; -f:/.bash_profile -> r:::; -f:/.bashrc -> r:::; -f:/etc/profile -> r::$; -f:/etc/environment -> r::$; -f:/.profile -> r::$; -f:/.bash_profile -> r::$; -f:/.bashrc -> r::$; -# -# -#9.10 Check for Presence of User .rhosts Files -[CIS - Solaris 11 Configuration - 9.10 Check for Presence of User .rhosts Files] [any] [https://workbench.cisecurity.org/benchmarks/410] -d:$home_dirs -> ^.rhosts$; -# -# -#9.12 Check That Users Are Assigned Home Directories -[CIS - Solaris 11 Configuration - 9.12 Check That Users Are Assigned Home Directories] [any] [https://workbench.cisecurity.org/benchmarks/410] -f:/etc/passwd -> \w+:\.*:\d*:\d*:\.*:\S+:\.*; -# -# -#9.20 Check for Presence of User .netrc Files -[CIS - Solaris 11 Configuration - 9.20 Check for Presence of User .netrc Files] [any] [https://workbench.cisecurity.org/benchmarks/410] -d:$home_dirs -> ^.netrc$; -# -# -#9.21 Check for Presence of User .forward Files -[CIS - Solaris 11 Configuration - 9.21 Check for Presence of User .forward Files] [any] [https://workbench.cisecurity.org/benchmarks/410] -d:$home_dirs -> ^.forward$; -# -# -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win10_enterprise_L1_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win10_enterprise_L1_rcl.txt deleted file mode 100644 index e8ece81..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win10_enterprise_L1_rcl.txt +++ /dev/null @@ -1,1548 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows 10 -# Based on Center for Internet Security Benchmark v1.4.0 for Microsoft Windows 10 Release 1709 (https://workbench.cisecurity.org/benchmarks/766) -# -# -#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' -[CIS - Microsoft Windows 10 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser; -# -# -#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0; -# -# -#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1; -# -# -#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'[CIS - Microsoft Windows 10 - 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2; -# -# -#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' -[CIS - Microsoft Windows 10 - 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2; -# -# -#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'[CIS - Microsoft Windows 10 - 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0; -# -# -#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0; -# -# -#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0; -# -# -#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> !0; -# -# -#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> !1; -# -# -#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> !1; -# -# -#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> !0; -# -# -#2.3.7.4 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'[CIS - Microsoft Windows 10 - 2.3.7.4 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs; -# -# -#2.3.7.8 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' -[CIS - Microsoft Windows 10 - 2.3.7.8 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+; -# -# -#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher -[CIS - Microsoft Windows 10 - 2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption; -# -# -#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature; -# -# -#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1; -# -# -#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0; -# -# -#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' -[CIS - Microsoft Windows 10 - 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect; -# -# -#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature; -# -# -#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature; -# -# -#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher -[CIS - Microsoft Windows 10 - 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel; -# -# -#2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0; -# -# -#2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> !RestrictAnonymous; -# -# -#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> !DisableDomainCreds; -# -# -#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2; -# -# -#2.3.10.6 Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' -[CIS - Microsoft Windows 10 - 2.3.10.6 Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes; -# -# -#2.3.10.7 Ensure 'Network access: Remotely accessible registry paths' -[CIS - Microsoft Windows 10 - 2.3.10.7 Ensure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> !Machine; -# -# -#2.3.10.8 Ensure 'Network access: Remotely accessible registry paths and sub-paths' -[CIS - Microsoft Windows 10 - 2.3.10.8 Ensure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> !Machine; -# -# -#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1; -# -# -#2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' -[CIS - Microsoft Windows 10 - 2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> !r:O:BAG:BAD:\(A;;RC;;;BA\); -# -# -#2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' -[CIS - Microsoft Windows 10 - 2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*; -# -# -#2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' -[CIS - Microsoft Windows 10 - 2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1; -# -# -#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId; -# -# -#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback; -# -# -#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0; -# -# -#2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' -[CIS - Microsoft Windows 10 - 2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> !SupportedEncryptionTypes; -# -# -#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0; -# -# -#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' -[CIS - Microsoft Windows 10 - 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel; -# -# -#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher -[CIS - Microsoft Windows 10 - 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1; -# -# -#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows 10 - 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec; -# -# -#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows 10 - 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec; -# -# -#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1; -# -# -#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1; -# -# -#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken; -# -# -#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1; -# -# -#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' -[CIS - Microsoft Windows 10 - 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin; -# -# -#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' -[CIS - Microsoft Windows 10 - 2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser; -# -# -#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0; -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection; -# -# -#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0; -# -# -#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0; -# -# -#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0; -# -# -#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0; -# -# -#5.3 Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.3 Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> !4; -# -# -#5.6 Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.6 Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> !Start; -# -# -#5.7 Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.7 Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> !Start; -# -# -#5.8 Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.8 Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> !4; -# -# -#5.9 Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.9 Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> !Start; -# -# -#5.10 Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.10 Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> !Start; -# -# -#5.12 Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.12 Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> !4; -# -# -#5.13 Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.13 Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> !4; -# -# -#5.24 Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.24 Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> !Start; -# -# -#5.26 Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.26 Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> !Start; -# -# -#5.28 Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.28 Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> !4; -# -# -#5.30 Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.30 Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> !Start; -# -# -#5.31 Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.31 Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> !Start; -# -# -#5.32 Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.32 Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> !4; -# -# -#5.35 Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.35 Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> !4; -# -# -#5.36 Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.36 Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> !Start; -# -# -#5.41 Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.41 Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> !4; -# -# -#5.42 Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.42 Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> !Start; -# -# -#5.43 Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.43 Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> !Start; -# -# -#5.44 Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.44 Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> !Start;# -# -#5.45 Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.45 Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> !Start; -# -# -#4.46 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 4.46 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> !Start; -# -# -#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' -[CIS - Microsoft Windows 10 - 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0; -# -# -#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows 10 - 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0; -# -# -#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows 10 - 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1; -# -# -#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows 10 - 9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications; -# -# -#9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows 10 - 9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' -[CIS - Microsoft Windows 10 - 9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows 10 - 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows 10 - 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' -[CIS - Microsoft Windows 10 - 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0; -# -# -#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows 10 - 9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0; -# -# -#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows 10 - 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1; -# -# -#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows 10 - 9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0; -# -# -#9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows 10 - 9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' -[CIS - Microsoft Windows 10 - 9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows 10 - 9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows 10 - 9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' -[CIS - Microsoft Windows 10 - 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0; -# -# -#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows 10 - 9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0; -# -# -#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows 10 - 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1; -# -# -#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows 10 - 9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0; -# -# -#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' -[CIS - Microsoft Windows 10 - 9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' -[CIS - Microsoft Windows 10 - 9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows 10 - 9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' -[CIS - Microsoft Windows 10 - 9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows 10 - 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows 10 - 9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera; -# -# -#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow; -# -# -#18.1.2.2 Ensure 'Allow input personalization' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.1.2.2 Ensure 'Allow input personalization' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> !AllowInputPersonalization; -# -# -#18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed -[CIS - Microsoft Windows 10 - 18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName; -# -# -#18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled; -# -# -#18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled; -# -# -#18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' -[CIS - Microsoft Windows 10 - 18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4; -# -# -#18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' -[CIS - Microsoft Windows 10 - 18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength; -# -# -#18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' -[CIS - Microsoft Windows 10 - 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+; -# -# -#18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0; -# -# -#18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' -[CIS - Microsoft Windows 10 - 18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> !Start; -# -# -#18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> !SMB1; -# -# -#18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> !DisableExceptionChainValidation; -# -# -#18.3.5 Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.3.5 Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 0; -# -# -#18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0; -# -# -#18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0; -# -# -#18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows 10 - Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting; -# -# -#18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows 10 - 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting; -# -# -#18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect; -# -# -#18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1; -# -# -#18.4.9 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.4.9 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0; -# -# -#18.4.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' -[CIS - Microsoft Windows 10 - 18.4.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+; -# -# -#18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' -[CIS - Microsoft Windows 10 - 18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel; -# -# -#18.5.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') -[CIS - Microsoft Windows 10 - 18.5.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> !2; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> !NodeType; -# -# -#18.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> !EnableMulticast; -# -# -#18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> !AllowInsecureGuestAuth; -# -# -#18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA; -# -# -#18.5.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_ShowSharedAccessUI; -# -# -#18.5.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation; -# -# -#18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' -[CIS - Microsoft Windows 10 - 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> !r:RequireMutualAuthentication=1, RequireIntegrity=1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> !r:RequireMutualAuthentication=1, RequireIntegrity=1; -# -# -#18.5.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1; -# -# -#18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain; -# -# -#18.5.23.2.1 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.5.23.2.1 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> !AutoConnectAllowedOEM; -# -# -#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0; -# -# -#18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> !AllowProtectedCreds; -# -# -#18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' -[CIS - Microsoft Windows 10 - 18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3; -# -# -#18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' -[CIS - Microsoft Windows 10 - 18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy; -# -# -#18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' -[CIS - Microsoft Windows 10 - 18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges; -# -# -#18.8.21.4 Ensure 'Continue experiences on this device' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.21.4 Ensure 'Continue experiences on this device' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableCdp; -# -# -#18.8.21.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.21.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0; -# -# -#18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload; -# -# -#18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices; -# -# -#18.8.22.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting; -# -# -#18.8.27.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.27.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockUserFromShowingAccountDetailsOnSignin; -# -# -#18.8.27.2 Ensure 'Do not display network selection UI' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.27.2 Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI; -# -# -#18.8.27.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.27.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers; -# -# -#18.8.27.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.27.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0; -# -# -#18.8.27.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.27.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications; -# -# -#18.8.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockDomainPicturePassword; -# -# -#18.8.27.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.27.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0; -# -# -#18.8.33.6.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.33.6.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !DCSettingIndex; -# -# -#18.8.33.6.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.33.6.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !ACSettingIndex; -# -# -#18.8.33.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.33.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1; -# -# -#18.8.33.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.33.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1; -# -# -#18.8.35.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.35.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0; -# -# -#18.8.35.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.35.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp; -# -# -#18.8.36.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.36.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution; -# -# -#18.8.36.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' -[CIS - Microsoft Windows 10 - 18.8.36.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1; -# -# -#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional; -# -# -#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume; -# -# -#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' -[CIS - Microsoft Windows 10 - 18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun; -# -# -#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' -[CIS - Microsoft Windows 10 - 18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun; -# -# -#18.9.10.1.1 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.10.1.1 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> !EnhancedAntiSpoofing; -# -# -#18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> !DisableWindowsConsumerFeatures; -# -# -#18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> !RequirePinForPairing; -# -# -#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal; -# -# -#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0; -# -# -#18.9.16.1 Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic' -[CIS - Microsoft Windows 10 - 18.9.16.1 Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !AllowTelemetry; -# -# -#18.9.16.3 Ensure 'Disable pre-release features or settings' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.16.3 Ensure 'Disable pre-release features or settings' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !EnableConfigFlighting; -# -# -#18.9.16.4 Ensure 'Do not show feedback notifications' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.16.4 Ensure 'Do not show feedback notifications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DoNotShowFeedbackNotifications; -# -# -#18.9.16.5 Ensure 'Toggle user control over Insider builds' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.16.5 Ensure 'Toggle user control over Insider builds' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !AllowBuildPreview; -# -# -#18.9.17.1 Ensure 'Download Mode' is NOT set to 'Enabled: Internet' -[CIS - Microsoft Windows 10 - 18.9.17.1 Ensure 'Download Mode' is NOT set to 'Enabled: Internet'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> 3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> !DODownloadMode; -# -# -#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 1; -# -# -#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows 10 - 18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize; -# -# -#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0; -# -# -#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' -[CIS - Microsoft Windows 10 - 18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize; -# -# -#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'[CIS - Microsoft Windows 10 - 18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0; -# -# -#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows 10 - 18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize; -# -# -#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0; -# -# -#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows 10 - 18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize; -# -# -#18.9.30.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.30.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0; -# -# -#18.9.30.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.30.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0; -# -# -#18.9.30.4 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.30.4 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0; -# -# -#18.9.35.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.35.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> !DisableHomeGroup; -# -# -#18.9.44.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.44.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> !DisableUserAuth; -# -# -#18.9.45.4 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher -[CIS - Microsoft Windows 10 - 18.9.45.4 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> 2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !Cookies; -# -# -#18.9.45.5 Ensure 'Configure Password Manager' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.45.5 Ensure 'Configure Password Manager' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> !no; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !FormSuggest Passwords; -# -# -#18.9.45.8 Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.45.8 Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> !1; -# -# -#18.9.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC; -# -# -#18.9.58.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.58.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving; -# -# -#18.9.58.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm; -# -# -#18.9.58.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword; -# -# -#18.9.58.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic; -# -# -#18.9.58.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' -[CIS - Microsoft Windows 10 - 18.9.58.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3; -# -# -#18.9.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1; -# -# -#18.9.58.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1; -# -# -#18.9.59.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.59.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload; -# -# -#18.9.60.3 Ensure 'Allow Cortana' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.60.3 Ensure 'Allow Cortana' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortana; -# -# -#18.9.60.4 Ensure 'Allow Cortana above lock screen' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.60.4 Ensure 'Allow Cortana above lock screen' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortanaAboveLock; -# -# -#18.9.60.5 Ensure 'Allow indexing of encrypted files' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.60.5 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0; -# -# -#18.9.60.6 Ensure 'Allow search and Cortana to use location' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.60.6 Ensure 'Allow search and Cortana to use location' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowSearchToUseLocation; -# -# -#18.9.68.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.68.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4; -# -# -#18.9.68.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.68.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade; -# -# -#18.9.76.3.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.76.3.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> !0; -# -# -#18.9.76.7.1 Ensure 'Turn on behavior monitoring' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.76.7.1 Ensure 'Turn on behavior monitoring' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> !1; -# -# -#18.9.76.10.1 Ensure 'Scan removable drives' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.76.10.1 Ensure 'Scan removable drives' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> !DisableRemovableDriveScanning; -# -# -#18.9.76.10.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.76.10.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> !DisableEmailScanning; -# -# -#18.9.76.13.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.76.13.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> !ExploitGuard_ASR_Rules; -# -# -#18.9.76.13.1.2 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured' -[CIS - Microsoft Windows 10 - 18.9.76.13.1.2 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D4F940AB-401B-4EFC-AADC-AD5F3C50688A; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !3B576869-A4EC-4529-8536-B80A7769E899; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D3E037E1-3EB8-44C8-A917-57927947596D; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !5BEB7EFE-FD9A-4556-801D-275E5FFC04CC; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> !1; -r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B; -# -# -#18.9.76.13.3.1 Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' -[CIS - Microsoft Windows 10 - 18.9.76.13.3.1 Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> !EnableNetworkProtection; -# -# -#18.9.76.14 Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.76.14 Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 1; -# -# -#18.9.79.1.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.79.1.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> !DisallowExploitProtectionOverride; -# -# -#18.9.80.1.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' -[CIS - Microsoft Windows 10 - 18.9.80.1.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> !Block; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !ShellSmartScreenLevel; -# -# -#18.9.80.2.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.80.2.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> !1; -# -# -#18.9.80.2.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.80.2.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverrideAppRepUnknown; -# -# -#18.9.80.2.3 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.80.2.3 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverride; -# -# -#18.9.82.1 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.82.1 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> !AllowGameDVR; -# -# -#18.9.84.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' -[CIS - Microsoft Windows 10 - 18.9.84.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowWindowsInkWorkspace; -# -# -#18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0; -# -# -#18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0; -# -# -#18.9.86.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.86.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn; -# -# -#18.9.95.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.95.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging; -# -# -#18.9.95.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.95.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0; -# -# -#18.9.97.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.97.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0; -# -# -#18.9.97.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.97.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.97.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.97.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest; -# -# -#18.9.97.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.97.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0; -# -# -#18.9.97.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.97.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.97.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.97.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs; -# -# -#18.9.101.1.1 Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' -[CIS - Microsoft Windows 10 - 18.9.101.1.1 Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !ManagePreviewBuilds; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !ManagePreviewBuildsPolicyValue; -# -# -#18.9.101.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' -[CIS - Microsoft Windows 10 - 18.9.101.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferFeatureUpdates; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:10\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:11\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:12\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:13\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:14\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:15\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:16\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:17\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> !r:\d\d\d+; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferFeatureUpdatesPeriodInDays; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> !32; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !BranchReadinessLevel; -# -# -#18.9.101.1.13 Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' -[CIS - Microsoft Windows 10 - 18.9.101.1.13 Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferQualityUpdates; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferQualityUpdatesPeriodInDays; -# -# -#18.9.101.2 Ensure 'Configure Automatic Updates' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.101.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate; -# -# -#18.9.101.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' -[CIS - Microsoft Windows 10 - 18.9.101.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay; -# -# -#18.9.101.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.101.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0; -# -# -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win10_enterprise_L2_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win10_enterprise_L2_rcl.txt deleted file mode 100644 index 577f5fd..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win10_enterprise_L2_rcl.txt +++ /dev/null @@ -1,591 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows 10 -# Based on Center for Internet Security Benchmark v1.4.0 for Microsoft Windows 10 Release 1709 (https://workbench.cisecurity.org/benchmarks/766) -# -# -#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> !AddPrinterDrivers; -# -# -#2.3.7.7 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' -[CIS - Microsoft Windows 10 - 2.3.7.7 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> !4; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount; -# -# -#2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher -[CIS - Microsoft Windows 10 - 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> !ForceKeyProtection; -# -# -#5.1 Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.1 Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> !Start; -# -# -#5.2 Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.2 Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> !Start; -# -# -#5.4 Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.4 Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> !Start; -# -# -#5.5 Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.5 Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> !Start; -# -# -#5.11 Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.11 Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> !Start; -# -# -#5.14 Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.14 Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> !Start; -# -# -#5.15 Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.15 Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> !Start; -# -# -#5.16 Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.16 Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> !Start; -# -# -#5.17 Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.17 Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> !Start; -# -# -#5.18 Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.18 Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> !Start; -# -# -#5.19 Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.19 Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> !Start; -# -# -#5.20 Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.20 Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> !Start; -# -# -#5.21 Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.21 Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> !Start; -# -# -#5.22 Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.22 Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> !Start; -# -# -#5.23 Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.23 Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> !Start; -# -# -#5.25 Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.25 Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> !Start; -# -# -#5.27 Ensure 'Server (LanmanServer)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.27 Ensure 'Server (LanmanServer)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> !Start; -# -# -#5.29 Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' -[CIS - Microsoft Windows 10 - 5.29 Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> !4; -# -# -#5.33 Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.33 Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> !Start; -# -# -#5.34 Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.34 Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> !Start; -# -# -#5.37 Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.37 Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> !Start; -# -# -#5.38 Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.38 Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> !Start; -# -# -#5.39 Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.39 Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> !Start; -# -# -#5.40 Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 5.40 Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> !4; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> !Start; -# -# -#18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !AllowOnlineTips; -# -# -#18.4.4 Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.4.4 Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> !1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> !DisableSavePassword; -# -# -#18.4.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' -[CIS - Microsoft Windows 10 - 18.4.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime; -# -# -#18.4.8 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.4.8 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery; -# -# -#18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows 10 - 18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows 10 - 18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableFontProviders; -# -# -#18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0; -# -# -#18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0; -# -# -#18.5.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled; -# -# -#18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') -[CIS - Microsoft Windows 10 - 18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents; -# -# -#18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar; -# -# -#18.5.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.5.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi; -# -# -#18.8.22.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith; -# -# -#18.8.22.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing; -# -# -#18.8.22.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports; -# -# -#18.8.22.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.22.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW; -# -# -#18.8.22.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1; -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration; -# -# -#18.8.22.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates; -# -# -#18.8.22.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard; -# -# -#18.8.22.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard; -# -# -#18.8.22.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP; -# -# -#18.8.22.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable; -# -# -#18.8.22.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.22.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport; -# -# -#18.8.25.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' -[CIS - Microsoft Windows 10 - 18.8.25.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> !1; -# -# -#18.8.26.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.26.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn; -# -# -#18.8.44.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.44.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer; -# -# -#18.8.44.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.44.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled; -# -# -#18.8.46.1 Ensure 'Turn off the advertising ID' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.46.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy; -# -# -#18.8.49.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.8.49.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled; -# -# -#18.8.49.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.8.49.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0; -# -# -#18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> !0; -# -# -#18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !BlockHostedAppAccessWinRT; -# -# -#18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> !AllowCamera; -# -# -#18.9.16.2 Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' -[CIS - Microsoft Windows 10 - 18.9.16.2 Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DisableEnterpriseAuthProxy; -# -# -#18.9.39.2 Ensure 'Turn off location' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.39.2 Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation; -# -# -#18.9.43.1 Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.43.1 Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> !AllowMessageSync; -# -# -#18.9.45.1 Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.45.1 Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> !ShowOneBox; -# -# -#18.9.45.2 Ensure 'Allow Adobe Flash' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.45.2 Ensure 'Allow Adobe Flash' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> !FlashPlayerEnabled; -# -# -#18.9.45.3 Ensure 'Allow InPrivate Browsing' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.45.3 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !AllowInPrivate; -# -# -#18.9.45.6 Ensure 'Configure Pop-up Blocker' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.45.6 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> !r:yes; -# -# -#18.9.45.7 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.45.7 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> !ShowSearchSuggestionsGlobal; -# -# -#18.9.45.9 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.45.9 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !PreventAccessToAboutFlagsInMicrosoftEdge; -# -# -#18.9.45.10 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.45.10 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !HideLocalHostIP; -# -# -#18.9.57.1 Ensure 'Turn off Push To Install service' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.57.1 Ensure 'Turn off Push To Install service' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> !DisablePushToInstall; -# -# -#18.9.58.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> !1; -# -# -#18.9.58.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm; -# -# -#18.9.58.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT; -# -# -#18.9.58.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.58.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir; -# -# -#18.9.58.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' -[CIS - Microsoft Windows 10 - 18.9.58.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime; -# -# -#18.9.58.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' -[CIS - Microsoft Windows 10 - 18.9.58.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime; -# -# -#18.9.60.2 Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' -[CIS - Microsoft Windows 10 - 18.9.60.2 Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCloudSearch; -# -# -#18.9.65.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.65.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket; -# -# -#18.9.68.1 Ensure 'Disable all apps from Windows Store' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.68.1 Ensure 'Disable all apps from Windows Store' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableStoreApps; -# -# -#18.9.68.4 Ensure 'Turn off the Store application' is set to 'Enabled' -[CIS - Microsoft Windows 10 - 18.9.68.4 Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore; -# -# -#18.9.76.3.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.76.3.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0; -# -# -#18.9.76.9.1 Ensure 'Configure Watson events' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.76.9.1 Ensure 'Configure Watson events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts; -# -# -#18.9.84.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.84.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowSuggestedAppsInWindowsInkWorkspace; -# -# -#18.9.85.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.85.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0; -# -# -#18.9.97.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.97.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0; -# -# -#18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' -[CIS - Microsoft Windows 10 - 18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/766] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess; -# -# -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt deleted file mode 100644 index f6c388f..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt +++ /dev/null @@ -1,1062 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2012 R2 Domain Controller L1 -# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288) -# -# -# -#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' -[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+; -# -# -#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.2: Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser; -# -# -#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.4: Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0; -# -# -#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.1: Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1; -# -# -#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.2: Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2; -# -# -#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.1: Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2; -# -# -#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.2: Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1; -# -# -#2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) -[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.1: Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> !0; - -# -# -#2.3.5.2 Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.2: Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> !2; -# -# -#2.3.5.3 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.3: Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 1; -# -# -#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.1: Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0; -# -# -#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.2: Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0; -# -# -#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.3: Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0; -# -# -#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.4: Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1; -# -# -#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.6: Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0; -# -# -#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.1: Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName; -# -# -#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.2: Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD; -# -# -#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.3: Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs; -# -# -#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.7: Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+; -# -# -#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption; -# -# -#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.1: Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature; -# -# -#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.2: Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1; -# -# -#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.3: Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0; -# -# -#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.1: Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect; -# -# -#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.2: Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature; -# -# -#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.3: Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature; -# -# -#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.4: Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.5: Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2; -# -# -#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.6: Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> !r:lsarpc|netlogon|samr; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes; -# -# -#2.3.10.7 Configure 'Network access: Remotely accessible registry paths' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.7: Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion; -# -# -#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.8: Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS; -# -# -#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.9: Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1; -# -# -#2.3.10.10 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.10: Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*; -# -# -#2.3.10.11 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.11: Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1; -# -# -#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.1: Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId; -# -# -#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.2: Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback; -# -# -#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.3: Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0; -# -# -#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.4: Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644; -# -# -#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.5: Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0; -# -# -#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.6: Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel; -# -# -#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1; -# -# -#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption''] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec; -# -# -#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec; -# -# -#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1; -# -# -#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1; -# -# -#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1; -# -# -#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken; -# -# -#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1; -# -# -#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin; -# -# -#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser; -# -# -#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0; -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection; -# -# -#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0; -# -# -#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0; -# -# -#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0; -# -# -#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0; -# -# -#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0; -# -# -#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0; -# -# -#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1; -# -# -#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications; -# -# -#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.7: Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0; -# -# -#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0; -# -# -#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1; -# -# -#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0; -# -# -#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0; -# -# -#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0; -# -# -#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1; -# -# -#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.4: Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0; -# -# -#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera; -# -# -#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow; -# -# -#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0; -# -# -#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect; -# -# -#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1; -# -# -#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0; -# -# -#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+; -# -# -#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel; -# -# -#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA; -# -# -#18.4.11.3 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.3: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation; -# -# -#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1; -# -# -#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0; -# -# -#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0; -# -# -#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3; -# -# -#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy; -# -# -#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges; -# -# -#18.8.19.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.4: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0; -# -# -#18.8.25.1 Ensure 'Do not display network selection UI' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.1: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI; -# -# -#18.8.25.2 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.2: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers; -# -# -#18.8.25.3 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.3: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0; -# -# -#18.8.25.4 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.4: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications; -# -# -#18.8.25.5 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.5: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0; -# -# -#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0; -# -# -#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp; -# -# -#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional; -# -# -#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume; -# -# -#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun; -# -# -#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun; -# -# -#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal; -# -# -#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0; -# -# -#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0; -# -# -#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize; -# -# -#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0; -# -# -#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize; -# -# -#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0; -# -# -#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize; -# -# -#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0; -# -# -#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize; -# -# -#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen; -# -# -#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0; -# -# -#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0; -# -# -#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0; -# -# -#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC; -# -# -#18.9.47.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.2: Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync; -# -# -#18.9.52.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving; -# -# -#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm; -# -# -#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword; -# -# -#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic; -# -# -#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3; -# -# -#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1; -# -# -#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1; -# -# -#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload; -# -# -#18.9.54.2 Ensure 'Allow indexing of encrypted files' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.2: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0; -# -# -#18.9.61.1 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.1: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4; -# -# -#18.9.61.2 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.2: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade; -# -# -#18.9.70.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.2.1: Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1; -# -# -#18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.3: Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps; -# -# -#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0; -# -# -#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0; -# -# -#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn; -# -# -#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging; -# -# -#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0; -# -# -#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0; -# -# -#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest; -# -# -#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0; -# -# -#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs; -# -# -#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate; -# -# -#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay; -# -# -#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0; -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt deleted file mode 100644 index 4c922ca..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt +++ /dev/null @@ -1,340 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2012 R2 Domain Controller L2 -# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288) -# -# -#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.4: Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds; -# -# -#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.5: Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime; -# -# -#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.7: Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery; -# -# -#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.10: Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.11: Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.1: Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0; -# -# -#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.2: Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0; -# -# -#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.10.2: Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled; -# -# -#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') -[CIS - Microsoft Windows Server 2012 R2 - 18.4.19.2.1: Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents; -# -# -#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.1: Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar; -# -# -#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.2: Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi; -# -# -#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith; -# -# -#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload; -# -# -#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing; -# -# -#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports; -# -# -#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW; -# -# -#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices; -# -# -#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting; -# -# -#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1; -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration; -# -# -#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates; -# -# -#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard; -# -# -#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard; -# -# -#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP; -# -# -#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable; -# -# -#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport; -# -# -#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.24.1: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn; -# -# -#18.8.29.5.1 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.1: Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1; -# -# -#18.8.29.5.2 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.2: Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1; -# -# -#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.5.1: Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer; -# -# -#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.11.1: Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled; -# -# -#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.41.1: Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy; -# -# -#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.1: Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled; -# -# -#18.9.37.1 Ensure 'Turn off location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.37.1: Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation; -# -# -#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.2.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser; -# -# -#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm; -# -# -#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.3: Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT; -# -# -#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.4: Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir; -# -# -#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.1: Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime; -# -# -#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.2: Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime; -# -# -#18.9.54.3 Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.3: Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy; -# -# -#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.59.1: Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket; -# -# -#18.9.61.3 Ensure 'Turn off the Store application' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.3: Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore; -# -# -#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.69.3.1: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0; -# -# -#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.3: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0; -# -# -#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.2: Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0; -# -# -#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.87.1: Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess; -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt deleted file mode 100644 index 133b289..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt +++ /dev/null @@ -1,1129 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2012 R2 Domain Controller L2 -# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288) -# -# -#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' -[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+; -# -# -#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.2: Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser; -# -# -#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.4: Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0; -# -# -#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.1: Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1; -# -# -#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.2: Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2; -# -# -#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.1: Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2; -# -# -#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.2: Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1; -# -# -#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.1: Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0; -# -# -#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.2: Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0; -# -# -#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.3: Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0; -# -# -#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.4: Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1; -# -# -#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.6: Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0; -# -# -#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.1: Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName; -# -# -#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.2: Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD; -# -# -#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.3: Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs; -# -# -#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.7: Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+; -# -# -#2.3.7.8 Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.8: Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ForceUnlockLogon; -# -# -#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher -[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption; -# -# -#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.1: Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature; -# -# -#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.2: Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1; -# -# -#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.3: Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0; -# -# -#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.1: Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect; -# -# -#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.2: Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature; -# -# -#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.3: Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature; -# -# -#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.4: Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher -[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.5: Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel; -# -# -#2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.2: Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0; -# -# -#2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.3: Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1; -# -# -#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.5: Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2; -# -# -#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.6: Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes; -# -# -#2.3.10.7 Configure 'Network access: Remotely accessible registry paths' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.7: Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion; -# -# -#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.8: Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS; -# -# -#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.9: Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1; -# -# -#2.3.10.10 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.10: Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*; -# -# -#2.3.10.11 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.11: Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1; -# -# -#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.1: Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId; -# -# -#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.2: Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback; -# -# -#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.3: Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0; -# -# -#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.4: Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644; -# -# -#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.5: Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0; -# -# -#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.6: Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel; -# -# -#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1; -# -# -#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption''] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec; -# -# -#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec; -# -# -#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1; -# -# -#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1; -# -# -#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1; -# -# -#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken; -# -# -#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1; -# -# -#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin; -# -# -#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser; -# -# -#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0; -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection; -# -# -#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0; -# -# -#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0; -# -# -#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0; -# -# -#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0; -# -# -#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0; -# -# -#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0; -# -# -#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1; -# -# -#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications; -# -# -#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.7: Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0; -# -# -#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0; -# -# -#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1; -# -# -#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0; -# -# -#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.2.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0; -# -# -#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0; -# -# -#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1; -# -# -#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.4: Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0; -# -# -#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2012 R2 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera; -# -# -#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow; -# -# -#18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed -[CIS - Microsoft Windows Server 2012 R2 - 18.2.1: Ensure LAPS AdmPwd GPO Extension / CSE is installed] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName; -# -# -#18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.2.2: Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled; -# -# -#18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.2.3: Ensure 'Enable Local Admin Password Management' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled; -# -# -#18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' -[CIS - Microsoft Windows Server 2012 R2 - 18.2.4: Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4; -# -# -#18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' -[CIS - Microsoft Windows Server 2012 R2 - 18.2.5: Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength; -# -# -#18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' -[CIS - Microsoft Windows Server 2012 R2 - 18.2.6: Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+; -# -# -#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0; -# -# -#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect; -# -# -#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1; -# -# -#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0; -# -# -#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+; -# -# -#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel; -# -# -#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA; -# -# -#18.4.11.3 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.3: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation; -# -# -#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1; -# -# -#18.6.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.6.1: Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0; -# -# -#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0; -# -# -#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0; -# -# -#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3; -# -# -#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy; -# -# -#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges; -# -# -#18.8.19.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.4: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0; -# -# -#18.8.25.1 Ensure 'Do not display network selection UI' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.1: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI; -# -# -#18.8.25.2 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.2: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers; -# -# -#18.8.25.3 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.3: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0; -# -# -#18.8.25.4 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.4: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications; -# -# -#18.8.25.5 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.5: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0; -# -# -#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0; -# -# -#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp; -# -# -#18.8.32.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.32.1: Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution; -# -# -#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional; -# -# -#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume; -# -# -#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun; -# -# -#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun; -# -# -#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal; -# -# -#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0; -# -# -#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0; -# -# -#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize; -# -# -#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0; -# -# -#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize; -# -# -#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0; -# -# -#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize; -# -# -#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0; -# -# -#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize; -# -# -#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen; -# -# -#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0; -# -# -#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0; -# -# -#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0; -# -# -#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC; -# -# -#18.9.47.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.2: Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync; -# -# -#18.9.52.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving; -# -# -#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm; -# -# -#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword; -# -# -#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic; -# -# -#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3; -# -# -#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1; -# -# -#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1; -# -# -#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload; -# -# -#18.9.54.2 Ensure 'Allow indexing of encrypted files' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.2: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0; -# -# -#18.9.61.1 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.1: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4; -# -# -#18.9.61.2 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.2: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade; -# -# -#18.9.70.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.2.1: Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1; -# -# -#18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.3: Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps; -# -# -#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0; -# -# -#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0; -# -# -#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn; -# -# -#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging; -# -# -#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0; -# -# -#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0; -# -# -#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest; -# -# -#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0; -# -# -#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs; -# -# -#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate; -# -# -#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay; -# -# -#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0; -# -# -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt deleted file mode 100644 index 1c24aaf..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt +++ /dev/null @@ -1,378 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2012 R2 Domain Controller L2 -# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288) -# -# -#2.3.7.6 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' -[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 5; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> a; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> b; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> c; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> e; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> f; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> \w\w+; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount; -# -# -#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.4: Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds; -# -# -#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.5: Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime; -# -# -#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.7: Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery; -# -# -#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.10: Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2012 R2 - 18.3.11: Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.1: Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0; -# -# -#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.2: Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0; -# -# -#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.10.2: Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled; -# -# -#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') -[CIS - Microsoft Windows Server 2012 R2 - 18.4.19.2.1: Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents; -# -# -#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.1: Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar; -# -# -#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.2: Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi; -# -# -#18.4.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.2: Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain; -# -# -#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith; -# -# -#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload; -# -# -#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing; -# -# -#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports; -# -# -#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW; -# -# -#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices; -# -# -#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting; -# -# -#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1; -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration; -# -# -#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates; -# -# -#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard; -# -# -#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard; -# -# -#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP; -# -# -#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable; -# -# -#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport; -# -# -#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.24.1: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn; -# -# -#18.8.29.5.1 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.1: Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !DCSettingIndex; -# -# -#18.8.29.5.2 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.2: Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !ACSettingIndex; -# -# -#18.8.32.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.32.2: Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !RestrictRemoteClients; -# -# -#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.5.1: Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer; -# -# -#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.11.1: Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled; -# -# -#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.41.1: Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy; -# -# -#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.1: Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled; -# -# -#18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.2: Ensure 'Enable Windows NTP Server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0; -# -# -#18.9.37.1 Ensure 'Turn off location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.37.1: Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation; -# -# -#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.2.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser; -# -# -#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm; -# -# -#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.3: Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT; -# -# -#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.4: Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir; -# -# -#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.1: Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime; -# -# -#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.2: Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime; -# -# -#18.9.54.3 Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.3: Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy; -# -# -#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.59.1: Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket; -# -# -#18.9.61.3 Ensure 'Turn off the Store application' is set to 'Enabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.3: Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore; -# -# -#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.69.3.1: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0; -# -# -#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.3: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0; -# -# -#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.2: Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0; -# -# -#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' -[CIS - Microsoft Windows Server 2012 R2 - 18.9.87.1: Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess; -# - - diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_domainL1_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_domainL1_rcl.txt deleted file mode 100644 index 19dc329..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_domainL1_rcl.txt +++ /dev/null @@ -1,1144 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2016 Domain Controller L1 -# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515) -# -# -# -#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' -[CIS - Microsoft Windows Server 2016 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser; -# -# -#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0; -# -# -#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1; -# -# -#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2; -# -# -#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' -[CIS - Microsoft Windows Server 2016 - 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2; -# -# -#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1; -# -# -#2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> !0; -# -# -#2.3.5.2 Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' -[CIS - Microsoft Windows Server 2016 - 2.3.5.2 Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> !2; -# -# -#2.3.5.3 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.5.3 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 1; -# -# -#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0; -# -# -#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0; -# -# -#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0; -# -# -#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> !0; -# -# -#2.3.6.6 Ensure 'Domain member: Require strong session key' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.6 Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> !1; -# -# -#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> !1; -# -# -#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> !0; -# -# -#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' -[CIS - Microsoft Windows Server 2016 - 2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs; -# -# -#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' -[CIS - Microsoft Windows Server 2016 - 2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+; -# -# -#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher -[CIS - Microsoft Windows Server 2016 - 2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption; -# -# -#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature; -# -# -#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1; -# -# -#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0; -# -# -#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' -[CIS - Microsoft Windows Server 2016 - 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect; -# -# -#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature; -# -# -#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature; -# -# -#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2; -# -# -#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously' -[CIS - Microsoft Windows Server 2016 - 2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> !r:lsarpc|netlogon|samr; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes; -# -# -#2.3.10.7 Configure 'Network access: Remotely accessible registry paths' -[CIS - Microsoft Windows Server 2016 - 2.3.10.7 Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion; -# -# -#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths' -[CIS - Microsoft Windows Server 2016 - 2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS; -# -# -#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1; -# -# -#2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' -[CIS - Microsoft Windows Server 2016 - 2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*; -# -# -#2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' -[CIS - Microsoft Windows Server 2016 - 2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1; -# -# -#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId; -# -# -#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback; -# -# -#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0; -# -# -#2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' -[CIS - Microsoft Windows Server 2016 - 2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644; -# -# -#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0; -# -# -#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' -[CIS - Microsoft Windows Server 2016 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel; -# -# -#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher -[CIS - Microsoft Windows Server 2016 - 2.3.11.8: Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1; -# -# -#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2016 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec; -# -# -#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2016 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec; -# -# -#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1; -# -# -#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1; -# -# -#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1; -# -# -#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken; -# -# -#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1; -# -# -#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' -[CIS - Microsoft Windows Server 2016 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin; -# -# -#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' -[CIS - Microsoft Windows Server 2016 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser; -# -# -#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0; -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection; -# -# -#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0; -# -# -#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0; -# -# -#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0; -# -# -#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0; -# -# -#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2016 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0; -# -# -#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block' -[CIS - Microsoft Windows Server 2016 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0; -# -# -#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow' -[CIS - Microsoft Windows Server 2016 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1; -# -# -#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications; -# -# -#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2016 - 9.1.7: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' -[CIS - Microsoft Windows Server 2016 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2016 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0; -# -# -#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block' -[CIS - Microsoft Windows Server 2016 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0; -# -# -#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2016 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1; -# -# -#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0; -# -# -#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2016 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2016 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' -[CIS - Microsoft Windows Server 2016 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' -[CIS - Microsoft Windows Server 2016 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.2.10 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.2.10: Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' -[CIS - Microsoft Windows Server 2016 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0; -# -# -#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2016 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0; -# -# -#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2016 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1; -# -# -#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.3.4: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0; -# -# -#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' -[CIS - Microsoft Windows Server 2016 - 9.3.7: Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' -[CIS - Microsoft Windows Server 2016 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera; -# -# -#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow; -# -# -#18.1.2.1 Ensure 'Allow Input Personalization' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.1.2.1: Ensure 'Allow Input Personalization' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> !AllowInputPersonalization; -# -# -#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0; -# -# -#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect; -# -# -#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1; -# -# -#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0; -# -# -#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' -[CIS - Microsoft Windows Server 2016 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+; -# -# -#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' -[CIS - Microsoft Windows Server 2016 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel; -# -# -#18.4.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.8.1: Ensure 'Enable insecure guest logons' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> !AllowInsecureGuestAuth; -# -# -#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA; -# -# -#18.4.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.11.3: Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_ShowSharedAccessUI; -# -# -#18.4.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.11.4: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation; -# -# -#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1; -# -# -#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0; -# -# -#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0; -# -# -#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' -[CIS - Microsoft Windows Server 2016 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3; -# -# -#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' -[CIS - Microsoft Windows Server 2016 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy; -# -# -#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' -[CIS - Microsoft Windows Server 2016 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges; -# -# -#18.8.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.19.4: Ensure 'Continue experiences on this device' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableCdp; -# -# -#18.8.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.19.5: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0; -# -# -#18.8.25.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.1: Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> !1; -# -# -#18.8.25.2 Ensure 'Do not display network selection UI' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.2: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI; -# -# -#18.8.25.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.3: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers; -# -# -#18.8.25.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.4: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0; -# -# -#18.8.25.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.5: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications; -# -# -#18.8.25.6 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.6: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0; -# -# -#18.8.26.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events' -[CIS - Microsoft Windows Server 2016 - 18.8.26.1: Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions -> MitigationOptions_FontBocking -> !1000000000000; -# -# -#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0; -# -# -#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp; -# -# -#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional; -# -# -#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume; -# -# -#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' -[CIS - Microsoft Windows Server 2016 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun; -# -# -#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' -[CIS - Microsoft Windows Server 2016 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun; -# -# -#18.9.10.1.1 Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.10.1.1: Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> !1; -# -# -#18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.13.1: Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> !DisableWindowsConsumerFeatures; -# -# -#18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled' (Scored) -[CIS - Microsoft Windows Server 2016 - 18.9.14.1: Ensure 'Require pin for pairing' is set to 'Enabled' (Scored)] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> !RequirePinForPairing; -# -# -#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal; -# -# -#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0; -# -# -#18.9.16.1 Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' -[CIS - Microsoft Windows Server 2016 - 18.9.16.1: Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !AllowTelemetry; -# -# -#18.9.16.2 Ensure 'Disable pre-release features or settings' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.16.2: Ensure 'Disable pre-release features or settings' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !EnableConfigFlighting; -# -# -#18.9.16.3 Ensure 'Do not show feedback notifications' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.16.3: Ensure 'Do not show feedback notifications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DoNotShowFeedbackNotifications; -# -# -#18.9.16.4 Ensure 'Toggle user control over Insider builds' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.16.4: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !AllowBuildPreview; -# -# -#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 1; -# -# -#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize; -# -# -#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0; -# -# -#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize; -# -# -#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0; -# -# -#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize; -# -# -#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0; -# -# -#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize; -# -# -#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen; -# -# -#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0; -# -# -#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0; -# -# -#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0; -# -# -#18.9.41.3 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher -[CIS - Microsoft Windows Server 2016 - 18.9.41.3: Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> 2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !Cookies; -# -# -#18.9.41.4 Ensure 'Configure Password Manager' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.4: Ensure 'Configure Password Manager' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> !no; -# -# -#18.9.41.6 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.6: Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> !ShowSearchSuggestionsGlobal; -# -# -#18.9.41.7 Ensure 'Configure SmartScreen Filter' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.7: Ensure 'Configure SmartScreen Filter' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> !1; -# -# -#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC; -# -# -#18.9.52.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving; -# -# -#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm; -# -# -#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword; -# -# -#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic; -# -# -#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3; -# -# -#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1; -# -# -#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1; -# -# -#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload; -# -# -#18.9.54.2 Ensure 'Allow Cortana' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.2: Ensure 'Allow Cortana' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortana; -# -# -#18.9.54.3 Ensure 'Allow Cortana above lock screen' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.3: Ensure 'Allow Cortana above lock screen' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortanaAboveLock; -# -# -#18.9.54.4 Ensure 'Allow indexing of encrypted files' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.4: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0; -# -# -#18.9.54.5 Ensure 'Allow search and Cortana to use location' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.5: Ensure 'Allow search and Cortana to use location' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowSearchToUseLocation; -# -# -#18.9.61.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.2: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4; -# -# -#18.9.61.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.3: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade; -# -# -#18.9.73.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' -[CIS - Microsoft Windows Server 2016 - 18.9.73.2: Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowWindowsInkWorkspace; -# -# -#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0; -# -# -#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0; -# -# -#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn; -# -# -#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging; -# -# -#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0; -# -# -#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0; -# -# -#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest; -# -# -#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0; -# -# -#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs; -# -# -#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate; -# -# -#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' -[CIS - Microsoft Windows Server 2016 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay; -# -# -#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0; -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_domainL2_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_domainL2_rcl.txt deleted file mode 100644 index 8a64af6..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_domainL2_rcl.txt +++ /dev/null @@ -1,468 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2016 Domain Controller L2 -# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515) -# -# -#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds; -# -# -#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' -[CIS - Microsoft Windows Server 2016 - 18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime; -# -# -#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery; -# -# -#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2016 - 18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2016 - 18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableFontProviders; -# -# -#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0; -# -# -#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0; -# -# -#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled; -# -# -#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') -[CIS - Microsoft Windows Server 2016 - 18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents; -# -# -#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar; -# -# -#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi; -# -# -#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith; -# -# -#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload; -# -# -#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing; -# -# -#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports; -# -# -#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW; -# -# -#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices; -# -# -#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting; -# -# -#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1; -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration; -# -# -#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates; -# -# -#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard; -# -# -#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard; -# -# -#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP; -# -# -#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable; -# -# -#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport; -# -# -#18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' -[CIS - Microsoft Windows Server 2016 - 18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> !1; -# -# -#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn; -# -# -#18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !DCSettingIndex; -# -# -#18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !ACSettingIndex; -# -# -#18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1; -# -# -#18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1; -# -# -#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer; -# -# -#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled; -# -# -#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy; -# -# -#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled; -# -# -#18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> !0; -# -# -#18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny' -[CIS - Microsoft Windows Server 2016 - 18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessAccountInfo -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessAccountInfo; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCallHistory -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCallHistory; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessContacts -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessContacts; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessEmail -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessEmail; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessLocation -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessLocation; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMessaging -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMessaging; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMotion -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMotion; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCalendar -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCalendar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCamera; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMicrophone -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMicrophone; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessTrustedDevices -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessTrustedDevices; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessRadios -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessRadios; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsSyncWithDevices -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsSyncWithDevices; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessPhone -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessPhone; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessNotifications -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessNotifications; -# -# -#18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !BlockHostedAppAccessWinRT; -# -# -#18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> !AllowCamera; -# -# -#18.9.37.2 Ensure 'Turn off location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.37.2 Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation; -# -# -#18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> ExtensionsEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> !ExtensionsEnabled; -# -# -#18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !AllowInPrivate; -# -# -#18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> !r:yes; -# -# -#18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !PreventAccessToAboutFlagsInMicrosoftEdge; -# -# -#18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverrideAppRepUnknown; -# -# -#18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverride; -# -# -#18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !HideLocalHostIP; -# -# -#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser; -# -# -#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm; -# -# -#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT; -# -# -#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir; -# -# -#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime; -# -# -#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime; -# -# -#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket; -# -# -#18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableStoreApps; -# -# -#18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore; -# -# -#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0; -# -# -#18.9.69.8 Ensure 'Configure Watson events' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.69.8 Ensure 'Configure Watson events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts; -# -# -#18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowSuggestedAppsInWindowsInkWorkspace; -# -# -#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0; -# -# -#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0; -# -# -#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess; -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_memberL1_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_memberL1_rcl.txt deleted file mode 100644 index 9082700..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_memberL1_rcl.txt +++ /dev/null @@ -1,1226 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2016 Member Server L1 -# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515) -# -# -# -#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' -[CIS - Microsoft Windows Server 2016 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser; -# -# -#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0; -# -# -#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1; -# -# -#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2; -# -# -#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' -[CIS - Microsoft Windows Server 2016 - 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> !0; -# -# -#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1; -# -# -#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0; -# -# -#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0; -# -# -#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0; -# -# -#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1; -# -# -#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0; -# -# -#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName; -# -# -#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD; -# -# -#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' -[CIS - Microsoft Windows Server 2016 - 2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs; -# -# -#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' -[CIS - Microsoft Windows Server 2016 - 2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+; -# -# -#2.3.7.8 Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.7.8 Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ForceUnlockLogon; -# -# -#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher -[CIS - Microsoft Windows Server 2016 - 2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption; -# -# -#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature; -# -# -#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1; -# -# -#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0; -# -# -#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' -[CIS - Microsoft Windows Server 2016 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect; -# -# -#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature; -# -# -#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature; -# -# -#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher -[CIS - Microsoft Windows Server 2016 - 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel; -# -# -#2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0; -# -# -#2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1; -# -# -#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2; -# -# -#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously' -[CIS - Microsoft Windows Server 2016 - 2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes; -# -# -#2.3.10.7 Configure 'Network access: Remotely accessible registry paths' -[CIS - Microsoft Windows Server 2016 - 2.3.10.7 Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion; -# -# -#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths' -[CIS - Microsoft Windows Server 2016 - 2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS; -# -# -#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1; -# -# -#2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' -[CIS - Microsoft Windows Server 2016 - 2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> !r:O:BAG:BAD:\(A;;RC;;;BA\); -# -# -#2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' -[CIS - Microsoft Windows Server 2016 - 2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*; -# -# -#2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' -[CIS - Microsoft Windows Server 2016 - 2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1; -# -# -#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId; -# -# -#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback; -# -# -#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0; -# -# -#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' -[CIS - Microsoft Windows Server 2016 - 2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644; -# -# -#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0; -# -# -#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1; -# -# -#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' -[CIS - Microsoft Windows Server 2016 - 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel; -# -# -#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher -[CIS - Microsoft Windows Server 2016 - 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1; -# -# -#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2016 - 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec; -# -# -#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' -[CIS - Microsoft Windows Server 2016 - 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec; -# -# -#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1; -# -# -#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1; -# -# -#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1; -# -# -#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken; -# -# -#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1; -# -# -#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' -[CIS - Microsoft Windows Server 2016 - 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin; -# -# -#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' -[CIS - Microsoft Windows Server 2016 - 2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1; -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser; -# -# -#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0; -r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection; -# -# -#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0; -# -# -#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0; -# -# -#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0; -# -# -#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0; -# -# -#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2016 - 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0; -# -# -#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2016 - 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0; -# -# -#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2016 - 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1; -# -# -#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications; -# -# -#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2016 - 9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2016 - 9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2016 - 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2016 - 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2016 - 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0; -# -# -#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2016 - 9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0; -# -# -#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2016 - 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1; -# -# -#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0; -# -# -#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2016 - 9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)' -[CIS - Microsoft Windows Server 2016 - 9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2016 - 9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2016 - 9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On' -[CIS - Microsoft Windows Server 2016 - 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0; -# -# -#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' -[CIS - Microsoft Windows Server 2016 - 9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0; -# -# -#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' -[CIS - Microsoft Windows Server 2016 - 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1; -# -# -#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0; -# -# -#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0; -# -# -#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' -[CIS - Microsoft Windows Server 2016 - 9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0; -# -# -#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log' -[CIS - Microsoft Windows Server 2016 - 9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; -# -# -#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater' -[CIS - Microsoft Windows Server 2016 - 9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w; -# -# -#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0; -# -# -#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' -[CIS - Microsoft Windows Server 2016 - 9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0; -# -# -#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera; -# -# -#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow; -# -# -#18.1.2.1 Ensure 'Allow Input Personalization' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.1.2.1 Ensure 'Allow Input Personalization' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> !AllowInputPersonalization; -# -# -#18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed -[CIS - Microsoft Windows Server 2016 - 18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName; -# -# -#18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled; -# -# -#18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled; -# -# -#18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' -[CIS - Microsoft Windows Server 2016 - 18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4; -# -# -#18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' -[CIS - Microsoft Windows Server 2016 - 18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength; -# -# -#18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' -[CIS - Microsoft Windows Server 2016 - 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+; -# -# -#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0; -# -# -#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting; -# -# -#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect; -# -# -#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1; -# -# -#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0; -# -# -#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' -[CIS - Microsoft Windows Server 2016 - 18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+; -# -# -#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' -[CIS - Microsoft Windows Server 2016 - 18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel; -# -# -#18.4.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') -[CIS - Microsoft Windows Server 2016 - 18.4.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> !2; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> !NodeType; -# -# -#18.4.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> !EnableMulticast; -# -# -#18.4.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> !AllowInsecureGuestAuth; -# -# -#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA; -# -# -#18.4.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_ShowSharedAccessUI; -# -# -#18.4.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation; -# -# -#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1; -# -# -#18.6.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.6.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0; -# -# -#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0; -# -# -#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0; -# -# -#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' -[CIS - Microsoft Windows Server 2016 - 18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3; -# -# -#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' -[CIS - Microsoft Windows Server 2016 - 18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy; -# -# -#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' -[CIS - Microsoft Windows Server 2016 - 18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges; -# -# -#18.8.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableCdp; -# -# -#18.8.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0; -# -# -#18.8.25.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockUserFromShowingAccountDetailsOnSignin; -# -# -#18.8.25.2 Ensure 'Do not display network selection UI' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.2 Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI; -# -# -#18.8.25.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers; -# -# -#18.8.25.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0; -# -# -#18.8.25.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications; -# -# -#18.8.25.6 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.25.6 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0; -# -# -#18.8.26.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events' -[CIS - Microsoft Windows Server 2016 - 18.8.26.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions -> MitigationOptions_FontBocking -> !1000000000000; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions -> !MitigationOptions_FontBocking; -# -# -#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0; -# -# -#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp; -# -# -#18.8.32.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.32.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution; -# -# -#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional; -# -# -#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume; -# -# -#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' -[CIS - Microsoft Windows Server 2016 - 18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun; -# -# -#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' -[CIS - Microsoft Windows Server 2016 - 18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun; -# -# -#18.9.10.1.1 Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.10.1.1 Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> !EnhancedAntiSpoofing; -# -# -#18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.13.1 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> !DisableWindowsConsumerFeatures; -# -# -#18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.14.1 Ensure 'Require pin for pairing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> !RequirePinForPairing; -# -# -#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal; -# -# -#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0; -# -# -#18.9.16.2 Ensure 'Disable pre-release features or settings' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.16.2 Ensure 'Disable pre-release features or settings' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !EnableConfigFlighting; -# -# -#18.9.16.3 Ensure 'Do not show feedback notifications' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.16.3: Ensure 'Do not show feedback notifications' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DoNotShowFeedbackNotifications; -# -# -#18.9.16.4 Ensure 'Toggle user control over Insider builds' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.16.4: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !AllowBuildPreview; -# -# -#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 1; -# -# -#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize; -# -# -#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0; -# -# -#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize; -# -# -#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0; -# -# -#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize; -# -# -#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0; -# -# -#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' -[CIS - Microsoft Windows Server 2016 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize; -# -# -#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen; -# -# -#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0; -# -# -#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0; -# -# -#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0; -# -# -#18.9.41.3 Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher -[CIS - Microsoft Windows Server 2016 - 18.9.41.3: Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> 2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !Cookies; -# -# -#18.9.41.4 Ensure 'Configure Password Manager' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.4: Ensure 'Configure Password Manager' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> !no; -# -# -#18.9.41.6 Ensure 'Configure search suggestions in Address bar' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.6: Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> !ShowSearchSuggestionsGlobal; -# -# -#18.9.41.7 Ensure 'Configure SmartScreen Filter' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.7: Ensure 'Configure SmartScreen Filter' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> !1; -# -# -#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC; -# -# -#18.9.52.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving; -# -# -#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm; -# -# -#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword; -# -# -#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic; -# -# -#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3; -# -# -#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1; -# -# -#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1; -# -# -#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload; -# -# -#18.9.54.2 Ensure 'Allow Cortana' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.2: Ensure 'Allow Cortana' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortana; -# -# -#18.9.54.3 Ensure 'Allow Cortana above lock screen' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.3: Ensure 'Allow Cortana above lock screen' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortanaAboveLock; -# -# -#18.9.54.4 Ensure 'Allow indexing of encrypted files' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.4: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0; -# -# -#18.9.54.5 Ensure 'Allow search and Cortana to use location' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.54.5: Ensure 'Allow search and Cortana to use location' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowSearchToUseLocation; -# -# -#18.9.61.2 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.2: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4; -# -# -#18.9.61.3 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.3: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade; -# -# -#18.9.73.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' -[CIS - Microsoft Windows Server 2016 - 18.9.73.2: Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowWindowsInkWorkspace; -# -# -#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0; -# -# -#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0; -# -# -#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn; -# -# -#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging; -# -# -#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0; -# -# -#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0; -# -# -#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest; -# -# -#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0; -# -# -#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0; -# -# -#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs; -# -# -#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate; -# -# -#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' -[CIS - Microsoft Windows Server 2016 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay; -# -# -#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0; -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_memberL2_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_memberL2_rcl.txt deleted file mode 100644 index 96f7ac5..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/cis_win2016_memberL2_rcl.txt +++ /dev/null @@ -1,492 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# CIS Checks for Windows Server 2016 Member Server L2 -# Based on Center for Internet Security Benchmark v1.0.0 for Microsoft Windows Server 2016 (https://workbench.cisecurity.org/benchmarks/515) -# -# -# -#2.3.7.6 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' -[CIS - Microsoft Windows Server 2016 - 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> !4; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount; -# -# -#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds; -# -# -#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' -[CIS - Microsoft Windows Server 2016 - 18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime; -# -# -#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery; -# -# -#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2016 - 18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' -[CIS - Microsoft Windows Server 2016 - 18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions; -# -# -#18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.5.1 Ensure 'Enable Font Providers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableFontProviders; -# -# -#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0; -# -# -#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0; -# -# -#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled; -# -# -#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') -[CIS - Microsoft Windows Server 2016 - 18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents; -# -# -#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar; -# -# -#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi; -# -# -#18.4.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.4.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain; -# -# -#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith; -# -# -#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload; -# -# -#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing; -# -# -#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports; -# -# -#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW; -# -# -#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices; -# -# -#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting; -# -# -#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1; -r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration; -# -# -#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates; -# -# -#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard; -# -# -#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard; -# -# -#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP; -# -# -#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable; -# -# -#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport; -# -# -#18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' -[CIS - Microsoft Windows Server 2016 - 18.8.23.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> !1; -# -# -#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn; -# -# -#18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !DCSettingIndex; -# -# -#18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !ACSettingIndex; -# -# -#18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1; -# -# -#18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.29.5.4 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1; -# -# -#18.8.32.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' -[CIS - Microsoft Windows Server 2016 - 18.8.32.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !RestrictRemoteClients; -# -# -#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer; -# -# -#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled; -# -# -#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy; -# -# -#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled; -# -# -#18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0; -# -# -#18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> !0; -# -# -#18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny' -[CIS - Microsoft Windows Server 2016 - 18.9.5.1 Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessAccountInfo -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessAccountInfo; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCallHistory -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCallHistory; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessContacts -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessContacts; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessEmail -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessEmail; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessLocation -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessLocation; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMessaging -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMessaging; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMotion -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMotion; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCalendar -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCalendar; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessCamera -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessCamera; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessMicrophone -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessMicrophone; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessTrustedDevices -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessTrustedDevices; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessRadios -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessRadios; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsSyncWithDevices -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsSyncWithDevices; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessPhone -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessPhone; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsAccessNotifications -> !2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> !LetAppsAccessNotifications; -# -# -#18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.6.2 Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !BlockHostedAppAccessWinRT; -# -# -#18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> !AllowCamera; -# -# -#18.9.37.2 Ensure 'Turn off location' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.37.2 Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation; -# -# -#18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.1 Ensure 'Allow Extensions' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> ExtensionsEnabled -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions -> !ExtensionsEnabled; -# -# -#18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.2 Ensure 'Allow InPrivate Browsing' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !AllowInPrivate; -# -# -#18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.5 Ensure 'Configure Pop-up Blocker' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> !r:yes; -# -# -#18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.8 Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !PreventAccessToAboutFlagsInMicrosoftEdge; -# -# -#18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.9 Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverrideAppRepUnknown; -# -# -#18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.10 Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverride; -# -# -#18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.41.11 Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !HideLocalHostIP; -# -# -#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser; -# -# -#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm; -# -# -#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT; -# -# -#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir; -# -# -#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime; -# -# -#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' -[CIS - Microsoft Windows Server 2016 - 18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime; -# -# -#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket; -# -# -#18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.1 Ensure 'Disable all apps from Windows Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableStoreApps; -# -# -#18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled' -[CIS - Microsoft Windows Server 2016 - 18.9.61.4 Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore; -# -# -#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0; -# -# -#18.9.69.8.1 Ensure 'Configure Watson events' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.69.8 Ensure 'Configure Watson events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts; -# -# -#18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.73.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowSuggestedAppsInWindowsInkWorkspace; -# -# -#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0; -# -# -#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0; -# -# -#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' -[CIS - Microsoft Windows Server 2016 - 18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/515] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess; -# diff --git a/debian/ossec-hids/var/ossec/etc/shared/rootkit_files.txt b/debian/ossec-hids/var/ossec/etc/shared/rootkit_files.txt deleted file mode 100644 index ae84c5b..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/rootkit_files.txt +++ /dev/null @@ -1,407 +0,0 @@ -# rootkit_files.txt, (C) 2018 OSSEC Project -# Imported from the rootcheck project. -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# Blank lines and lines starting with '#' are ignored. -# -# Each line must be in the following format: -# file_name ! Name ::Link to it -# -# Files that start with an '*' will be searched in the whole system. - -# Bash door -tmp/mcliZokhb ! Bash door ::/rootkits/bashdoor.php -tmp/mclzaKmfa ! Bash door ::/rootkits/bashdoor.php - -# adore Worm -dev/.shit/red.tgz ! Adore Worm ::/rootkits/adorew.php -usr/lib/libt ! Adore Worm ::/rootkits/adorew.php -usr/bin/adore ! Adore Worm ::/rootkits/adorew.php -*/klogd.o ! Adore Worm ::/rootkits/adorew.php -*/red.tar ! Adore Worm ::/rootkits/adorew.php - -# T.R.K rootkit -usr/bin/soucemask ! TRK rootkit ::/rootkits/trk.php -usr/bin/sourcemask ! TRK rootkit ::/rootkits/trk.php - -# 55.808.A Worm -tmp/.../a ! 55808.A Worm :: -tmp/.../r ! 55808.A Worm :: - -# Volc Rootkit -usr/lib/volc ! Volc Rootkit :: -usr/bin/volc ! Volc Rootkit :: - -# Illogic -lib/security/.config ! Illogic Rootkit ::rootkits/illogic.php -usr/bin/sia ! Illogic Rootkit ::rootkits/illogic.php -etc/ld.so.hash ! Illogic Rootkit ::rootkits/illogic.php -*/uconf.inv ! Illogic Rootkit ::rootkits/illogic.php - -# T0rnkit -usr/src/.puta ! t0rn Rootkit ::rootkits/torn.php -usr/info/.t0rn ! t0rn Rootkit ::rootkits/torn.php -lib/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php -etc/ttyhash ! t0rn Rootkit ::rootkits/torn.php -sbin/xlogin ! t0rn Rootkit ::rootkits/torn.php -*/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php -*/.t0rn ! t0rn Rootkit ::rootkits/torn.php -*/.puta ! t0rn Rootkit ::rootkits/torn.php - -# RK17 -bin/rtty ! RK17 :: -bin/squit ! RK17 :: -sbin/pback ! RK17 :: -proc/kset ! RK17 :: -usr/src/linux/modules/autod.o ! RK17 :: -usr/src/linux/modules/soundx.o ! RK17 :: - -# Ramen Worm -usr/lib/ldlibps.so ! Ramen Worm ::rootkits/ramen.php -usr/lib/ldlibns.so ! Ramen Worm ::rootkits/ramen.php -usr/lib/ldliblogin.so ! Ramen Worm ::rootkits/ramen.php -usr/src/.poop ! Ramen Worm ::rootkits/ramen.php -tmp/ramen.tgz ! Ramen Worm ::rootkits/ramen.php -etc/xinetd.d/asp ! Ramen Worm ::rootkits/ramen.php - -# Sadmind/IIS Worm -dev/cuc ! Sadmind/IIS Worm :: - -# Monkit -lib/defs ! Monkit :: -usr/lib/libpikapp.a ! Monkit found :: - -# RSHA -usr/bin/kr4p ! RSHA :: -usr/bin/n3tstat ! RSHA :: -usr/bin/chsh2 ! RSHA :: -usr/bin/slice2 ! RSHA :: -etc/rc.d/rsha ! RSHA :: - -# ShitC worm -bin/home ! ShitC :: -sbin/home ! ShitC :: -usr/sbin/in.slogind ! ShitC :: - -# Omega Worm -dev/chr ! Omega Worm :: - -# rh-sharpe -bin/.ps ! Rh-Sharpe :: -usr/bin/cleaner ! Rh-Sharpe :: -usr/bin/slice ! Rh-Sharpe :: -usr/bin/vadim ! Rh-Sharpe :: -usr/bin/.ps ! Rh-Sharpe :: -bin/.lpstree ! Rh-Sharpe :: -usr/bin/.lpstree ! Rh-Sharpe :: -usr/bin/lnetstat ! Rh-Sharpe :: -bin/lnetstat ! Rh-Sharpe :: -usr/bin/ldu ! Rh-Sharpe :: -bin/ldu ! Rh-Sharpe :: -usr/bin/lkillall ! Rh-Sharpe :: -bin/lkillall ! Rh-Sharpe :: -usr/include/rpcsvc/du ! Rh-Sharpe :: - -# Maniac RK -usr/bin/mailrc ! Maniac RK :: - -# Showtee / Romanian -usr/lib/.egcs ! Showtee :: -usr/lib/.wormie ! Showtee :: -usr/lib/.kinetic ! Showtee :: -usr/lib/liblog.o ! Showtee :: -usr/include/addr.h ! Showtee / Romanian rootkit :: -usr/include/cron.h ! Showtee :: -usr/include/file.h ! Showtee / Romanian rootkit :: -usr/include/syslogs.h ! Showtee / Romanian rootkit :: -usr/include/proc.h ! Showtee / Romanian rootkit :: -usr/include/chk.h ! Showtee :: -usr/sbin/initdl ! Romanian rootkit :: -usr/sbin/xntps ! Romanian rootkit :: - -# Optickit -usr/bin/xchk ! Optickit :: -usr/bin/xsf ! Optickit :: - -# LDP worm -dev/.kork ! LDP Worm :: -bin/.login ! LDP Worm :: -bin/.ps ! LDP Worm :: - -# Telekit -dev/hda06 ! TeLeKit trojan :: -usr/info/libc1.so ! TeleKit trojan :: - -# Tribe bot -dev/wd4 ! Tribe bot :: - -# LRK -dev/ida/.inet ! LRK rootkit ::rootkits/lrk.php -*/bindshell ! LRK rootkit ::rootkits/lrk.php - -# Adore Rootkit -etc/bin/ava ! Adore Rootkit :: -etc/sbin/ava ! Adore Rootkit :: - -# Slapper -tmp/.bugtraq ! Slapper installed :: -tmp/.bugtraq.c ! Slapper installed :: -tmp/.cinik ! Slapper installed :: -tmp/.b ! Slapper installed :: -tmp/httpd ! Slapper installed :: -tmp./update ! Slapper installed :: -tmp/.unlock ! Slapper installed :: -tmp/.font-unix/.cinik ! Slapper installed :: -tmp/.cinik ! Slapper installed :: - -# Scalper -tmp/.uua ! Scalper installed :: -tmp/.a ! Scalper installed :: - -# Knark -proc/knark ! Knark Installed ::rootkits/knark.php -dev/.pizda ! Knark Installed ::rootkits/knark.php -dev/.pula ! Knark Installed ::rootkits/knark.php -dev/.pula ! Knark Installed ::rootkits/knark.php -*/taskhack ! Knark Installed ::rootkits/knark.php -*/rootme ! Knark Installed ::rootkits/knark.php -*/nethide ! Knark Installed ::rootkits/knark.php -*/hidef ! Knark Installed ::rootkits/knark.php -*/ered ! Knark Installed ::rootkits/knark.php - -# Lion worm -dev/.lib ! Lion Worm ::rootkits/lion.php -dev/.lib/1iOn.sh ! Lion Worm ::rootkits/lion.php -bin/mjy ! Lion Worm ::rootkits/lion.php -bin/in.telnetd ! Lion Worm ::rootkits/lion.php -usr/info/torn ! Lion Worm ::rootkits/lion.php -*/1iOn\.sh ! Lion Worm ::rootkits/lion.php - -# Bobkit -usr/include/.../ ! Bobkit Rootkit ::rootkits/bobkit.php -usr/lib/.../ ! Bobkit Rootkit ::rootkits/bobkit.php -usr/sbin/.../ ! Bobkit Rootkit ::rootkits/bobkit.php -usr/bin/ntpsx ! Bobkit Rootkit ::rootkits/bobkit.php -tmp/.bkp ! Bobkit Rootkit ::rootkits/bobkit.php -usr/lib/.bkit- ! Bobkit Rootkit ::rootkits/bobkit.php -*/bkit- ! Bobkit Rootkit ::rootkits/bobkit.php - -# Hidrootkit -var/lib/games/.k ! Hidr00tkit :: - -# Ark -dev/ptyxx ! Ark rootkit :: - -# Mithra Rootkit -usr/lib/locale/uboot ! Mithra`s rootkit :: - -# Optickit -usr/bin/xsf ! OpticKit :: -usr/bin/xchk ! OpticKit :: - -# LOC rookit -tmp/xp ! LOC rookit :: -tmp/kidd0.c ! LOC rookit :: -tmp/kidd0 ! LOC rookit :: - -# TC2 worm -usr/info/.tc2k ! TC2 Worm :: -usr/bin/util ! TC2 Worm :: -usr/sbin/initcheck ! TC2 Worm :: -usr/sbin/ldb ! TC2 Worm :: - -# Anonoiyng rootkit -usr/sbin/mech ! Anonoiyng rootkit :: -usr/sbin/kswapd ! Anonoiyng rootkit :: - -# SuckIt -lib/.x ! SuckIt rootkit :: -*/hide.log ! Suckit rootkit :: -lib/sk ! SuckIT rootkit :: - -# Beastkit -usr/local/bin/bin ! Beastkit rootkit ::rootkits/beastkit.php -usr/man/.man10 ! Beastkit rootkit ::rootkits/beastkit.php -usr/sbin/arobia ! Beastkit rootkit ::rootkits/beastkit.php -usr/lib/elm/arobia ! Beastkit rootkit ::rootkits/beastkit.php -usr/local/bin/.../bktd ! Beastkit rootkit ::rootkits/beastkit.php - -# Tuxkit -dev/tux ! Tuxkit rootkit ::rootkits/Tuxkit.php -usr/bin/xsf ! Tuxkit rootkit ::rootkits/Tuxkit.php -usr/bin/xchk ! Tuxkit rootkit ::rootkits/Tuxkit.php -*/.file ! Tuxkit rootkit ::rootkits/Tuxkit.php -*/.addr ! Tuxkit rootkit ::rootkits/Tuxkit.php - -# Old rootkits -usr/include/rpc/ ../kit ! Old rootkits ::rootkits/Old.php -usr/include/rpc/ ../kit2 ! Old rootkits ::rootkits/Old.php -usr/doc/.sl ! Old rootkits ::rootkits/Old.php -usr/doc/.sp ! Old rootkits ::rootkits/Old.php -usr/doc/.statnet ! Old rootkits ::rootkits/Old.php -usr/doc/.logdsys ! Old rootkits ::rootkits/Old.php -usr/doc/.dpct ! Old rootkits ::rootkits/Old.php -usr/doc/.gifnocfi ! Old rootkits ::rootkits/Old.php -usr/doc/.dnif ! Old rootkits ::rootkits/Old.php -usr/doc/.nigol ! Old rootkits ::rootkits/Old.php - -# Kenga3 rootkit -usr/include/. . ! Kenga3 rootkit - -# ESRK rootkit -usr/lib/tcl5.3 ! ESRK rootkit - -# Fu rootkit -sbin/xc ! Fu rootkit -usr/include/ivtype.h ! Fu rootkit -bin/.lib ! Fu rootkit - -# ShKit rootkit -lib/security/.config ! ShKit rootkit -etc/ld.so.hash ! ShKit rootkit - -# AjaKit rootkit -lib/.ligh.gh ! AjaKit rootkit -lib/.libgh.gh ! AjaKit rootkit -lib/.libgh-gh ! AjaKit rootkit -dev/tux ! AjaKit rootkit -dev/tux/.proc ! AjaKit rootkit -dev/tux/.file ! AjaKit rootkit - -# zaRwT rootkit -bin/imin ! zaRwT rootkit -bin/imout ! zaRwT rootkit - -# Madalin rootkit -usr/include/icekey.h ! Madalin rootkit -usr/include/iceconf.h ! Madalin rootkit -usr/include/iceseed.h ! Madalin rootkit - -# shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup -lib/libsh.so ! shv5 rootkit -usr/lib/libsh ! shv5 rootkit - -# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf) -etc/.bmbl ! BMBL rootkit -etc/.bmbl/sk ! BMBL rootkit - -# rootedoor rootkit -*/rootedoor ! Rootedoor rootkit - -# 0vason rootkit -*/ovas0n ! ovas0n rootkit ::/rootkits/ovason.php -*/ovason ! ovas0n rootkit ::/rootkits/ovason.php - -# Rpimp reverse telnet -*/rpimp ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php - -# Cback Linux worm -tmp/cback ! cback worm ::/rootkits/cback.php -tmp/derfiq ! cback worm ::/rootkits/cback.php - -# aPa Kit (from rkhunter) -usr/share/.aPa ! Apa Kit - -# enye-sec Rootkit -etc/.enyelkmHIDE^IT.ko ! enye-sec Rootkit ::/rootkits/enye-sec.php - -# Override Rootkit -dev/grid-hide-pid- ! Override rootkit ::/rootkits/override.php -dev/grid-unhide-pid- ! Override rootkit ::/rootkits/override.php -dev/grid-show-pids ! Override rootkit ::/rootkits/override.php -dev/grid-hide-port- ! Override rootkit ::/rootkits/override.php -dev/grid-unhide-port- ! Override rootkit ::/rootkits/override.php - -# PHALANX rootkit -usr/share/.home* ! PHALANX rootkit :: -usr/share/.home*/tty ! PHALANX rootkit :: -etc/host.ph1 ! PHALANX rootkit :: -bin/host.ph1 ! PHALANX rootkit :: - -# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf) -# and from chkrootkit -usr/share/.zk ! ZK rootkit :: -usr/share/.zk/zk ! ZK rootkit :: -etc/1ssue.net ! ZK rootkit :: -usr/X11R6/.zk ! ZK rootkit :: -usr/X11R6/.zk/xfs ! ZK rootkit :: -usr/X11R6/.zk/echo ! ZK rootkit :: -etc/sysconfig/console/load.zk ! ZK rootkit :: - -# Public sniffers -*/.linux-sniff ! Sniffer log :: -*/sniff-l0g ! Sniffer log :: -*/core_$ ! Sniffer log :: -*/tcp.log ! Sniffer log :: -*/chipsul ! Sniffer log :: -*/beshina ! Sniffer log :: -*/.owned$ | Sniffer log :: - -# Solaris worm - -# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen -var/adm/.profile ! Solaris Worm :: -var/spool/lp/.profile ! Solaris Worm :: -var/adm/sa/.adm ! Solaris Worm :: -var/spool/lp/admins/.lp ! Solaris Worm :: - -# Suspicious files -etc/rc.d/init.d/rc.modules ! Suspicious file ::rootkits/Suspicious.php -lib/ldd.so ! Suspicious file ::rootkits/Suspicious.php -usr/man/muie ! Suspicious file ::rootkits/Suspicious.php -usr/X11R6/include/pain ! Suspicious file ::rootkits/Suspicious.php -usr/bin/sourcemask ! Suspicious file ::rootkits/Suspicious.php -usr/bin/ras2xm ! Suspicious file ::rootkits/Suspicious.php -usr/bin/ddc ! Suspicious file ::rootkits/Suspicious.php -usr/bin/jdc ! Suspicious file ::rootkits/Suspicious.php -usr/sbin/in.telnet ! Suspicious file ::rootkits/Suspicious.php -sbin/vobiscum ! Suspicious file ::rootkits/Suspicious.php -usr/sbin/jcd ! Suspicious file ::rootkits/Suspicious.php -usr/sbin/atd2 ! Suspicious file ::rootkits/Suspicious.php -usr/bin/ishit ! Suspicious file ::rootkits/Suspicious.php -usr/bin/.etc ! Suspicious file ::rootkits/Suspicious.php -usr/bin/xstat ! Suspicious file ::rootkits/Suspicious.php -var/run/.tmp ! Suspicious file ::rootkits/Suspicious.php -usr/man/man1/lib/.lib ! Suspicious file ::rootkits/Suspicious.php -usr/man/man2/.man8 ! Suspicious file ::rootkits/Suspicious.php -var/run/.pid ! Suspicious file ::rootkits/Suspicious.php -lib/.so ! Suspicious file ::rootkits/Suspicious.php -lib/.fx ! Suspicious file ::rootkits/Suspicious.php -lib/lblip.tk ! Suspicious file ::rootkits/Suspicious.php -usr/lib/.fx ! Suspicious file ::rootkits/Suspicious.php -var/local/.lpd ! Suspicious file ::rootkits/Suspicious.php -dev/rd/cdb ! Suspicious file ::rootkits/Suspicious.php -dev/.rd/ ! Suspicious file ::rootkits/Suspicious.php -usr/lib/pt07 ! Suspicious file ::rootkits/Suspicious.php -usr/bin/atm ! Suspicious file ::rootkits/Suspicious.php -tmp/.cheese ! Suspicious file ::rootkits/Suspicious.php -dev/.arctic ! Suspicious file ::rootkits/Suspicious.php -dev/.xman ! Suspicious file ::rootkits/Suspicious.php -dev/.golf ! Suspicious file ::rootkits/Suspicious.php -dev/srd0 ! Suspicious file ::rootkits/Suspicious.php -dev/ptyzx ! Suspicious file ::rootkits/Suspicious.php -dev/ptyzg ! Suspicious file ::rootkits/Suspicious.php -dev/xdf1 ! Suspicious file ::rootkits/Suspicious.php -dev/ttyop ! Suspicious file ::rootkits/Suspicious.php -dev/ttyof ! Suspicious file ::rootkits/Suspicious.php -dev/hd7 ! Suspicious file ::rootkits/Suspicious.php -dev/hdx1 ! Suspicious file ::rootkits/Suspicious.php -dev/hdx2 ! Suspicious file ::rootkits/Suspicious.php -dev/xdf2 ! Suspicious file ::rootkits/Suspicious.php -dev/ptyp ! Suspicious file ::rootkits/Suspicious.php -dev/ptyr ! Suspicious file ::rootkits/Suspicious.php -sbin/pback ! Suspicious file ::rootkits/Suspicious.php -usr/man/man3/psid ! Suspicious file ::rootkits/Suspicious.php -proc/kset ! Suspicious file ::rootkits/Suspicious.php -usr/bin/gib ! Suspicious file ::rootkits/Suspicious.php -usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php -usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php -tmp/.dump ! Suspicious file ::rootkits/Suspicious.php -var/.x ! Suspicious file ::rootkits/Suspicious.php -var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php -*/.log ! Suspicious file ::rootkits/Suspicious.php -*/ecmf ! Suspicious file ::rootkits/Suspicious.php -*/mirkforce ! Suspicious file ::rootkits/Suspicious.php -*/mfclean ! Suspicious file ::rootkits/Suspicious.php diff --git a/debian/ossec-hids/var/ossec/etc/shared/rootkit_trojans.txt b/debian/ossec-hids/var/ossec/etc/shared/rootkit_trojans.txt deleted file mode 100644 index 669ef30..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/rootkit_trojans.txt +++ /dev/null @@ -1,107 +0,0 @@ -# rootkit_trojans.txt, (C) 2018 OSSEC Project -# Imported from the rootcheck project. -# Some entries taken from the chkrootkit project. -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# Blank lines and lines starting with '#' are ignored. -# -# Each line must be in the following format: -# file_name !string_to_search!Description - -# Common binaries and public trojan entries -ls !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h! -env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! -echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -bash !proc\.h|/dev/[0-9]|/dev/[hijkz]! -sh !proc\.h|/dev/[0-9]|/dev/[hijkz]! -uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh! -date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh! -du !w0rm|/prof|file\.h! -df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh! -login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk! -passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]! -mingetty !bash|Dimensioni|pacchetto! -chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! -chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! -mail !bash|file\.h|proc\.h|/dev/[^nu]! -su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv! -sudo !satori|vejeta|conf\.inv! -crond !/dev/[^nt]|bash! -gpm !bash|mingetty! -ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]! -diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! -md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! -hdparm !bash|/dev/ida! -ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a! - -# Trojan entries for troubleshooting binaries -grep !bash|givemer! -egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! -find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h! -lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp! -netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h! -top !/dev/[^npi3st%]|proc\.h|/prof/! -ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh! -tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh! -pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh! -fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh! -w !uname -a|proc\.h|bash! - -# Trojan entries for common daemons -sendmail !bash|fuck! -named !bash|blah|/dev/[0-9]|^/bin/sh! -inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh! -apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! -sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/! -syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h! -xinetd !bash|file\.h|proc\.h! -in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/! -in.fingerd !bash|^/bin/sh|cterm100|/dev/! -identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! -init !bash|/dev/h -tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]! -rlogin !p1r0c4|r00t|bash|/dev/[^nt]! - -# Kill trojan -killall !/dev/[^t%]|proc\.h|bash|tmp! -kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp! - -# Rootkit entries -/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit - -# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf) -/etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit -/etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit - -# Modified /etc/hosts entries -# Idea taken from: -# http://blog.tenablesecurity.com/2006/12/detecting_compr.html -# http://www.sophos.com/security/analyses/trojbagledll.html -# http://www.f-secure.com/v-descs/fantibag_b.shtml -/etc/hosts !^[^#]*avp.ch!Anti-virus site on the hosts file -/etc/hosts !^[^#]*avp.ru!Anti-virus site on the hosts file -/etc/hosts !^[^#]*awaps.net! Anti-virus site on the hosts file -/etc/hosts !^[^#]*ca.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*mcafee.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*microsoft.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*f-secure.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*sophos.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*symantec.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*my-etrust.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*nai.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*networkassociates.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*viruslist.ru! Anti-virus site on the hosts file -/etc/hosts !^[^#]*kaspersky! Anti-virus site on the hosts file -/etc/hosts !^[^#]*symantecliveupdate.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*grisoft.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*clamav.net! Anti-virus site on the hosts file -/etc/hosts !^[^#]*bitdefender.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*antivirus.com! Anti-virus site on the hosts file -/etc/hosts !^[^#]*sans.org! Security site on the hosts file diff --git a/debian/ossec-hids/var/ossec/etc/shared/system_audit_pw.txt b/debian/ossec-hids/var/ossec/etc/shared/system_audit_pw.txt deleted file mode 100644 index 77679c2..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/system_audit_pw.txt +++ /dev/null @@ -1,103 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry , use "->" to look for a specific entry and another -# "->" to look for the value. -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceeded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). -# -# Checks for Password Security on Linux Systems -# -#1 Set Default Algorithm for Password Encryption to SHA256 or SHA 512 -[Password Hardening - 1: Set Default Algorithm for Password Encryption to SHA256 or SHA 512] [any] [https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun, https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html] -f:/etc/security/policy.conf -> !r:^# && r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__; -f:/etc/security/policy.conf -> !r:^CRYPT_DEFAULT=\d; -f:/etc/login.defs -> !r:^# && r:^ENCRYPT_METHOD\s+MD5|^ENCRYPT_METHOD\s+DES; -f:/etc/login.defs -> !r:^ENCRYPT_METHOD\s+SHA512|^ENCRYPT_METHOD\s+SHA256; -f:/etc/pam.d/common-password -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des; -f:/etc/pam.d/common-password -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256; -f:/etc/pam.d/password-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des; -f:/etc/pam.d/password-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256; -f:/etc/pam.d/system-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des; -f:/etc/pam.d/system-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256; -f:/etc/pam.d/system-auth-ac -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des; -f:/etc/pam.d/system-auth-ac -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256; -# -# -#2 Passwords in /etc/shadow not hashed with SHA-256 or SHA-512 -[Password Hardening - 2: Not all Passwords in /etc/shadow are hashed with SHA-256 or SHA-512] [any] [https://linux-audit.com/password-security-with-linux-etc-shadow-file/, https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html] -f:/etc/shadow -> !r:^# && !r:^\w+:NP:\d+:\d*:\d*:\d*:\d*:\d*:\d*$ && r:^\w+:\w\.*:\d+:\d*:\d*:\d*:\d*:\d*:\d*$; -f:/etc/shadow -> !r:^# && r:\w+:\$1\$\.+; -f:/etc/shadow -> !r:^# && r:\w+:\$2\$\.+; -f:/etc/shadow -> !r:^# && r:\w+:\$2a\$\.+; -f:/etc/shadow -> !r:^# && r:\w+:\$2x\$\.+; -f:/etc/shadow -> !r:^# && r:\w+:\$2y\$\.+; -f:/etc/shadow -> !r:^# && r:\w+:\$md5\$\.+; -f:/etc/shadow -> !r:^# && r:\w+:\$__unix__\$\.+; -# -# -#3 Set Password Creation Requirement Parameters -[Password Hardening - 3: Set Password Creation Requirement Parameters] [any] [https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/, https://workbench.cisecurity.org] -f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass; -f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+; -f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass; -f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+; -f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass; -f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+; -f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass; -f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+; -f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass|^@include\s+common-password; -f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+|^@include\s+common-password; -f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:minlen=\d\d+; -f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:minlen=\d\d+; -f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:minlen=\d\d+; -f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:minlen=\d\d+; -f:/etc/security/pwquality.conf -> !r:^minlen=\d\d+; -f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:dcredit=\p*\d+; -f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+; -f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+; -f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:dcredit=\p*\d+; -f:/etc/security/pwquality.conf -> !r:^dcredit=\p*\d+; -f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:lcredit=\p*\d+; -f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+; -f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+; -f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:lcredit=\p*\d+; -f:/etc/security/pwquality.conf -> !r:^lcredit=\p*\d+; -f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ocredit=\p*\d+; -f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+; -f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+; -f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ocredit=\p*\d+; -f:/etc/security/pwquality.conf -> !r:^ocredit=\p*\d+; -f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ucredit=\p*\d+; -f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+; -f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+; -f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ucredit=\p*\d+; -f:/etc/security/pwquality.conf -> !r:^ucredit=\p*\d+; -# -# -#4 Set default password expiration / aging parameters -[Password Hardening - 4: Set password expiration / aging parameters] [any] [https://www.thegeekdiary.com/understanding-etclogin-defs-file, https://workbench.cisecurity.org/sections/26024/recommendations/63001] -f:/etc/default/passwd -> !r:^MAXWEEKS=\d\d$; -f:/etc/default/passwd -> !r:^MINWEEKS=\d; -f:/etc/default/passwd -> !r:^WARNWEEKS=\d; -f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s*\t*\d\d$; -f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s*\t*\d; -f:/etc/login.defs -> !r:^PASS_WARN_AGE\s*\t*\d; diff --git a/debian/ossec-hids/var/ossec/etc/shared/system_audit_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/system_audit_rcl.txt deleted file mode 100644 index 56cd4cd..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/system_audit_rcl.txt +++ /dev/null @@ -1,95 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - p (process running) -# - d (any file inside the directory) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini; -$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www; - -# PHP checks -[PHP - Register globals are enabled] [any] [] -f:$php.ini -> r:^register_globals = On; - -# PHP checks -[PHP - Expose PHP is enabled] [any] [] -f:$php.ini -> r:^expose_php = On; - -# PHP checks -[PHP - Allow URL fopen is enabled] [any] [] -f:$php.ini -> r:^allow_url_fopen = On; - -# PHP checks -[PHP - Displaying of errors is enabled] [any] [] -f:$php.ini -> r:^display_errors = On; - -# PHP checks - consider open_basedir && disable_functions - - -## Looking for common web exploits (might indicate that you are owned). -## Using http://dcid.me/blog/logsamples/webattacks_links as a reference. -#[Web exploits - Possible compromise] [any] [] -#d:$web_dirs -> .txt$ -> r:^ ^.yop$; - -[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] -d:$web_dirs -> ^id$; - -[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] -d:$web_dirs -> ^.ssh$; - -[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] -d:$web_dirs -> ^...$; - -[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] -d:$web_dirs -> ^.shell$; - -## Looking for outdated Web applications -## Taken from http://sucuri.net/latest-versions -[Web vulnerability - Outdated WordPress installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions] -d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '4.4.2'; - -[Web vulnerability - Outdated Joomla installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions] -d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'3.4.8'; - -[Web vulnerability - Outdated osCommerce (v2.2) installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions] -d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-; - -## Looking for known backdoors -[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] -d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo; - -[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] -d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST; - -[Web vulnerability - .htaccess file compromised {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html] -d:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google; - -[Web vulnerability - .htaccess file compromised - auto append {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html] -d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file; diff --git a/debian/ossec-hids/var/ossec/etc/shared/system_audit_ssh.txt b/debian/ossec-hids/var/ossec/etc/shared/system_audit_ssh.txt deleted file mode 100644 index a4d8e42..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/system_audit_ssh.txt +++ /dev/null @@ -1,81 +0,0 @@ -# SSH Rootcheck -# -# v1.0 2016/01/20 -# Created by Wazuh, Inc. . -# jesus@wazuh.com -# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2 -# - - -$sshd_file=/etc/ssh/sshd_config; - - -# Listen PORT != 22 -# The option Port specifies on which port number ssh daemon listens for incoming connections. -# Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port. -[SSH Hardening - 1: Port 22 {PCI_DSS: 2.2.4}] [any] [1] -f:$sshd_file -> !r:^# && r:Port\.+22; - - -# Protocol 2 -# The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. -# Version 1 of the SSH protocol has weaknesses. -[SSH Hardening - 2: Protocol 1 {PCI_DSS: 2.2.4}] [any] [2] -f:$sshd_file -> !r:^# && r:Protocol\.+1; - - -# PermitRootLogin no -# The option PermitRootLogin specifies whether root can log in using ssh. -# If you want log in as root, you should use the option "Match" and restrict it to a few IP addresses. -[SSH Hardening - 3: Root can log in] [any] [3] -f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes; -f:$sshd_file -> r:^#\s*PermitRootLogin; - - -# PubkeyAuthentication yes -# Access only by public key -# Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password. -[SSH Hardening - 4: No Public Key autentication {PCI_DSS: 2.2.4}] [any] [4] -f:$sshd_file -> !r:^# && r:PubkeyAuthentication\.+no; -f:$sshd_file -> r:^#\s*PubkeyAuthentication; - - -# PasswordAuthentication no -# The option PasswordAuthentication specifies whether we should use password-based authentication. -# Use public key authentication instead of passwords -[SSH Hardening - 5: Password Authentication {PCI_DSS: 2.2.4}] [any] [5] -f:$sshd_file -> !r:^# && r:PasswordAuthentication\.+yes; -f:$sshd_file -> r:^#\s*PasswordAuthentication; - - -# PermitEmptyPasswords no -# The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password -# Accounts with null passwords are a bad practice. -[SSH Hardening - 6: Empty passwords allowed {PCI_DSS: 2.2.4}] [any] [6] -f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\.+yes; -f:$sshd_file -> r:^#\s*PermitEmptyPasswords; - - -# IgnoreRhosts yes -# The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. -# For security reasons it is recommended to no use rhosts or shosts files for authentication. -[SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}] [any] [7] -f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no; -f:$sshd_file -> r:^#\s*IgnoreRhosts; - - -# LoginGraceTime 30 -# The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. -# 30 seconds is the recommended time for avoiding open connections without authenticate -[SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}] [any] [8] -f:$sshd_file -> !r:^# && r:LoginGraceTime && !r:30\s*$; -f:$sshd_file -> r:^#\s*LoginGraceTime; - - -# MaxAuthTries 3 -# The MaxAuthTries parameter specifices the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. -# This should be set to 3. -[SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9] -f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$; -f:$sshd_file -> r:^#\s*MaxAuthTries; -f:$sshd_file -> !r:MaxAuthTries; diff --git a/debian/ossec-hids/var/ossec/etc/shared/win_applications_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/win_applications_rcl.txt deleted file mode 100644 index 2bdb985..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/win_applications_rcl.txt +++ /dev/null @@ -1,126 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -[Chat/IM/VoIP - Skype {PCI_DSS: 10.6.1}] [any] [] -f:\Program Files\Skype\Phone; -f:\Documents and Settings\All Users\Documents\My Skype Pictures; -f:\Documents and Settings\Skype; -f:\Documents and Settings\All Users\Start Menu\Programs\Skype; -r:HKLM\SOFTWARE\Skype; -r:HKEY_LOCAL_MACHINE\Software\Policies\Skype; -p:r:Skype.exe; - -[Chat/IM - Yahoo {PCI_DSS: 10.6.1}] [any] [] -f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger; -r:HKLM\SOFTWARE\Yahoo; - -[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] [] -r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ; - -[Chat/IM - AOL {PCI_DSS: 10.6.1}] [any] [http://www.aol.com] -r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger; -r:HKEY_CLASSES_ROOT\aim\shell\open\command; -r:HKEY_CLASSES_ROOT\AIM.Protocol; -r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim; -f:\Program Files\AIM95; -p:r:aim.exe; - -[Chat/IM - MSN {PCI_DSS: 10.6.1}] [any] [http://www.msn.com] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger; -r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger; -f:\Program Files\MSN Messenger; -f:\Program Files\Messenger; -p:r:msnmsgr.exe; - -[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] [http://www.icq.com] -r:HKLM\SOFTWARE\Mirabilis\ICQ; - -[P2P - UTorrent {PCI_DSS: 10.6.1}] [any] [] -p:r:utorrent.exe; - -[P2P - LimeWire {PCI_DSS: 11.4}] [any] [] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire; -r:HKLM\software\microsoft\windows\currentversion\run -> limeshop; -f:\Program Files\limewire; -f:\Program Files\limeshop; - -[P2P/Adware - Kazaa {PCI_DSS: 11.4}] [any] [] -f:\Program Files\kazaa; -f:\Documents and Settings\All Users\Start Menu\Programs\kazaa; -f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk; -f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk; -f:%WINDIR%\System32\Cd_clint.dll; -r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA; -r:HKEY_CURRENT_USER\SOFTWARE\KAZAA; -r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA; - -# http://vil.nai.com/vil/content/v_135023.htm -[Adware - RxToolBar {PCI_DSS: 11.4}] [any] [http://vil.nai.com/vil/content/v_135023.htm] -r:HKEY_CURRENT_USER\Software\Infotechnics; -r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar; -r:HKEY_CURRENT_USER\Software\RX Toolbar; -r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo; -r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar; -f:\Program Files\RXToolBar; - -# http://btfaq.com/serve/cache/18.html -[P2P - BitTorrent {PCI_DSS: 10.6.1}] [any] [http://btfaq.com/serve/cache/18.html] -f:\Program Files\BitTorrent; -r:HKEY_CLASSES_ROOT\.torrent; -r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent; -r:HKEY_CLASSES_ROOT\bittorrent; -r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent; - -# http://www.gotomypc.com -[Remote Access - GoToMyPC {PCI_DSS: 10.6.1}] [any] [] -f:\Program Files\Citrix\GoToMyPC; -f:\Program Files\Citrix\GoToMyPC\g2svc.exe; -f:\Program Files\Citrix\GoToMyPC\g2comm.exe; -f:\Program Files\expertcity\GoToMyPC; -r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc; -r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc; -r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc; -p:r:g2svc.exe; -p:r:g2pre.exe; - -[Spyware - Twain Tec Spyware {PCI_DSS: 11.4}] [any] [] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1; -r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech; -f:%WINDIR%\twaintec.dll; - -# http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2 -[Spyware - SpyBuddy {PCI_DSS: 11.4}] [any] [] -f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe; -f:\Program Files\ExploreAnywhere\SpyBuddy; -f:\Program Files\ExploreAnywhere; -f:%WINDIR%\System32\sysicept.dll; -r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy; - -[Spyware - InternetOptimizer {PCI_DSS: 11.4}] [any] [] -r:HKLM\SOFTWARE\Avenue Media; -r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho.1; -r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho; diff --git a/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt deleted file mode 100644 index 34d8516..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt +++ /dev/null @@ -1,74 +0,0 @@ -# OSSEC Linux Audit - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Application name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true -[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] [] -r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; -r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; - -# http://support.microsoft.com/kb/825750 -[DCOM disabled {PCI_DSS: 10.6.1}] [any] [] -r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N; - -# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html -[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] [] -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0; -r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1; - -# http://research.eeye.com/html/alerts/AL20060813.html -# Disabled by some Malwares (sometimes by McAfee and Symantec -# security center too). -[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] [] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0; - -# Checking for the microsoft firewall. -[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] [] -r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0; -r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0; - -#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html -[Null sessions allowed {PCI_DSS: 11.4}] [any] [] -r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0; - -[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html] -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0; -r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0; - -# http://support.microsoft.com/default.aspx?scid=315231 -[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231] -r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword; -r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1; - -[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] [] -f:%WINDIR%\System32\drivers\npf.sys; diff --git a/debian/ossec-hids/var/ossec/etc/shared/win_malware_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/win_malware_rcl.txt deleted file mode 100644 index 03ed594..0000000 --- a/debian/ossec-hids/var/ossec/etc/shared/win_malware_rcl.txt +++ /dev/null @@ -1,122 +0,0 @@ -# OSSEC Windows Malware list - (C) 2018 OSSEC Project -# -# Released under the same license as OSSEC. -# More details at the LICENSE file included with OSSEC or online -# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE -# -# [Malware name] [any or all] [reference] -# type:; -# -# Type can be: -# - f (for file or directory) -# - r (registry entry) -# - p (process running) -# -# Additional values: -# For the registry and for directories, use "->" to look for a specific entry and another -# "->" to look for the value. -# Also, use " -> r:^\. -> ..." to search all files in a directory -# For files, use "->" to look for a specific value in the file. -# -# # Values can be preceded by: =: (for equal) - default -# r: (for ossec regexes) -# >: (for strcmp greater) -# <: (for strcmp lower) -# Multiple patterns can be specified by using " && " between them. -# (All of them must match for it to return true). - -# http://www.iss.net/threats/ginwui.html -[Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html] -f:%WINDIR%\System32\zsyhide.dll; -f:%WINDIR%\System32\zsydll.dll; -r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll; -r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll; - -# http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2 -[Wargbot Backdoor {PCI_DSS: 11.4}] [any] [] -f:%WINDIR%\System32\wgareg.exe; -r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg; - -# http://www.f-prot.com/virusinfo/descriptions/sober_j.html -[Sober Worm {PCI_DSS: 11.4}] [any] [] -f:%WINDIR%\System32\nonzipsr.noz; -f:%WINDIR%\System32\clonzips.ssc; -f:%WINDIR%\System32\clsobern.isc; -f:%WINDIR%\System32\sb2run.dii; -f:%WINDIR%\System32\winsend32.dal; -f:%WINDIR%\System32\winroot64.dal; -f:%WINDIR%\System32\zippedsr.piz; -f:%WINDIR%\System32\winexerun.dal; -f:%WINDIR%\System32\winmprot.dal; -f:%WINDIR%\System32\dgssxy.yoi; -f:%WINDIR%\System32\cvqaikxt.apk; -f:%WINDIR%\System32\sysmms32.lla; -f:%WINDIR%\System32\Odin-Anon.Ger; - -# http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2 -[Hotword Trojan {PCI_DSS: 11.4}] [any] [] -f:%WINDIR%\System32\_; -f:%WINDIR%\System32\explore.exe; -f:%WINDIR%\System32\ svchost.exe; -f:%WINDIR%\System32\mmsystem.dlx; -f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX; -f:%WINDIR%\System32\CFXP.DRV; -f:%WINDIR%\System32\CHJO.DRV; -f:%WINDIR%\System32\MMSYSTEM.DLX; -f:%WINDIR%\System32\OLECLI.DL; - -[Beagle worm {PCI_DSS: 11.4}] [any] [] -f:%WINDIR%\System32\winxp.exe; -f:%WINDIR%\System32\winxp.exeopen; -f:%WINDIR%\System32\winxp.exeopenopen; -f:%WINDIR%\System32\winxp.exeopenopenopen; -f:%WINDIR%\System32\winxp.exeopenopenopenopen; - -# http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99 -[Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99] -f:%WINDIR%\System32\ntos.exe; -f:%WINDIR%\System32\wsnpoem; -f:%WINDIR%\System32\wsnpoem\audio.dll; -f:%WINDIR%\System32\wsnpoem\video.dll; -r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe; - -# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2 -[Looked.BK Worm {PCI_DSS: 11.4}] [any] [] -f:%WINDIR%\uninstall\rundl132.exe; -f:%WINDIR%\Logo1_.exe; -f:%Windir%\RichDll.dll; -r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe; - -[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] [] -p:r:svchost.exe && !%WINDIR%\System32\svchost.exe; -f:!%WINDIR%\SysWOW64; - -[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] [] -p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe; -f:!%WINDIR%\SysWOW64; - -[Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] [] -f:%Windir%\System32\rdriv.sys; -f:%Windir%\lsass.exe; - -[Possible Malware File {PCI_DSS: 11.4}] [any] [] -f:%WINDIR%\utorrent.exe; -f:%WINDIR%\System32\utorrent.exe; -f:%WINDIR%\System32\Files32.vxd; - -# Modified /etc/hosts entries -# Idea taken from: -# http://blog.tenablesecurity.com/2006/12/detecting_compr.html -# http://www.sophos.com/security/analyses/trojbagledll.html -# http://www.f-secure.com/v-descs/fantibag_b.shtml -[Anti-virus site on the hosts file] [any] [] -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com; -f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org; diff --git a/debian/ossec-hids/var/ossec/rules/apache_rules.xml b/debian/ossec-hids/var/ossec/rules/apache_rules.xml deleted file mode 100644 index 5bb6a7d..0000000 --- a/debian/ossec-hids/var/ossec/rules/apache_rules.xml +++ /dev/null @@ -1,325 +0,0 @@ - - - - - - apache-errorlog - Apache messages grouped. - - - - 30100 - ^[error] - Apache error messages grouped. - - - - 30100 - ^[warn] - Apache warn messages grouped. - - - - 30100 - ^[notice] - Apache notice messages grouped. - - - - 30103 - exit signal Segmentation Fault - Apache segmentation fault. - http://www.securityfocus.com/infocus/1633 - service_availability, - - - - 30101 - denied by server configuration - Attempt to access forbidden file or directory. - access_denied, - - - - 30101 - Directory index forbidden by rule - Attempt to access forbidden directory index. - access_denied, - - - - 30101 - Client sent malformed Host header - Code Red attack. - http://www.cert.org/advisories/CA-2001-19.html - CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL - automatic_attack, - - - - 30102 - authentication failed - User authentication failed. - authentication_failed, - - - - 30101 - user \S+ not found|user \S+ in realm \.* not found - Attempt to login using a non-existent user. - invalid_login, - - - - 30101 - authentication failure - User authentication failed. - authentication_failed, - - - - 30101 - File does not exist: | - failed to open stream: No such file or directory| - Failed opening - Attempt to access an non-existent file (those are reported on the access.log). - unknown_resource, - - - - - 30101 - Invalid URI in request - Invalid URI (bad client request). - invalid_request, - - - - 30115 - - Multiple Invalid URI requests from - same source. - invalid_request, - - - - 30101 - File name too long|request failed: URI too long - Invalid URI, file name too long. - invalid_request, - - - - - 30101 - mod_security: Access denied|ModSecurity: Access denied - Access attempt blocked by Mod Security. - access_denied, - - - - 30118 - - Multiple attempts blocked by Mod Security. - access_denied, - - - - 30101 - Resource temporarily unavailable: - Apache without resources to run. - service_availability, - - - - ^mod_security-message: - Modsecurity alert. - - - - 30200 - ^mod_security-message: Access denied - Modsecurity access denied. - access_denied, - - - - 30201 - Multiple attempts blocked by Mod Security. - access_denied, - - - - - 30100 - [\S*:error] - Apache error messages grouped. - - - - 30100 - [\S+:warn] - Apache warn messages grouped. - - - - 30100 - [\S+:notice] - Apache notice messages grouped. - - - - 30303 - exit signal Segmentation Fault - Apache segmentation fault. - http://www.securityfocus.com/infocus/1633 - service_availability, - - - - 30301 - AH01630 - Attempt to access forbidden file or directory. - access_denied, - - - - 30301 - AH01276 - Attempt to access forbidden directory index. - access_denied, - - - - 30301 - AH00550 - Client sent malformed Host header. Possible Code Red attack. - http://www.cert.org/advisories/CA-2001-19.html - CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL - automatic_attack, - - - - 30301 - AH01617|AH01807|AH01694|AH01695|AH02009|AH02010 - User authentication failed. - authentication_failed, - - - - 30301 - AH01618|AH01808|AH01790 - Attempt to login using a non-existent user. - invalid_login, - - - - 30309 - - Multiple authentication failures with invalid user. - authentication_failures, - - - - 30301 - File does not exist: | - failed to open stream: No such file or directory| - Failed opening - Attempt to access an non-existent file (those are reported on the access.log). - unknown_resource, - - - - 30301 - AH00126 - Invalid URI (bad client request). - invalid_request, - - - - 30315 - - Multiple Invalid URI requests from - same source. - invalid_request, - - - - 30301 - AH00565 - Invalid URI, file name too long. - invalid_request, - - - - 30301 - PHP Notice: - PHP Notice in Apache log - - - - 30301 - AH00036 - File name too long: - File name too long. - - - - 30301 - Permission denied: | client denied by server configuration: - Permission denied. - - - - 30301 - AH02811 - script not found - A script cannot be accessed. - - - - - 30301 - ModSecurity: Warning - ModSecurity Warning messages grouped - - - - 30301 - ModSecurity: Access denied - ModSecurity Access denied messages grouped - - - - 30301 - ModSecurity: Audit log: - ModSecurity Audit log messages grouped - - - - 30402 - with code 403 - ModSecurity rejected a query - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/apparmor_rules.xml b/debian/ossec-hids/var/ossec/rules/apparmor_rules.xml deleted file mode 100644 index a2b5846..0000000 --- a/debian/ossec-hids/var/ossec/rules/apparmor_rules.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - - - - - - - - iptables - apparmor= - Apparmor grouping - - - - 52000 - ALLOWED|STATUS - Ignore ALLOWED or STATUS - - - - 52000 - DENIED - apparmor= - Apparmor DENIED - - - - 52002 - exec - Apparmor DENIED exec operation. - - - - 52002 - mknod - Apparmor DENIED mknod operation. - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/arpwatch_rules.xml b/debian/ossec-hids/var/ossec/rules/arpwatch_rules.xml deleted file mode 100644 index f059f8b..0000000 --- a/debian/ossec-hids/var/ossec/rules/arpwatch_rules.xml +++ /dev/null @@ -1,89 +0,0 @@ - - - - - - arpwatch - Grouping of the arpwatch rules. - - - - 7200 - alert_by_email - - Arpwatch new host detected. - new_host, - - - - 7200 - flip flop - Arpwatch "flip flop" message. - IP address/MAC relation changing too often. - ip_spoof, - - - - 7200 - reaper: pid - Arpwatch exiting. - service_availability, - - - - 7200 - changed ethernet address - Changed network interface for ip address. - ip_spoof, - - - - 7200 - bad interface eth0|exiting|Running as - Arpwatch startup/exiting messages. - - - - 7200 - sent bad addr len - Arpwatch detected bad address len (ignored). - - - - 7200 - /dev/bpf0: Permission denied - arpwatch probably run with wrong permissions - - - - 7200 - reused old ethernet address - An IP has reverted to an old ethernet address. - - - - 7200 - ethernet mismatch - Possible arpspoofing attempt. - ip_spoof, - - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/asterisk_rules.xml b/debian/ossec-hids/var/ossec/rules/asterisk_rules.xml deleted file mode 100644 index 9ad9715..0000000 --- a/debian/ossec-hids/var/ossec/rules/asterisk_rules.xml +++ /dev/null @@ -1,129 +0,0 @@ - - - - - - - asterisk - Asterisk messages grouped. - - - - 6200 - ^NOTICE - Asterisk notice messages grouped. - - - - 6200 - ^WARN - Asterisk warning message. - - - - 6200 - ^ERROR - Asterisk error message. - - - - 6201 - Wrong password - Login session failed. - authentication_failed, - - - - 6201 - Username/auth name mismatch - Login session failed (invalid user). - invalid_login, - - - - 6201 - No matching peer found - Login session failed (invalid extension). - invalid_login, - - - - 6211 - - Multiple failed logins (user enumeration in process). - - - - 6210 - - Multiple failed logins. - - - - 6212 - - Extension enumeration. - - - - - - 6201 - No registration for peer - Login session failed (invalid iax user). - invalid_login, - - - - - 6253 - - Extension IAX Enumeration. - - - - - 6202 - Don't know how to respond via - Possible Registration Hijacking. - invalid_login, - - - - - 6201 - failed MD5 authentication - IAX peer Wrong Password. - invalid_login, - - - - - 6256 - - Multiple failed logins. - - - - 6201 - No matching peer found|extension not found in context - Login session failed (invalid extension). - invalid_login, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/attack_rules.xml b/debian/ossec-hids/var/ossec/rules/attack_rules.xml deleted file mode 100644 index 5cdfeda..0000000 --- a/debian/ossec-hids/var/ossec/rules/attack_rules.xml +++ /dev/null @@ -1,122 +0,0 @@ - - - - -^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$ - - - - - - authentication_success - $SYS_USERS - System user successfully logged to the system. - invalid_login, - - - - ^rpc.statd[\d+]: gethostbyname error for \W+ - Buffer overflow attack on rpc.statd - exploit_attempt, - - - - ftpd[\d+]: \S+ FTP LOGIN FROM \.+ 0bin0sh - Buffer overflow on WU-FTPD versions prior to 2.6 - exploit_attempt, - - - - ????????????????????? - Possible buffer overflow attempt. - exploit_attempt, - - - - changed by \(\(null\) - "Null" user changed some information. - exploit_attempt, - - - - @@@@@@@@@@@@@@@@@@@@@@@@@ - Buffer overflow attempt (probably on yppasswd). - exploit_attempt, - - - - cachefsd: Segmentation Fault - core dumped - Heap overflow in the Solaris cachefsd service. - 2002-0033 - exploit_attempt, - - - - attempt to execute code on stack by - Stack overflow attempt or program exiting - with SEGV (Solaris). - http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html - exploit_attempt, - - - - authentication_failed - Multiple authentication failures. - authentication_failures, - - - - authentication_success - authentication_failures - - Multiple authentication failures followed - by a success. - - - - virus - Multiple viruses detected - Possible outbreak. - virus, - - - - - - - - - - adduser - attacks - Attacks followed by the addition - of an user. - - - - - - - - - connection_attempt - Network scan from same source ip. - - http://project.honeynet.org/papers/enemy2/ - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/cimserver_rules.xml b/debian/ossec-hids/var/ossec/rules/cimserver_rules.xml deleted file mode 100644 index 0516c8c..0000000 --- a/debian/ossec-hids/var/ossec/rules/cimserver_rules.xml +++ /dev/null @@ -1,36 +0,0 @@ - - - - - cimserver - cimserver messages grouped. - - - - 9600 - Authentication failed - Compaq Insight Manager authentication failure. - authentication_failed, - - - - 9600 - Server stopped - Compaq Insight Manager stopped. - service_availability, - - - - diff --git a/debian/ossec-hids/var/ossec/rules/cisco-ios_rules.xml b/debian/ossec-hids/var/ossec/rules/cisco-ios_rules.xml deleted file mode 100644 index 41dc2eb..0000000 --- a/debian/ossec-hids/var/ossec/rules/cisco-ios_rules.xml +++ /dev/null @@ -1,96 +0,0 @@ - - - - - - cisco-ios - Grouping of Cisco IOS rules. - - - - 4700 - -0- - Cisco IOS emergency message. - - - - - 4700 - -1- - Cisco IOS alert message. - - - - 4700 - -2- - Cisco IOS critical message. - - - - 4700 - -3- - Cisco IOS error message. - - - - 4700 - -4- - Cisco IOS warning message. - - - - 4700 - -5- - Cisco IOS notification message. - - - - 4700 - -6- - Cisco IOS informational message. - - - - 4700 - -7- - Cisco IOS debug message. - - - - 4715 - ^%SYS-5-CONFIG - Cisco IOS router configuration changed. - config_changed, - - - - 4715 - ^%SEC_LOGIN-5-LOGIN_SUCCESS - Successful login to the router. - authentication_success, - - - - 4714 - ^%SEC_LOGIN-4-LOGIN_FAILED - Failed login to the router. - authentication_failed, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/clam_av_rules.xml b/debian/ossec-hids/var/ossec/rules/clam_av_rules.xml deleted file mode 100644 index 505bd78..0000000 --- a/debian/ossec-hids/var/ossec/rules/clam_av_rules.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - clamd - Grouping of the clamd rules. - - - - freshclam - ClamAV database update - - - - 52500 - FOUND - Virus detected - virus - - - - 52500 - ^ERROR: - Clamd error - virus - - - - 52500 - ^WARNING: - Clamd warning - virus - - - - 52500 - clamd daemon - Clamd restarted - virus - - - - 52500 - Database modification detected - Clamd database updated - virus - - - - 52501 - ClamAV update process started - ClamAV database update - virus - - - - 52501 - Database updated - ClamAV database updated - virus - - - - 52501 - Incremental update failed|Error while reading database from|Update failed. - Could not download the incremental virus definition updates. - - - diff --git a/debian/ossec-hids/var/ossec/rules/courier_rules.xml b/debian/ossec-hids/var/ossec/rules/courier_rules.xml deleted file mode 100644 index 2212d32..0000000 --- a/debian/ossec-hids/var/ossec/rules/courier_rules.xml +++ /dev/null @@ -1,67 +0,0 @@ - - - - - - - courier - Grouping for the courier rules. - - - - 3900 - ^Connection, - New courier (imap/pop3) connection. - connection_attempt, - - - - 3900 - ^LOGIN FAILED,| FAILED: - Courier (imap/pop3) authentication failed. - authentication_failed, - - - - 3900 - ^LOGOUT,|^DISCONNECTED - Courier logout/timeout. - - - - 3900 - ^LOGIN, - Courier (imap/pop3) authentication success. - authentication_success, - - - - 3902 - Courier brute force (multiple failed logins). - authentication_failures, - - - - - 3901 - - Multiple connection attempts from same source. - recon, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/dnsmasq_rules.xml b/debian/ossec-hids/var/ossec/rules/dnsmasq_rules.xml deleted file mode 100644 index cf94195..0000000 --- a/debian/ossec-hids/var/ossec/rules/dnsmasq_rules.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - dnsmasq - dnsmasq grouping rule. - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/dovecot_rules.xml b/debian/ossec-hids/var/ossec/rules/dovecot_rules.xml deleted file mode 100644 index cd49bf6..0000000 --- a/debian/ossec-hids/var/ossec/rules/dovecot_rules.xml +++ /dev/null @@ -1,91 +0,0 @@ - - - - - - dovecot - Dovecot Messages Grouped. - - - - 9700 - login: Login: - Dovecot Authentication Success. - authentication_success, - - - - 9700 - Password mismatch$ - Dovecot Authentication Failed. - authentication_failed, - - - - 9700 - starting up - Dovecot is Starting Up. - - - - 9700 - ^Fatal: - alert_by_email - Dovecot Fatal Failure. - - - - 9700 - user not found|User not known|unknown user|auth failed - Dovecot Invalid User Login Attempt. - invalid_login,authentication_failed, - - - - 9700 - : Disconnected: - Dovecot Session Disconnected. - - - - 9700 - : Aborted login - Dovecot Aborted Login. - invalid_login, - - - - - - 9702 - - Dovecot Multiple Authentication Failures. - authentication_failures, - - - - 9705 - - Dovecot brute force attack (multiple auth failures). - authentication_failures, - - - - dovecot-info - dovecot-info grouping. - - - - 9770 - user not found|User not known|unknown user|auth failed - Dovecot Invalid User Login Attempt. - invalid_login,authentication_failed, - - - - diff --git a/debian/ossec-hids/var/ossec/rules/dropbear_rules.xml b/debian/ossec-hids/var/ossec/rules/dropbear_rules.xml deleted file mode 100644 index 813dfd0..0000000 --- a/debian/ossec-hids/var/ossec/rules/dropbear_rules.xml +++ /dev/null @@ -1,107 +0,0 @@ - - - - - - - - - - dropbear - Grouping for dropbear rules. - - - - 51000 - Failed to get kex value - Failed to get key exchange value - - - - 51000 - Premature kexdh_init message received - Premature kexdh_init message - - - - 51000 - bad password attempt for - Bad password attempt. - authentication_failed, - - - - 51000 - attempt for nonexistent user - Bad password attempt for non existent user. - authentication_failed, - - - - authentication_failed - - dropbear brute force attempt. - authentication_failures, - - - - 51000 - exit after auth \(\S+\): Disconnect received - User disconnected. - - - - 51000 - exit before auth - Client exited before authentication. - recon, - - - - 51000 - - dropbear brute force attempt. - authentication_failures, - - - - - 51000 - Incompatible remote version - Incompatible remote version. - recon, - - - - 51000 - password auth succeeded for - User successfully logged in using a password. - authentication_success, - - - - 51000 - Pubkey auth succeeded - User successfully logged in using a public key. - authentication_success, - - - - dropbear - 1002 - Error listening: Address already in use - Dropbear cannot listen on port. - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/exim_rules.xml b/debian/ossec-hids/var/ossec/rules/exim_rules.xml deleted file mode 100644 index f6147df..0000000 --- a/debian/ossec-hids/var/ossec/rules/exim_rules.xml +++ /dev/null @@ -1,55 +0,0 @@ - - - - - windows-date-format - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d SMTP - Exim SMTP Messages Grouped. - - - - windows-date-format - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d dovecot - dovecot messages grouped. - - - - 13001 - authenticator failed - Exim Auth failed - invalid_login,authentication_failed, - - - - 13006 - - Exim brute force attack (multiple auth failures). - authentication_failures, - - - - 13000 - connection count = - Exim connection - - - - 13000 - lost$ - Exim connection lost - - - - 13000 - dropped: too many syntax or protocol errors - Exim syntax or protocol errors - - - diff --git a/debian/ossec-hids/var/ossec/rules/firewall_rules.xml b/debian/ossec-hids/var/ossec/rules/firewall_rules.xml deleted file mode 100644 index d4bb435..0000000 --- a/debian/ossec-hids/var/ossec/rules/firewall_rules.xml +++ /dev/null @@ -1,40 +0,0 @@ - - - - - - firewall - Firewall rules grouped. - - - - - 4100 - DROP - no_log - Firewall drop event. - firewall_drop, - - - - 4101 - - Multiple Firewall drop events from same source. - multiple_drops, - - diff --git a/debian/ossec-hids/var/ossec/rules/firewalld_rules.xml b/debian/ossec-hids/var/ossec/rules/firewalld_rules.xml deleted file mode 100644 index f60b1ed..0000000 --- a/debian/ossec-hids/var/ossec/rules/firewalld_rules.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - ^firewalld - firewalld grouping - - - - 40900 - ERROR: - firewalld error - - - - 40901 - No chain/target/match by that name.$ - Incorrect chain/target/match. - - - - 40901 - ZONE_ALREADY_SET$ - firewalld: zone already set. - - - diff --git a/debian/ossec-hids/var/ossec/rules/ftpd_rules.xml b/debian/ossec-hids/var/ossec/rules/ftpd_rules.xml deleted file mode 100644 index 4172a36..0000000 --- a/debian/ossec-hids/var/ossec/rules/ftpd_rules.xml +++ /dev/null @@ -1,103 +0,0 @@ - - - - - - ftpd - Grouping for the ftpd rules. - - - - 11100 - FTP LOGIN REFUSED - FTP connection refused. - authentication_failed,access_denied, - - - - 11100 - created - File created via FTP - - - - 11100 - deleted - File deleted via FTP - - - - 11100 - FTPD: IMPORT file - User uploaded a file to server. - - - - 11100 - FTPD: EXPORT file - User downloaded a file to server. - - - - 11100 - FTP LOGIN FROM|connection from|connect from - connection_attempt - Remote host connected to FTP server. - - - - 11100 - refused connect from - access_denied, - Connection blocked by Tcp Wrappers. - - - - 11100 - warning: can't verify hostname: |gethostbyaddr: - Reverse lookup error (bad ISP config). - client_misconfig, - - - - 11100 - repeated login failures - Multiple FTP failed login attempts. - authentication_failures, - - - - 11100 - timed out after - User disconnected due to time out. - - - - 11100 - PAM_ERROR_MSG: Account is disabled - Attempt to login with disabled account. - authentication_failed, - - - - 11100 - ^Failed authentication from - FTP authentication failure. - authentication_failed, - - - - 11100 - ^login \S+ from \S+ failed - FTP authentication failure. - authentication_failed, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/hordeimp_rules.xml b/debian/ossec-hids/var/ossec/rules/hordeimp_rules.xml deleted file mode 100644 index db1330d..0000000 --- a/debian/ossec-hids/var/ossec/rules/hordeimp_rules.xml +++ /dev/null @@ -1,78 +0,0 @@ - - - - - - horde_imp - Grouping for the Horde imp rules. - - - - 9300 - ^[info] - Horde IMP informational message. - - - - 9300 - ^[notice] - Horde IMP notice message. - - - - 9300 - ^[error] - Horde IMP error message. - - - - 9300 - ^[emergency] - Horde IMP emergency message. - service_availability, - - - - 9302 - Login success for - Horde IMP successful login. - authentication_success, - - - - 9303 - FAILED LOGIN - Horde IMP Failed login. - authentication_failed, - - - - 9306 - - Horde brute force (multiple failed logins). - authentication_failures, - - - - 9304 - Multiple Horde emergency messages. - service_availability, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/ids_rules.xml b/debian/ossec-hids/var/ossec/rules/ids_rules.xml deleted file mode 100644 index 7fe4993..0000000 --- a/debian/ossec-hids/var/ossec/rules/ids_rules.xml +++ /dev/null @@ -1,104 +0,0 @@ - - - -8 - - - - ids - - First time this IDS alert is generated. - fts, - - - - ids - srcip, id - IDS event. - - - - - 20100, 20101 - snort - - ^1:1852:|^1:368:|^1:384:|^1:366:|^1:402:|^1:408:|^1:1365:| - ^1:480:|^1:399:|^1:2925: - Ignored snort ids. - - - - - 20100, 20101 - dragon-nids - - ^EOL$|^SOF$|^HEARTBEAT$|^DYNAMIC-TCP$|^DYNAMIC-UDP$ - Ignored snort ids. - - - - 20101 - - id - Multiple IDS alerts for same id. - - - - 20101 - - srcip, id - Multiple IDS events from same source ip. - - - - - - 20151 - - - srcip, id - Multiple IDS events from same source ip - (ignoring now this srcip and id). - - - - 20152 - - id - Multiple IDS alerts for same id - (ignoring now this id). - - diff --git a/debian/ossec-hids/var/ossec/rules/imapd_rules.xml b/debian/ossec-hids/var/ossec/rules/imapd_rules.xml deleted file mode 100644 index 9bbc228..0000000 --- a/debian/ossec-hids/var/ossec/rules/imapd_rules.xml +++ /dev/null @@ -1,52 +0,0 @@ - - - -6 - - - - imapd - Grouping of the imapd rules. - - - - 3600 - Login failed user=|AUTHENTICATE LOGIN failure - Imapd user login failed. - authentication_failed, - - - - 3600 - Authenticated user= - Imapd user login. - authentication_success, - - - - 3600 - Logout user= - Imapd user logout. - - - - 3601 - - Multiple failed logins from same source ip. - authentication_failures, - - - diff --git a/debian/ossec-hids/var/ossec/rules/kesl_rules.xml b/debian/ossec-hids/var/ossec/rules/kesl_rules.xml deleted file mode 100644 index c4633f9..0000000 --- a/debian/ossec-hids/var/ossec/rules/kesl_rules.xml +++ /dev/null @@ -1,122 +0,0 @@ - - - - - kesl - kesl messages grouped - - - - 53801 - UpdateError - An error occurred during an Update Task. - - - - 53801 - AVBasesAreOutOfDate - AVBasesAreOutOfDate (kesl Task: update) - - - - 53801 - AVBasesAreTotallyOutOfDate - AVBasesAreTotallyOutOfDate (kesl Task: update) - - - - 53801 - TaskStateChanged - Started|Stopped - ^Rollback - An Update Rollback Task has been started / stopped - - - - 53801 - AVBasesRollbackError - An error occurred during AVBases Update Rollback Task - - - - 53801 - TaskStateChanged - Started|Stopped - ^Retranslate - An update distribution (Retranslate) Task has been started / stopped - - - - 53801 - RetranslationError - An error occurred during an update distribution (Retranslate) Task - - - - 53801 - TaskStateChanged - Started - A kesl Task has been started. - - - - 53801 - TaskStateChanged - Suspended - A kesl Task has been suspended. - - - - 53801 - TaskStateChanged - Stopped - ^Backup|^License|^OAS - A kesl Task has been stopped. - - - - 53801 - TaskStateChanged - Stopped - ^ODS|^BootScan|^MemoryScan|^Update - A kesl Task has been stopped. - - - - 53801 - ThreatDetected - Kesl detected a Threat (kesl Task: File_Monitoring) - - - - 53801 - ObjectSavedToBackup - Threat Object was saved to Backup (kesl Task: File_Monitoring) - - - - 53801 - ObjectNotDisinfected - Threat Object could not be disinfected (kesl Task: File_Monitoring) - - - - 53801 - ObjectDeleted - Threat Object was deleted (kesl Task: File_Monitoring) - - - - 53801 - ObjectProcessingError - An error occurred during kesl scan - - - diff --git a/debian/ossec-hids/var/ossec/rules/last_rootlogin_rules.xml b/debian/ossec-hids/var/ossec/rules/last_rootlogin_rules.xml deleted file mode 100644 index f9358ae..0000000 --- a/debian/ossec-hids/var/ossec/rules/last_rootlogin_rules.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - 535 - root|reboot|admin|superuser|administrator|supervisor|toor - sensitive login detected - - - diff --git a/debian/ossec-hids/var/ossec/rules/linux_usbdetect_rules.xml b/debian/ossec-hids/var/ossec/rules/linux_usbdetect_rules.xml deleted file mode 100644 index 07577fc..0000000 --- a/debian/ossec-hids/var/ossec/rules/linux_usbdetect_rules.xml +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - kernel - usb - Linux USB detection messages grouped - - - - - 53600 - New USB device found - A new USB device was found by the system - linux, - - - - - 53600 - new low-speed USB device - New Low-Speed USB Device was connected. - linux, - - - - - 53600 - new high-speed USB device - New High-Speed USB Device was connected - linux, - - - - - 53600 - USB disconnect - USB device was disconnected - linux, - - - diff --git a/debian/ossec-hids/var/ossec/rules/local_rules.xml b/debian/ossec-hids/var/ossec/rules/local_rules.xml deleted file mode 100644 index ed7b594..0000000 --- a/debian/ossec-hids/var/ossec/rules/local_rules.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - - - - - - - - 5711 - 192.0.2.1 - Example of rule that will ignore sshd - failed logins from IP 1.1.1.1. - - - - - - - - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/101 b/debian/ossec-hids/var/ossec/rules/log-entries/101 deleted file mode 100644 index b383a58..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/101 +++ /dev/null @@ -1,6 +0,0 @@ -#unknown system -Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty -Jan 26 21:01:23 test100 PAM-securetty[284]: Couldn't open /etc/securetty -#Red hat -Nov 7 21:01:17 enigma PAM-securetty[975]: Couldn't open /etc/securetty -Apr 19 17:06:03 ecos2 PAM-securetty[1203]: Couldn't open /etc/securetty diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1101 b/debian/ossec-hids/var/ossec/rules/log-entries/1101 deleted file mode 100644 index c1b8447..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1101 +++ /dev/null @@ -1,18 +0,0 @@ -su[2921936]: succeeded: ttyq4 changing from root to ldap -su[2921936]: failed: ttyq4 changing from root to ldap -su: failed: ttyq# changing from to root -su[234]: BAD SU ger to fwmaster on /dev/ttyp0 -Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0 -Sep 12 18:40:02 bogus.com su: BAD su rachel on /dev/ttyp1 - -Feb 14 17:20:27 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit -May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root -May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test - -Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342) -Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342) -#Slack: -Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root -Jul 5 12:13:15 lili su[2614]: Authentication failed for root -Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1301_1302_1303 b/debian/ossec-hids/var/ossec/rules/log-entries/1301_1302_1303 deleted file mode 100644 index a6e936f..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1301_1302_1303 +++ /dev/null @@ -1,34 +0,0 @@ -May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006 -May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000 -Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001 -Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002 -Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002 -Aug 5 08:57:10 niban groupadd[30279]: new group: name=osaudit, gid=12002 -Aug 5 09:44:53 niban groupadd[32676]: new group: name=osaudit, gid=12002 -Aug 5 09:47:52 niban groupadd[642]: new group: name=osaudit, gid=12002 -Feb 4 14:21:45 niban adduser[26287]: new group: name=test123, gid=12003 -Apr 5 16:06:49 niban adduser[16143]: new group: name=port, gid=12003 -Apr 5 16:20:28 niban groupadd[16193]: new group: name=port1, gid=12004 -Apr 5 16:20:29 niban groupadd[16194]: new group: name=port2, gid=12005 - -May 28 10:48:29 niban useradd[32421]: new user: name=logr, uid=12000, gid=12000, home=/home/logr, shell=/bin/bash -Jun 16 09:53:44 niban useradd[5721]: new user: name=test2, uid=12001, gid=12001, home=/home/test2, shell=/bin/bash -Aug 5 09:33:06 niban useradd[32213]: new user: name=osaudit, uid=12002, gid=12002, home=/var/osaudit, shell=/sbin/nologin -Aug 5 09:47:52 niban useradd[643]: new user: name=osaudit, uid=12002, gid=12002, home=/var/osaudit, shell=/sbin/nologin -Feb 4 14:21:45 niban adduser[26287]: new user: name=test123, uid=12003, gid=12003, home=/home/test123, shell=/bin/bash -Apr 5 16:06:49 niban adduser[16143]: new user: name=port, uid=12003, gid=12003, home=/home/port, shell=/bin/bash -Apr 5 16:17:35 niban adduser[16164]: new user: name=port2, uid=12004, gid=0, home=/home/port2, shell=/bin/bash -Apr 5 16:18:25 niban adduser[16166]: new user: name=port3, uid=12005, gid=1336, home=/home/port3, shell=/bin/bash -Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash - -May 28 10:48:07 niban userdel[32416]: delete user `logr' -Aug 5 09:43:27 niban userdel[32657]: delete user `osaudit' -Feb 4 14:27:13 niban userdel[26300]: delete user `test123' - -May 28 10:48:13 niban groupdel[32417]: remove group `logr' -Aug 4 15:13:08 niban groupdel[26461]: remove group `osaudit' -Aug 4 15:15:31 niban groupdel[26821]: remove group `osaudit' -Aug 5 09:43:27 niban userdel[32657]: remove group `osaudit' -Aug 5 09:47:08 niban groupdel[631]: remove group `osaudit' -Feb 4 14:27:13 niban userdel[26300]: remove group `test123' - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1401 b/debian/ossec-hids/var/ossec/rules/log-entries/1401 deleted file mode 100644 index d8f33ed..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1401 +++ /dev/null @@ -1,6 +0,0 @@ -#Red Hat box -Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls -#OpenBSD -Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls -May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1402 b/debian/ossec-hids/var/ossec/rules/log-entries/1402 deleted file mode 100644 index b9b348f..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1402 +++ /dev/null @@ -1,8 +0,0 @@ -#Red Hat -Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls -Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1 -Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin -#OpenBSD -May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure -#Slackware -May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1602 b/debian/ossec-hids/var/ossec/rules/log-entries/1602 deleted file mode 100644 index 98e24d4..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1602 +++ /dev/null @@ -1,24 +0,0 @@ -# From incidents mailing list -Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 - -Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for -^X^X^Y^Y^Z^Z -^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x -%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2 -20\220\220\220\220\220\220 -Jul 9 01:21:11 blue -^F/binF^D/shA0\210F^G\211v^L\215V^P\215N^L\211^K -\200^A\200\177 - -May 16 19:38:33 server rpc.statd[353]: gethostbyname error for ^Y...^Y...^[??[ diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1603 b/debian/ossec-hids/var/ossec/rules/log-entries/1603 deleted file mode 100644 index 99e5033..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1603 +++ /dev/null @@ -1,3 +0,0 @@ -May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com -[192.168.3.236], 1.1.1.F.1.1.C.A.?..k^1.1.^^AF^Df..^A.'.1.^^A.=.1.1.^^HC^B1...1 -.^^H.^L...u.1.F^I^^H.=..^N.0..F^D1.F^Gv^HF^L.N^HV^L.^K.1.1.^A.....0bin0sh1..11 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1607 b/debian/ossec-hids/var/ossec/rules/log-entries/1607 deleted file mode 100644 index 5b5c2b9..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1607 +++ /dev/null @@ -1,11 +0,0 @@ -# From log analysis web site -May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped -May 16 22:46:21 victim-host last message repeated 7 times -May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped -May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped -May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped -May 16 22:46:59 victim-host last message repeated 1 time -May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped -May 16 22:47:07 victim-host last message repeated 3 times -May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup -May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1609 b/debian/ossec-hids/var/ossec/rules/log-entries/1609 deleted file mode 100644 index 4614f3d..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1609 +++ /dev/null @@ -1,7 +0,0 @@ -a.out[347] attempt to execute code on stack by uid 555 -Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting... -Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped -Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0 -Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped -Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0 -Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1901 b/debian/ossec-hids/var/ossec/rules/log-entries/1901 deleted file mode 100644 index 9f57e9d..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1901 +++ /dev/null @@ -1,9 +0,0 @@ -Apr 17 22:20:21 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0 -Apr 17 22:20:21 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0 -Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0 -Jan 6 13:39:19 drew named[128838]: dropping source port zero packet from [216.161.67.226].0 -Jan 6 13:39:23 drew named[128838]: dropping source port zero packet from [63.224.229.252].0 -Jan 6 13:39:25 drew named[128838]: dropping source port zero packet from [63.227.214.187].0 -named[3430]: dropping source port zero packet from [209.191.188.93].0 -named[3534]: dropping source port zero packet from [63.226.179.7].0 -named[20627]: dropping source port zero packet from [206.252.159.146].0 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1902 b/debian/ossec-hids/var/ossec/rules/log-entries/1902 deleted file mode 100644 index 51929ce..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1902 +++ /dev/null @@ -1,3 +0,0 @@ -Apr 20 09:14:45 hostname named[98]: denied AXFR from [1.2.3.4].1329 for -"xxxxx.com" (not master/slave) -Mar 1 13:52:03 arcane named[15025]: denied AXFR from [205.166.226.38].1421 for "atfantasy.com" (acl) diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1903 b/debian/ossec-hids/var/ossec/rules/log-entries/1903 deleted file mode 100644 index d064bde..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1903 +++ /dev/null @@ -1,4 +0,0 @@ -Jan 6 13:40:28 drew named[128838]: denied update from [24.64.63.195].41151 for in-addr.arpa -Jan 6 13:40:47 drew named[128838]: denied update from [24.64.63.195].41858 for in-addr.arpa -unapproved update from [132.174.25.169].1848 for 174.132.in-addr.arpa -Dec 31 00:01:31 valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/1905 b/debian/ossec-hids/var/ossec/rules/log-entries/1905 deleted file mode 100644 index 8405803..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/1905 +++ /dev/null @@ -1,3 +0,0 @@ -named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/AAAA/IN': 200.206.159.96#53 - -named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/A/IN': 200.206.159.96#53 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/201 b/debian/ossec-hids/var/ossec/rules/log-entries/201 deleted file mode 100644 index d05692d..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/201 +++ /dev/null @@ -1,4 +0,0 @@ -#Unknown -May 26 12:53:57 atlas kernel: svc: unknown program 100227 (me 100003) -Feb 28 07:46:15 bs11 kernel: svc: unknown program 100227 (me 100003) -Jun 28 09:58:14 poseidon kernel: svc: unknown program 100227 (me 100003) diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/202 b/debian/ossec-hids/var/ossec/rules/log-entries/202 deleted file mode 100644 index ec3425c..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/202 +++ /dev/null @@ -1,6 +0,0 @@ -Mar 30 12:01:25 compute-0-0.local automount[6447]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske -Mar 30 12:01:25 compute-0-0.local automount[6449]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske -Aug 4 12:35:30 localhost automount[7203]: mount(nfs): nfs: mount failure 192.168.1.100:/compile/nfs/107 on /test/107 -Jul 2 22:37:52 gkar automount[2344]: mount(nfs): nfs: mount failure sunray:/exp -Aug 4 12:31:56 localhost automount[5252]: mount(nfs): nfs: mount -failure 192.168.1.100:/compile/nfs/16 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/204 b/debian/ossec-hids/var/ossec/rules/log-entries/204 deleted file mode 100644 index 0cba4c0..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/204 +++ /dev/null @@ -1,4 +0,0 @@ -rpc.mountd: refused mount request from 10.0.0.12 for /home2/files (/): no export entry -Jan 12 08:20:00 gateway rpc.mountd: refused mount request from test.bscnet.com for /mnt (/): no export entry -Jul 5 12:00:53 lili rpc.mountd: refused mount request from enigma for /bin (/): no export entry -Jul 5 12:01:03 lili rpc.mountd: refused mount request from enigma for /etc (/): no export entry diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/2501 b/debian/ossec-hids/var/ossec/rules/log-entries/2501 deleted file mode 100644 index 397dfd5..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/2501 +++ /dev/null @@ -1,28 +0,0 @@ -Nov 9 05:00:07 ensim -proftpd[21141]: ensim.domain.com -(p50832E46.dip.t-dialin.net[80.131 -.46.70]) - FTP session opened. -Nov 9 05:00:09 ensim -proftpd[21141]: ensim.domain.com -(p50832E46.dip.t-dialin.net[80.131 -.46.70]) - no such user -'anonymous' -Nov 9 05:00:14 ensim -proftpd[21141]: ensim.domain.com -(p50832E46.dip.t-dialin.net[80.131 -.46.70]) - FTP session closed. -Nov 9 06:12:41 ensim -proftpd[24994]: ensim.domain.com -(ool-18bba13b.dyn.optonline.net[24 -.187.161.59]) - FTP session -opened. -Nov 9 06:12:41 ensim -proftpd[24994]: ensim.domain.com -(ool-18bba13b.dyn.optonline.net[24 -.187.161.59]) - no such user -'vgodz' -Nov 9 06:12:41 ensim -proftpd[24994]: ensim.domain.com -(ool-18bba13b.dyn.optonline.net[24 -.187.161.59]) - FTP session -closed. diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/2601 b/debian/ossec-hids/var/ossec/rules/log-entries/2601 deleted file mode 100644 index 12c5ba4..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/2601 +++ /dev/null @@ -1,4 +0,0 @@ -pptpd[7282]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available -pptpd[7293]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available -pptpd[7510]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available -pptpd[8916]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/301 b/debian/ossec-hids/var/ossec/rules/log-entries/301 deleted file mode 100644 index 58f0941..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/301 +++ /dev/null @@ -1,2 +0,0 @@ -Jan 25 21:05:40 horus xinetd[4479]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds. -Feb 20 14:54:32 localhost xinetd[717]: Deactivating service nsca due to excessive incoming connections. Restarting in 30 seconds. diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/401 b/debian/ossec-hids/var/ossec/rules/log-entries/401 deleted file mode 100644 index c35122a..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/401 +++ /dev/null @@ -1,10 +0,0 @@ -# freebsd invalid physical login -login: 1 LOGIN FAILURE ON ttyv0 -login: 1 LOGIN FAILURE ON ttyv0, root - -# saslauthd -saslauthd[113]: do_auth : auth failure: [user=SERVERWEB\Administrador] [service=smtp] [realm=] [mech=shadow] [reason=Unknown] - -# Strange sshd logs -sshd[7386]: error: Bad prime description in line 73 -sshd[8143]: error: Bad prime description in line 73 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/403 b/debian/ossec-hids/var/ossec/rules/log-entries/403 deleted file mode 100644 index 9c3b5fc..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/403 +++ /dev/null @@ -1,29 +0,0 @@ -Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown -Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown -Jan 22 10:37:41 frontend-0 ypserv[832]: refused connect from -127.0.0.1:868 -Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from -XX.XX.XX.67 -Feb 21 15:14:36 my_ftp_host in.ftpd[32375]: refused connect from -XX.XX.XX.67 -Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11) - -Jan 14 18:29:26 elrond sshd[26895]: refused connect from pD952714D.dip.t-dialin.net (217.82.113.77) - -Jan 18 21:46:26 elrond sshd[9370]: refused connect from root@cops2.inf.ethz.ch (129.132.134.179) - -Jan 19 19:34:06 elrond sshd[12580]: refused connect from r88m211.cybercable.tm.fr (195.132.88.211) - -Jan 23 13:13:49 elrond sshd[25980]: refused connect from pD9527D56.dip.t-dialin.net (217.82.125.86) - -Jan 24 19:26:26 elrond sshd[30479]: refused connect from pD95279BD.dip.t-dialin.net (217.82.121.189) - -Jan 27 07:33:48 elrond sshd[7899]: refused connect from root@194.213.255.84 (194.213.255.84) - -Jan 31 20:48:07 elrond sshd[26946]: refused connect from wwwstud.hsk.no (158.36.81.145) - -Feb 1 01:30:49 elrond sshd[27872]: refused connect from co101359-a.olden1.ov.nl.home.com (213.51.84.16) - -Feb 4 07:06:59 elrond sshd[7766]: refused connect from moosrose.onlineunit.de (195.254.38.131) - -Feb 10 22:22:49 elrond sshd[2592]: refused connect from root@62.138.38.142 (62.138.38.142) diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/408 b/debian/ossec-hids/var/ossec/rules/log-entries/408 deleted file mode 100644 index d11f1a7..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/408 +++ /dev/null @@ -1,2 +0,0 @@ -#Red Hat -Feb 4 16:54:28 niban login[1074]: FAILED LOGIN 1 FROM (null) FOR dcid, Authentication failure diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/409 b/debian/ossec-hids/var/ossec/rules/log-entries/409 deleted file mode 100644 index 753d169..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/409 +++ /dev/null @@ -1,7 +0,0 @@ -#FreeBSD -Feb 15 14:32:20 freebsd-1 sshd[1374]: Illegal user dcid from 192.168.1.2 -Feb 15 16:11:56 freebsd-1 sshd[2690]: Illegal user dcid from 192.168.10.153 -Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 -Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 -Aug 1 15:44:11 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 -Aug 1 15:44:11 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/access-control b/debian/ossec-hids/var/ossec/rules/log-entries/access-control deleted file mode 100644 index a3cef58..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/access-control +++ /dev/null @@ -1,13 +0,0 @@ -# Terminal failure -Apr 27 17:27:19 niban login(pam_unix)[1059]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=root -Apr 27 17:27:21 niban login[1059]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure -# ssh (pam) failure -Apr 27 17:33:59 niban sshd(pam_unix)[9420]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=dcid -Apr 27 17:34:04 niban sshd(pam_unix)[9420]: 1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=dcid -# ssh failure root -Apr 27 17:34:26 niban sshd(pam_unix)[9425]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=root - -# SSHD failed password -Apr 27 17:34:04 niban sshd[9420]: Failed password for dcid from 10.4.12.26 port 40137 ssh2 -Apr 27 17:34:28 niban sshd[9425]: Failed password for root from 10.4.12.26 port 40138 ssh2 - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/apache-error.logs b/debian/ossec-hids/var/ossec/rules/log-entries/apache-error.logs deleted file mode 100644 index 79db714..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/apache-error.logs +++ /dev/null @@ -1,39 +0,0 @@ -[Thu Dec 15 23:49:07 2005] [error] [client 85.107.239.37] client denied by server configuration: /home/myuser/wwwhome/.htm, referer: http://www.example.com/~user7/laodikeiaproject.htm?pswd=hhh -[Mon Dec 19 18:04:14 2005] [error] [client 85.107.239.37] client denied by server configuration: /home/johndoe/wwwhome/index2.html, referer: http://www.server.com/~refuser/gatekeep.html -[Mon Dec 19 18:46:05 2005] [error] [client 81.213.203.103] client denied by server configuration: /apache/web-data/htdocs/home/wwwrd/rcilo/announce/, referer: http://webmail.academia.edu/0/_top - - -[Fri Dec 16 01:46:23 2005] [error] [client 80.230.208.105] Directory index forbidden by rule: /home/inst1/wwwhome/courses/es301/ -[Fri Dec 16 01:54:34 2005] [error] [client 131.193.170.106] Directory index forbidden by rule: /apache/web-data/hteng/home/ker/16imfiles/photos/1999cn/ -[Fri Dec 16 02:05:46 2005] [error] [client 195.229.242.53] Directory index forbidden by rule: /apache/web-data/htdocs/home/tuniv/assets/damascus3/ -[Fri Dec 16 11:02:09 2005] [error] [client 139.177.32.34] Directory index forbidden by rule: /apache/web-data/htdocs/home/maiam/research/groups, referer: http://www.akademi.edu.tr/research/groups/index.html - - -[Fri Dec 16 02:25:55 2005] [error] [client 64.94.163.159] Client sent malformed Host header -[Fri Dec 16 03:10:11 2005] [error] [client 64.94.163.159] Client sent malformed Host header -[Fri Dec 16 04:04:36 2005] [error] [client 64.94.163.159] Client sent malformed Host header -[Fri Dec 16 05:26:09 2005] [error] [client 64.94.163.137] Client sent malformed Host header - - -[Mon Dec 19 19:29:17 2005] [warn] [client 85.98.37.115] [315546] auth_ldap authenticate: user administrator authentication failed; URI /exam/inter/Announce.htm [User not found][No such object], referer: http://www.akademi.edu.tr/ -[Mon Dec 19 20:35:25 2005] [warn] [client 213.139.197.178] [307420] auth_ldap authenticate: user user7 authentication failed; URI /exam/inter/Announce.htm [User not found][No such object], referer: http://www.akademi.edu.tr/ -[Mon Dec 19 22:06:34 2005] [warn] [client 85.101.143.252] [360448] auth_ldap authenticate: user user9 authentication failed; URI /files/pg/app_web/index.php [User not found][No such object], referer: http://www.example.com/index.php?sub=list - - -[Mon Dec 19 23:01:11 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt -[Mon Dec 19 23:01:13 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt -[Mon Dec 19 23:01:14 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt - - -[Mon Dec 19 23:02:01 2005] [error] [client 85.105.120.139] user oahmet: authentication failure for "/~oahmet/gunce/ss.txt": Password Mismatch -[Mon Dec 19 23:02:05 2005] [error] [client 85.105.120.139] user oahmet: authentication failure for "/~oahmet/gunce/ss.txt": Password Mismatch - - -Sun Aug 5 16:23:04 2001] [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida -[Sun Aug 5 16:26:02 2001] [error] [client 66.31.68.147] File does not exist: /var/www/html/default.ida -[Sun Aug 5 16:32:01 2001] [error] [client 66.31.101.12] File does not exist: /var/www/html/default.ida - -[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190) -[Tue Sep 12 10:39:38 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190) -[Tue Sep 12 10:40:17 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190) -[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/cisco-ios-ids b/debian/ossec-hids/var/ossec/rules/log-entries/cisco-ios-ids deleted file mode 100644 index 7e109ff..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/cisco-ios-ids +++ /dev/null @@ -1,25 +0,0 @@ -Sep 1 10:24:59 10.10.10.1 %SYS-5-CONFIG_I: Configured from console by console -Sep 1 10:25:18 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:49871 -> 10.10.10.10:80] -Sep 1 10:25:18 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59591 -> 10.10.10.10:80] -Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444] -Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80] -Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80] -Sep 1 10:25:30 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59816 -> 10.10.10.10:4444] -Sep 1 10:26:52 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1232 -> 192.168.100.1:443] -Sep 1 10:29:24 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1233 -> 192.168.100.1:443] -Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443] -Sep 1 10:29:37 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1235 -> 192.168.100.1:443] -Sep 1 10:30:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1236 -> 192.168.100.1:443] -Sep 1 10:31:44 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1237 -> 192.168.100.1:443] -Sep 1 10:31:55 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1238 -> 192.168.100.1:443] -Sep 1 10:33:30 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1239 -> 192.168.100.1:443] -Sep 1 10:34:27 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1240 -> 192.168.100.1:443] -Sep 1 10:36:09 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1241 -> 192.168.100.1:443] -Sep 1 10:36:12 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1242 -> 192.168.100.1:443] -Sep 1 10:36:14 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1243 -> 192.168.100.1:443] -Sep 1 10:37:28 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1244 -> 192.168.100.1:443] -Sep 1 10:38:08 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1245 -> 192.168.100.1:443] -Sep 1 10:38:36 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:0 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:59633 -> 10.10.10.10:80] -%IPS-4-SIGNATURE: Sig:5769 Subsig:0 Sev:4 Malformed HTTP Request [192.168.100.11:59633 -> 10.10.10.10:80] -%IPS-4-SIGNATURE: Sig:5123 Subsig:0 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:59633 -> 10.10.10.10:80] -%IPS-4-SIGNATURE: Sig:5769 Subsig:0 Sev:4 Malformed HTTP Request [192.168.100.11:59633 -> 10.10.10.10:80] diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/ciscoios b/debian/ossec-hids/var/ossec/rules/log-entries/ciscoios deleted file mode 100644 index ce1bd35..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/ciscoios +++ /dev/null @@ -1,9 +0,0 @@ -Jul 10 16:07:14 cisco2621 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet -%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.40.16(3059) -> 10.0.4.101(1060), 2 packets -%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.16.16(2179) -> 10.0.4.101(1060), 1 packet -%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.32.16(4206) -> 10.0.4.101(1060), 2 packets -%SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet -Jul 10 16:07:14 1.2.3.4 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1469) -> 10.0.127.12(445), 1 packet -%SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1496) -> 10.0.127.39(445), 1 packet -%SEC-6-IPACCESSLOGP: list 100 denied udp 200.174.153.126(1028) -> 66.81.85.65(137), 1 packet -Jul 10 16:07:14 myhost1 %SEC-6-IPACCESSLOGP: list 100 denied udp 195.23.72.148(1026) -> 66.81.85.65(137), 1 packet diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/ftpd b/debian/ossec-hids/var/ossec/rules/log-entries/ftpd deleted file mode 100644 index 757eb3a..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/ftpd +++ /dev/null @@ -1,15 +0,0 @@ -May 28 19:38:24 valhalla ftpd[24474]: FTPD: IMPORT file local /mnt/1//ide9/s09099/public_html/tasarim_files/akis.bmp, remote -Jun 1 22:50:26 valhalla ftpd[22898]: FTPD: IMPORT file local oledata.mso, remote -May 28 15:14:02 valhalla ftpd[28616]: FTPD: EXPORT file local , remote Analiz.html -May 28 21:40:31 valhalla ftpd[28432]: FTPD: EXPORT file local , remote arrows_up.gif -May 28 15:50:36 valhalla ftpd[28370]: connection from dsl.static8596180144.ttnet.net.tr at Sun May 28 15:50:36 2006 -May 28 15:50:36 valhalla ftpd[28370]: FTP LOGIN FROM dsl.static8596180144.ttnet.net.tr, user12 -May 29 11:04:16 queen ftpd[417946]: connect from vlh102.tncc.mu.edu -Jun 3 02:32:37 queen ftpd[418042]: refused connect from y-oper.labs.mu.edu -Jun 3 13:37:10 queen ftpd[327802]: refused connect from 85.99.150.230 -Jun 3 11:38:08 queen ftpd[491744]: warning: can't verify hostname: gethostbyname(dsl85-102-24474.ttnet.net.tr) failed -Jun 3 07:46:16 arguvan in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168 -Jun 1 16:16:26 valhalla ftpd[39056]: repeated login failures from dsl.dynamic859622181.ttnet.net.tr -Jun 2 16:44:05 valhalla ftpd[28662]: repeated login failures from 192.168.4.5 -May 28 15:52:51 valhalla ftpd[27654]: User oahmet timed out after 900 seconds at Sun May 28 15:52:51 2006 -May 30 00:06:23 valhalla ftpd[11452]: User redsp timed out after 900 seconds at Tue May 30 00:06:23 2006 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/iis6 b/debian/ossec-hids/var/ossec/rules/log-entries/iis6 deleted file mode 100644 index e5a3207..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/iis6 +++ /dev/null @@ -1,4 +0,0 @@ -2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31 -2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 400 0 0 1467 841 31 -2007-01-23 05:00:11 W3SVC22 xxx.ossec.net 1.2.3.4 GET / - 80 - 192.168.2.33 HTTP/1.1 Windows-Update-Agent - - myhost.name 500 0 0 1467 841 31 -2005-05-21 05:39:27 W3SVC1 hostname123 192.168.0.101 GET /VirtualServerError/VSWebApp.exe view=1 1024 WEBBROWSER\User 192.168.0.101 HTTP/1.0 Mozilla/4.0+(User-Agent) - - xx.nada.com 200 0 0 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/imapd b/debian/ossec-hids/var/ossec/rules/log-entries/imapd deleted file mode 100644 index a77d05e..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/imapd +++ /dev/null @@ -1,1126 +0,0 @@ -May 7 13:40:14 gaucha imapd[26772]: imap service init from 200.255.5.8 -May 7 13:40:14 gaucha imapd[26772]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:14 gaucha imapd[26772]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:20 gaucha imapd[26788]: imap service init from 200.255.5.8 -May 7 13:40:20 gaucha imapd[26788]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:21 gaucha imapd[26788]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:25 gaucha imapd[26792]: imap service init from 200.255.5.8 -May 7 13:40:25 gaucha imapd[26792]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:25 gaucha imapd[26792]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:33 gaucha imapd[26801]: imap service init from 200.255.5.8 -May 7 13:40:33 gaucha imapd[26801]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:33 gaucha imapd[26801]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:38 gaucha imapd[26803]: imap service init from 200.255.5.8 -May 7 13:40:38 gaucha imapd[26803]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:39 gaucha imapd[26803]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:45 gaucha imapd[26810]: imap service init from 200.255.5.8 -May 7 13:40:45 gaucha imapd[26810]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:45 gaucha imapd[26810]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:55 gaucha imapd[26820]: imap service init from 200.255.5.8 -May 7 13:40:55 gaucha imapd[26820]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:40:55 gaucha imapd[26820]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:24 gaucha imapd[26906]: imap service init from 200.255.5.8 -May 7 13:41:24 gaucha imapd[26906]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:25 gaucha imapd[26906]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:25 gaucha imapd[26908]: imap service init from 200.255.5.8 -May 7 13:41:25 gaucha imapd[26908]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:25 gaucha imapd[26908]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:39 gaucha imapd[26924]: imap service init from 200.255.5.8 -May 7 13:41:39 gaucha imapd[26924]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:40 gaucha imapd[26924]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:43 gaucha imapd[26932]: imap service init from 200.255.5.8 -May 7 13:41:43 gaucha imapd[26932]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:44 gaucha imapd[26932]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:59 gaucha imapd[26953]: imap service init from 200.255.5.8 -May 7 13:41:59 gaucha imapd[26953]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:41:59 gaucha imapd[26953]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:00 gaucha imapd[26959]: imap service init from 200.255.5.8 -May 7 13:42:00 gaucha imapd[26959]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:00 gaucha imapd[26959]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:19 gaucha imapd[27019]: imap service init from 200.255.5.8 -May 7 13:42:19 gaucha imapd[27019]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:21 gaucha imapd[27019]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:48 gaucha imapd[27094]: imap service init from 200.255.5.8 -May 7 13:42:48 gaucha imapd[27094]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:48 gaucha imapd[27094]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:48 gaucha imapd[27096]: imap service init from 200.255.5.8 -May 7 13:42:48 gaucha imapd[27096]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:42:48 gaucha imapd[27096]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:51:53 gaucha imapd[27832]: imap service init from 200.255.5.8 -May 7 13:51:56 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:51:59 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:02 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:02 gaucha imapd[27832]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:41 gaucha imapd[27991]: imap service init from 200.255.5.8 -May 7 13:52:44 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:47 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:50 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:50 gaucha imapd[27991]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:51 gaucha imapd[27999]: imap service init from 200.255.5.8 -May 7 13:52:54 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:52:57 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:53:00 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:53:00 gaucha imapd[27999]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:53:39 gaucha imapd[28041]: imap service init from 200.255.5.8 -May 7 13:53:42 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:53:45 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:53:48 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:53:48 gaucha imapd[28041]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:10 gaucha imapd[28129]: imap service init from 200.255.5.8 -May 7 13:54:13 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:16 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:19 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:19 gaucha imapd[28129]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:39 gaucha imapd[28170]: imap service init from 200.255.5.8 -May 7 13:54:42 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:45 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:48 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:54:48 gaucha imapd[28170]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:55:37 gaucha imapd[28236]: imap service init from 200.255.5.8 -May 7 13:55:40 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:55:43 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:55:46 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:55:46 gaucha imapd[28236]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:56:23 gaucha imapd[28311]: imap service init from 200.255.5.8 -May 7 13:56:27 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:56:30 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:56:33 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:56:33 gaucha imapd[28311]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:08 gaucha imapd[28414]: imap service init from 200.255.5.8 -May 7 13:57:08 gaucha imapd[28414]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:08 gaucha imapd[28414]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:08 gaucha imapd[28416]: imap service init from 200.255.5.8 -May 7 13:57:08 gaucha imapd[28416]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:10 gaucha imapd[28416]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:16 gaucha imapd[28424]: imap service init from 200.255.5.8 -May 7 13:57:17 gaucha imapd[28424]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:17 gaucha imapd[28424]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:17 gaucha imapd[28425]: imap service init from 200.255.5.8 -May 7 13:57:17 gaucha imapd[28425]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:17 gaucha imapd[28425]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:56 gaucha imapd[28469]: imap service init from 200.255.5.8 -May 7 13:57:56 gaucha imapd[28469]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:57:57 gaucha imapd[28469]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:11 gaucha imapd[28538]: imap service init from 200.255.5.8 -May 7 13:58:11 gaucha imapd[28538]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:11 gaucha imapd[28538]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:12 gaucha imapd[28539]: imap service init from 200.255.5.8 -May 7 13:58:12 gaucha imapd[28539]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:12 gaucha imapd[28539]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:12 gaucha imapd[28541]: imap service init from 200.255.5.8 -May 7 13:58:12 gaucha imapd[28541]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:12 gaucha imapd[28541]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:20 gaucha imapd[28553]: imap service init from 200.255.5.8 -May 7 13:58:20 gaucha imapd[28553]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:20 gaucha imapd[28553]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:24 gaucha imapd[28557]: imap service init from 200.255.5.8 -May 7 13:58:24 gaucha imapd[28557]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:24 gaucha imapd[28557]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:50 gaucha imapd[28646]: imap service init from 200.255.5.8 -May 7 13:58:50 gaucha imapd[28646]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:58:50 gaucha imapd[28646]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:12 gaucha imapd[28691]: imap service init from 200.255.5.8 -May 7 13:59:12 gaucha imapd[28691]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:13 gaucha imapd[28691]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:13 gaucha imapd[28692]: imap service init from 200.255.5.8 -May 7 13:59:13 gaucha imapd[28692]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:13 gaucha imapd[28692]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:39 gaucha imapd[28713]: imap service init from 200.255.5.8 -May 7 13:59:39 gaucha imapd[28713]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:39 gaucha imapd[28713]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:40 gaucha imapd[28714]: imap service init from 200.255.5.8 -May 7 13:59:40 gaucha imapd[28714]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:40 gaucha imapd[28714]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:43 gaucha imapd[28718]: imap service init from 200.255.5.8 -May 7 13:59:43 gaucha imapd[28718]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 13:59:43 gaucha imapd[28718]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:00:51 gaucha imapd[28821]: imap service init from 200.255.5.8 -May 7 14:00:53 gaucha imapd[28824]: imap service init from 200.255.5.8 -May 7 14:00:53 gaucha imapd[28824]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:00:53 gaucha imapd[28824]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:00:54 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:00:57 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:00 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:00 gaucha imapd[28821]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:04 gaucha imapd[28827]: imap service init from 200.255.5.8 -May 7 14:01:04 gaucha imapd[28827]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:04 gaucha imapd[28827]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:27 gaucha imapd[28910]: imap service init from 200.255.5.8 -May 7 14:01:27 gaucha imapd[28910]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:27 gaucha imapd[28910]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:31 gaucha imapd[28912]: imap service init from 200.255.5.8 -May 7 14:01:34 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:37 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:40 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:40 gaucha imapd[28912]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:50 gaucha imapd[28938]: imap service init from 200.255.5.8 -May 7 14:01:50 gaucha imapd[28938]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:01:50 gaucha imapd[28938]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:07 gaucha imapd[28959]: imap service init from 200.255.5.8 -May 7 14:02:10 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:11 gaucha imapd[28968]: imap service init from 200.255.5.8 -May 7 14:02:11 gaucha imapd[28968]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:11 gaucha imapd[28968]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:13 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:16 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:16 gaucha imapd[28959]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:16 gaucha imapd[28977]: imap service init from 200.255.5.8 -May 7 14:02:18 gaucha imapd[28978]: imap service init from 200.255.5.8 -May 7 14:02:18 gaucha imapd[28978]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:18 gaucha imapd[28978]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:19 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:22 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:25 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:25 gaucha imapd[28977]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:25 gaucha imapd[28988]: imap service init from 200.255.5.8 -May 7 14:02:28 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:31 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:34 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:34 gaucha imapd[28988]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:42 gaucha imapd[29001]: imap service init from 200.255.5.8 -May 7 14:02:42 gaucha imapd[29001]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:02:42 gaucha imapd[29001]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:03:44 gaucha imapd[29105]: imap service init from 200.255.5.8 -May 7 14:03:44 gaucha imapd[29105]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:03:44 gaucha imapd[29105]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:04:25 gaucha imapd[29565]: imap service init from 200.255.5.8 -May 7 14:04:25 gaucha imapd[29565]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:04:25 gaucha imapd[29565]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:05:14 gaucha imapd[29645]: imap service init from 200.255.5.8 -May 7 14:05:14 gaucha imapd[29645]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:05:14 gaucha imapd[29645]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:34 gaucha imapd[30752]: imap service init from 200.255.5.8 -May 7 14:18:34 gaucha imapd[30752]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:34 gaucha imapd[30752]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:34 gaucha imapd[30754]: imap service init from 200.255.5.8 -May 7 14:18:34 gaucha imapd[30754]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:43 gaucha imapd[30754]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:47 gaucha imapd[30766]: imap service init from 200.255.5.8 -May 7 14:18:47 gaucha imapd[30766]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:48 gaucha imapd[30766]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:55 gaucha imapd[30769]: imap service init from 200.255.5.8 -May 7 14:18:55 gaucha imapd[30769]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:55 gaucha imapd[30769]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:56 gaucha imapd[30772]: imap service init from 200.255.5.8 -May 7 14:18:56 gaucha imapd[30772]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:18:59 gaucha imapd[30772]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:19:03 gaucha imapd[30779]: imap service init from 200.255.5.8 -May 7 14:19:03 gaucha imapd[30779]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:19:04 gaucha imapd[30779]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:19:30 gaucha imapd[30793]: imap service init from 200.255.5.8 -May 7 14:19:30 gaucha imapd[30793]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:19:30 gaucha imapd[30793]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:19:46 gaucha imapd[30813]: imap service init from 200.255.5.8 -May 7 14:19:46 gaucha imapd[30813]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:19:46 gaucha imapd[30813]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:20:04 gaucha imapd[30831]: imap service init from 200.255.5.8 -May 7 14:20:04 gaucha imapd[30831]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:20:04 gaucha imapd[30831]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:21:52 gaucha imapd[31001]: imap service init from 200.255.5.8 -May 7 14:21:52 gaucha imapd[31001]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:21:52 gaucha imapd[31001]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:26:30 gaucha imapd[31461]: imap service init from 200.255.5.8 -May 7 14:26:33 gaucha imapd[31461]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:26:39 gaucha imapd[31461]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:26:45 gaucha imapd[31480]: imap service init from 200.255.5.8 -May 7 14:26:45 gaucha imapd[31480]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:26:45 gaucha imapd[31480]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:26:45 gaucha imapd[31481]: imap service init from 200.255.5.8 -May 7 14:26:45 gaucha imapd[31481]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:26:45 gaucha imapd[31481]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:08 gaucha imapd[31495]: imap service init from 200.255.5.8 -May 7 14:27:08 gaucha imapd[31495]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:08 gaucha imapd[31495]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:11 gaucha imapd[31497]: imap service init from 200.255.5.8 -May 7 14:27:11 gaucha imapd[31497]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:11 gaucha imapd[31497]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:13 gaucha imapd[31500]: imap service init from 200.255.5.8 -May 7 14:27:13 gaucha imapd[31500]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:13 gaucha imapd[31500]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:55 gaucha imapd[31531]: imap service init from 200.255.5.8 -May 7 14:27:55 gaucha imapd[31531]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:55 gaucha imapd[31531]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:59 gaucha imapd[31542]: imap service init from 200.255.5.8 -May 7 14:27:59 gaucha imapd[31542]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:27:59 gaucha imapd[31542]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:00 gaucha imapd[31543]: imap service init from 200.255.5.8 -May 7 14:28:00 gaucha imapd[31543]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:00 gaucha imapd[31543]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:16 gaucha imapd[31574]: imap service init from 200.255.5.8 -May 7 14:28:16 gaucha imapd[31574]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:16 gaucha imapd[31574]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:20 gaucha imapd[31582]: imap service init from 200.255.5.8 -May 7 14:28:20 gaucha imapd[31582]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:20 gaucha imapd[31582]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:23 gaucha imapd[31588]: imap service init from 200.255.5.8 -May 7 14:28:23 gaucha imapd[31588]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:24 gaucha imapd[31588]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:38 gaucha imapd[31599]: imap service init from 200.255.5.8 -May 7 14:28:38 gaucha imapd[31599]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:38 gaucha imapd[31599]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:41 gaucha imapd[31602]: imap service init from 200.255.5.8 -May 7 14:28:41 gaucha imapd[31602]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:41 gaucha imapd[31602]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:46 gaucha imapd[31605]: imap service init from 200.255.5.8 -May 7 14:28:46 gaucha imapd[31605]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:46 gaucha imapd[31605]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:50 gaucha imapd[31611]: imap service init from 200.255.5.8 -May 7 14:28:50 gaucha imapd[31611]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:28:50 gaucha imapd[31611]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:11 gaucha imapd[31848]: imap service init from 200.255.5.8 -May 7 14:31:11 gaucha imapd[31848]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:11 gaucha imapd[31848]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:11 gaucha imapd[31849]: imap service init from 200.255.5.8 -May 7 14:31:11 gaucha imapd[31849]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:11 gaucha imapd[31849]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:15 gaucha imapd[31858]: imap service init from 200.255.5.8 -May 7 14:31:15 gaucha imapd[31858]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:15 gaucha imapd[31858]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:24 gaucha imapd[31873]: imap service init from 200.255.5.8 -May 7 14:31:24 gaucha imapd[31873]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:24 gaucha imapd[31873]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:26 gaucha imapd[31875]: imap service init from 200.255.5.8 -May 7 14:31:26 gaucha imapd[31875]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:26 gaucha imapd[31875]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:30 gaucha imapd[31879]: imap service init from 200.255.5.8 -May 7 14:31:30 gaucha imapd[31879]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:30 gaucha imapd[31879]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:32 gaucha imapd[31881]: imap service init from 200.255.5.8 -May 7 14:31:32 gaucha imapd[31881]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:31:32 gaucha imapd[31881]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:00 gaucha imapd[32375]: imap service init from 200.255.5.8 -May 7 14:36:00 gaucha imapd[32375]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:00 gaucha imapd[32375]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:04 gaucha imapd[32381]: imap service init from 200.255.5.8 -May 7 14:36:04 gaucha imapd[32381]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:04 gaucha imapd[32381]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:06 gaucha imapd[32385]: imap service init from 200.255.5.8 -May 7 14:36:06 gaucha imapd[32385]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:06 gaucha imapd[32385]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:15 gaucha imapd[32442]: imap service init from 200.255.5.8 -May 7 14:36:15 gaucha imapd[32442]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:15 gaucha imapd[32442]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:21 gaucha imapd[32443]: imap service init from 200.255.5.8 -May 7 14:36:21 gaucha imapd[32443]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:36:21 gaucha imapd[32443]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:14 gaucha imapd[32479]: imap service init from 200.255.5.8 -May 7 14:37:14 gaucha imapd[32479]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:15 gaucha imapd[32479]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:15 gaucha imapd[32485]: imap service init from 200.255.5.8 -May 7 14:37:15 gaucha imapd[32485]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:15 gaucha imapd[32485]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:18 gaucha imapd[32488]: imap service init from 200.255.5.8 -May 7 14:37:18 gaucha imapd[32488]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:18 gaucha imapd[32488]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:19 gaucha imapd[32489]: imap service init from 200.255.5.8 -May 7 14:37:19 gaucha imapd[32489]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:19 gaucha imapd[32489]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:20 gaucha imapd[32493]: imap service init from 200.255.5.8 -May 7 14:37:20 gaucha imapd[32493]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:20 gaucha imapd[32493]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:20 gaucha imapd[32494]: imap service init from 200.255.5.8 -May 7 14:37:20 gaucha imapd[32494]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:20 gaucha imapd[32494]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:25 gaucha imapd[32502]: imap service init from 200.255.5.8 -May 7 14:37:25 gaucha imapd[32502]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:25 gaucha imapd[32502]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:25 gaucha imapd[32503]: imap service init from 200.255.5.8 -May 7 14:37:25 gaucha imapd[32503]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:25 gaucha imapd[32503]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:34 gaucha imapd[32508]: imap service init from 200.255.5.8 -May 7 14:37:34 gaucha imapd[32508]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:34 gaucha imapd[32508]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:34 gaucha imapd[32509]: imap service init from 200.255.5.8 -May 7 14:37:34 gaucha imapd[32509]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:34 gaucha imapd[32509]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:45 gaucha imapd[32520]: imap service init from 200.255.5.8 -May 7 14:37:45 gaucha imapd[32520]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:37:45 gaucha imapd[32520]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:22 gaucha imapd[32552]: imap service init from 200.255.5.8 -May 7 14:38:22 gaucha imapd[32552]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:22 gaucha imapd[32552]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:25 gaucha imapd[32555]: imap service init from 200.255.5.8 -May 7 14:38:28 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:31 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:34 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:34 gaucha imapd[32555]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:38 gaucha imapd[32574]: imap service init from 200.255.5.8 -May 7 14:38:38 gaucha imapd[32574]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:38 gaucha imapd[32574]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:47 gaucha imapd[32590]: imap service init from 200.255.5.8 -May 7 14:38:47 gaucha imapd[32590]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:47 gaucha imapd[32590]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:48 gaucha imapd[32591]: imap service init from 200.255.5.8 -May 7 14:38:48 gaucha imapd[32591]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:38:49 gaucha imapd[32591]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:39:20 gaucha imapd[32640]: imap service init from 200.255.5.8 -May 7 14:39:20 gaucha imapd[32640]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:39:21 gaucha imapd[32640]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:39:26 gaucha imapd[32648]: imap service init from 200.255.5.8 -May 7 14:39:26 gaucha imapd[32648]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:39:26 gaucha imapd[32648]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:06 gaucha imapd[32713]: imap service init from 200.255.5.8 -May 7 14:40:06 gaucha imapd[32713]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:06 gaucha imapd[32713]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:07 gaucha imapd[32716]: imap service init from 200.255.5.8 -May 7 14:40:07 gaucha imapd[32716]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:07 gaucha imapd[32716]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:11 gaucha imapd[32717]: imap service init from 200.255.5.8 -May 7 14:40:11 gaucha imapd[32717]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:12 gaucha imapd[32717]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:18 gaucha imapd[32729]: imap service init from 200.255.5.8 -May 7 14:40:18 gaucha imapd[32729]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:18 gaucha imapd[32729]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:24 gaucha imapd[32733]: imap service init from 200.255.5.8 -May 7 14:40:24 gaucha imapd[32733]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:24 gaucha imapd[32733]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:25 gaucha imapd[32734]: imap service init from 200.255.5.8 -May 7 14:40:25 gaucha imapd[32734]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:25 gaucha imapd[32734]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:41 gaucha imapd[32750]: imap service init from 200.255.5.8 -May 7 14:40:41 gaucha imapd[32750]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:41 gaucha imapd[32750]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:54 gaucha imapd[32766]: imap service init from 200.255.5.8 -May 7 14:40:54 gaucha imapd[32766]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:54 gaucha imapd[32766]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:58 gaucha imapd[304]: imap service init from 200.255.5.8 -May 7 14:40:58 gaucha imapd[304]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:59 gaucha imapd[304]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:59 gaucha imapd[309]: imap service init from 200.255.5.8 -May 7 14:40:59 gaucha imapd[309]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:40:59 gaucha imapd[309]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:03 gaucha imapd[311]: imap service init from 200.255.5.8 -May 7 14:41:03 gaucha imapd[311]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:03 gaucha imapd[311]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:14 gaucha imapd[341]: imap service init from 200.255.5.8 -May 7 14:41:14 gaucha imapd[341]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:14 gaucha imapd[341]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:22 gaucha imapd[352]: imap service init from 200.255.5.8 -May 7 14:41:22 gaucha imapd[352]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:22 gaucha imapd[352]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:32 gaucha imapd[367]: imap service init from 200.255.5.8 -May 7 14:41:32 gaucha imapd[367]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:41:32 gaucha imapd[367]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:37 gaucha imapd[1357]: imap service init from 200.255.5.8 -May 7 14:50:37 gaucha imapd[1357]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:37 gaucha imapd[1357]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:37 gaucha imapd[1359]: imap service init from 200.255.5.8 -May 7 14:50:37 gaucha imapd[1359]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:38 gaucha imapd[1359]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:49 gaucha imapd[1380]: imap service init from 200.255.5.8 -May 7 14:50:49 gaucha imapd[1380]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:49 gaucha imapd[1380]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:58 gaucha imapd[1390]: imap service init from 200.255.5.8 -May 7 14:50:58 gaucha imapd[1390]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:50:58 gaucha imapd[1390]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:51:05 gaucha imapd[1456]: imap service init from 200.255.5.8 -May 7 14:51:05 gaucha imapd[1456]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:51:05 gaucha imapd[1456]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:51:10 gaucha imapd[1466]: imap service init from 200.255.5.8 -May 7 14:51:10 gaucha imapd[1466]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:51:10 gaucha imapd[1466]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:51:19 gaucha imapd[1540]: imap service init from 200.255.5.8 -May 7 14:51:19 gaucha imapd[1540]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:51:19 gaucha imapd[1540]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:55:51 gaucha imapd[2016]: imap service init from 200.255.5.8 -May 7 14:55:51 gaucha imapd[2016]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:55:51 gaucha imapd[2016]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:55:52 gaucha imapd[2019]: imap service init from 200.255.5.8 -May 7 14:55:52 gaucha imapd[2019]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:55:52 gaucha imapd[2019]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:56:26 gaucha imapd[2103]: imap service init from 200.255.5.8 -May 7 14:56:26 gaucha imapd[2103]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:56:26 gaucha imapd[2103]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:56:28 gaucha imapd[2108]: imap service init from 200.255.5.8 -May 7 14:56:28 gaucha imapd[2108]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 14:56:28 gaucha imapd[2108]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:10 gaucha imapd[2571]: imap service init from 200.255.5.8 -May 7 15:01:10 gaucha imapd[2571]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:10 gaucha imapd[2571]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:11 gaucha imapd[2574]: imap service init from 200.255.5.8 -May 7 15:01:11 gaucha imapd[2574]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:12 gaucha imapd[2574]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:17 gaucha imapd[2579]: imap service init from 200.255.5.8 -May 7 15:01:17 gaucha imapd[2579]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:17 gaucha imapd[2579]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:20 gaucha imapd[2583]: imap service init from 200.255.5.8 -May 7 15:01:20 gaucha imapd[2583]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:20 gaucha imapd[2583]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:21 gaucha imapd[2586]: imap service init from 200.255.5.8 -May 7 15:01:21 gaucha imapd[2586]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:21 gaucha imapd[2586]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:23 gaucha imapd[2591]: imap service init from 200.255.5.8 -May 7 15:01:23 gaucha imapd[2591]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:32 gaucha imapd[2591]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:45 gaucha imapd[2622]: imap service init from 200.255.5.8 -May 7 15:01:45 gaucha imapd[2622]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:01:45 gaucha imapd[2622]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:27 gaucha imapd[2694]: imap service init from 200.255.5.8 -May 7 15:02:27 gaucha imapd[2694]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:27 gaucha imapd[2694]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:32 gaucha imapd[2704]: imap service init from 200.255.5.8 -May 7 15:02:32 gaucha imapd[2704]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:32 gaucha imapd[2704]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:39 gaucha imapd[2707]: imap service init from 200.255.5.8 -May 7 15:02:39 gaucha imapd[2707]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:39 gaucha imapd[2707]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:51 gaucha imapd[2716]: imap service init from 200.255.5.8 -May 7 15:02:51 gaucha imapd[2716]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:02:51 gaucha imapd[2716]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:00 gaucha imapd[2723]: imap service init from 200.255.5.8 -May 7 15:03:00 gaucha imapd[2723]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:00 gaucha imapd[2723]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:22 gaucha imapd[2760]: imap service init from 200.255.5.8 -May 7 15:03:22 gaucha imapd[2760]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:22 gaucha imapd[2760]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:27 gaucha imapd[2765]: imap service init from 200.255.5.8 -May 7 15:03:27 gaucha imapd[2765]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:28 gaucha imapd[2765]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:50 gaucha imapd[2787]: imap service init from 200.255.5.8 -May 7 15:03:50 gaucha imapd[2787]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:50 gaucha imapd[2787]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:57 gaucha imapd[2802]: imap service init from 200.255.5.8 -May 7 15:03:57 gaucha imapd[2802]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:03:57 gaucha imapd[2802]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:04:01 gaucha imapd[2806]: imap service init from 200.255.5.8 -May 7 15:04:01 gaucha imapd[2806]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:04:03 gaucha imapd[2806]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:04:26 gaucha imapd[2846]: imap service init from 200.255.5.8 -May 7 15:04:26 gaucha imapd[2846]: Authenticated user=tupa8 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:04:26 gaucha imapd[2846]: Logout user=tupa8 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:04:26 gaucha imapd[2847]: imap service init from 200.255.5.8 -May 7 15:04:26 gaucha imapd[2847]: Authenticated user=tupa8 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:04:26 gaucha imapd[2847]: Logout user=tupa8 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:38 gaucha imapd[2983]: imap service init from 200.255.5.8 -May 7 15:06:38 gaucha imapd[2983]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:38 gaucha imapd[2983]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:38 gaucha imapd[2984]: imap service init from 200.255.5.8 -May 7 15:06:38 gaucha imapd[2984]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:38 gaucha imapd[2984]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:43 gaucha imapd[2985]: imap service init from 200.255.5.8 -May 7 15:06:43 gaucha imapd[2985]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:43 gaucha imapd[2985]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:43 gaucha imapd[2986]: imap service init from 200.255.5.8 -May 7 15:06:43 gaucha imapd[2986]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:43 gaucha imapd[2986]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:43 gaucha imapd[2987]: imap service init from 200.255.5.8 -May 7 15:06:44 gaucha imapd[2987]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:06:44 gaucha imapd[2987]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:07:14 gaucha imapd[2999]: imap service init from 200.255.5.8 -May 7 15:07:14 gaucha imapd[2999]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:07:15 gaucha imapd[2999]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:07:22 gaucha imapd[3001]: imap service init from 200.255.5.8 -May 7 15:07:22 gaucha imapd[3001]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:07:22 gaucha imapd[3001]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:06 gaucha imapd[3166]: imap service init from 200.255.5.8 -May 7 15:09:06 gaucha imapd[3166]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:06 gaucha imapd[3166]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:07 gaucha imapd[3169]: imap service init from 200.255.5.8 -May 7 15:09:07 gaucha imapd[3169]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:07 gaucha imapd[3169]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:26 gaucha imapd[3187]: imap service init from 200.255.5.8 -May 7 15:09:26 gaucha imapd[3187]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:26 gaucha imapd[3187]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:29 gaucha imapd[3188]: imap service init from 200.255.5.8 -May 7 15:09:29 gaucha imapd[3188]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:29 gaucha imapd[3188]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:32 gaucha imapd[3191]: imap service init from 200.255.5.8 -May 7 15:09:32 gaucha imapd[3191]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:09:32 gaucha imapd[3191]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:22 gaucha imapd[3259]: imap service init from 200.255.5.8 -May 7 15:10:22 gaucha imapd[3259]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:22 gaucha imapd[3259]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:31 gaucha imapd[3263]: imap service init from 200.255.5.8 -May 7 15:10:31 gaucha imapd[3263]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:31 gaucha imapd[3263]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:39 gaucha imapd[3273]: imap service init from 200.255.5.8 -May 7 15:10:39 gaucha imapd[3273]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:39 gaucha imapd[3273]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:40 gaucha imapd[3275]: imap service init from 200.255.5.8 -May 7 15:10:40 gaucha imapd[3275]: Authenticated user=leobarroso host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:40 gaucha imapd[3275]: Logout user=leobarroso host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:41 gaucha imapd[3276]: imap service init from 200.255.5.8 -May 7 15:10:41 gaucha imapd[3276]: Authenticated user=leobarroso host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:41 gaucha imapd[3276]: Logout user=leobarroso host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:58 gaucha imapd[3283]: imap service init from 200.255.5.8 -May 7 15:10:58 gaucha imapd[3283]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:59 gaucha imapd[3283]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:59 gaucha imapd[3285]: imap service init from 200.255.5.8 -May 7 15:10:59 gaucha imapd[3285]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:10:59 gaucha imapd[3285]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:11:06 gaucha imapd[3290]: imap service init from 200.255.5.8 -May 7 15:11:06 gaucha imapd[3290]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:11:06 gaucha imapd[3290]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:13:03 gaucha imapd[3386]: imap service init from 200.255.5.8 -May 7 15:13:03 gaucha imapd[3386]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:13:03 gaucha imapd[3386]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8] -May 7 15:14:04 gaucha imapd[3455]: imap service init from 200.255.5.8 -May 7 15:14:04 gaucha imapd[3455]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br -May 9 07:22:56 gaucha imapd[13648]: Logout user=marciabernardes host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:23:45 gaucha imapd[13784]: imap service init from 200.255.5.8 -May 9 07:23:45 gaucha imapd[13784]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:23:45 gaucha imapd[13784]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:23:45 gaucha imapd[13785]: imap service init from 200.255.5.8 -May 9 07:23:45 gaucha imapd[13785]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:23:47 gaucha imapd[13785]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:23:53 gaucha imapd[13795]: imap service init from 200.255.5.8 -May 9 07:23:53 gaucha imapd[13795]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:23:53 gaucha imapd[13795]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:01 gaucha imapd[13816]: imap service init from 200.255.5.8 -May 9 07:24:01 gaucha imapd[13816]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:01 gaucha imapd[13816]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:04 gaucha imapd[13824]: imap service init from 200.255.5.8 -May 9 07:24:04 gaucha imapd[13824]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:04 gaucha imapd[13824]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:06 gaucha imapd[13825]: imap service init from 200.255.5.8 -May 9 07:24:06 gaucha imapd[13825]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:06 gaucha imapd[13825]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:14 gaucha imapd[13897]: imap service init from 200.255.5.8 -May 9 07:24:14 gaucha imapd[13897]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:24:14 gaucha imapd[13897]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:25:46 gaucha imapd[14162]: imap service init from 200.255.5.8 -May 9 07:25:46 gaucha imapd[14162]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:25:46 gaucha imapd[14162]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:25:46 gaucha imapd[14164]: imap service init from 200.255.5.8 -May 9 07:25:46 gaucha imapd[14164]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:25:47 gaucha imapd[14164]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:03 gaucha imapd[14186]: imap service init from 200.255.5.8 -May 9 07:26:03 gaucha imapd[14186]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:03 gaucha imapd[14186]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:04 gaucha imapd[14190]: imap service init from 200.255.5.8 -May 9 07:26:04 gaucha imapd[14190]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:05 gaucha imapd[14190]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:07 gaucha imapd[14249]: imap service init from 200.255.5.8 -May 9 07:26:07 gaucha imapd[14249]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:07 gaucha imapd[14249]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:10 gaucha imapd[14307]: imap service init from 200.255.5.8 -May 9 07:26:10 gaucha imapd[14307]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:10 gaucha imapd[14307]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:13 gaucha imapd[14316]: imap service init from 200.255.5.8 -May 9 07:26:13 gaucha imapd[14316]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:13 gaucha imapd[14316]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:13 gaucha imapd[14318]: imap service init from 200.255.5.8 -May 9 07:26:13 gaucha imapd[14318]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:14 gaucha imapd[14318]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:16 gaucha imapd[14322]: imap service init from 200.255.5.8 -May 9 07:26:16 gaucha imapd[14322]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:16 gaucha imapd[14322]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:46 gaucha imapd[14421]: imap service init from 200.255.5.8 -May 9 07:26:46 gaucha imapd[14421]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:46 gaucha imapd[14421]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:48 gaucha imapd[14422]: imap service init from 200.255.5.8 -May 9 07:26:48 gaucha imapd[14422]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:48 gaucha imapd[14422]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:53 gaucha imapd[14432]: imap service init from 200.255.5.8 -May 9 07:26:53 gaucha imapd[14432]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:26:53 gaucha imapd[14432]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:27:01 gaucha imapd[14452]: imap service init from 200.255.5.8 -May 9 07:27:01 gaucha imapd[14452]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:27:01 gaucha imapd[14452]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:27:07 gaucha imapd[14463]: imap service init from 200.255.5.8 -May 9 07:27:07 gaucha imapd[14463]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:27:07 gaucha imapd[14463]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:27:20 gaucha imapd[14492]: imap service init from 200.255.5.8 -May 9 07:27:20 gaucha imapd[14492]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:27:21 gaucha imapd[14492]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:28:03 gaucha imapd[14618]: imap service init from 200.255.5.8 -May 9 07:28:03 gaucha imapd[14618]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:28:03 gaucha imapd[14618]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:28:18 gaucha imapd[14644]: imap service init from 200.255.5.8 -May 9 07:28:18 gaucha imapd[14644]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:28:18 gaucha imapd[14644]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:28:19 gaucha imapd[14649]: imap service init from 200.255.5.8 -May 9 07:28:19 gaucha imapd[14649]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:28:19 gaucha imapd[14649]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:02 gaucha imapd[15751]: imap service init from 200.255.5.8 -May 9 07:36:02 gaucha imapd[15751]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:02 gaucha imapd[15751]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:03 gaucha imapd[15752]: imap service init from 200.255.5.8 -May 9 07:36:03 gaucha imapd[15752]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:06 gaucha imapd[15752]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:09 gaucha imapd[15763]: imap service init from 200.255.5.8 -May 9 07:36:09 gaucha imapd[15763]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:09 gaucha imapd[15763]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:19 gaucha imapd[15782]: imap service init from 200.255.5.8 -May 9 07:36:19 gaucha imapd[15782]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:19 gaucha imapd[15782]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:33 gaucha imapd[15805]: imap service init from 200.255.5.8 -May 9 07:36:33 gaucha imapd[15805]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:33 gaucha imapd[15805]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:39 gaucha imapd[15811]: imap service init from 200.255.5.8 -May 9 07:36:39 gaucha imapd[15811]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:40 gaucha imapd[15811]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:42 gaucha imapd[15817]: imap service init from 200.255.5.8 -May 9 07:36:42 gaucha imapd[15817]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:36:42 gaucha imapd[15817]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:37:21 gaucha imapd[15954]: imap service init from 200.255.5.8 -May 9 07:37:21 gaucha imapd[15954]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:37:21 gaucha imapd[15954]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:00 gaucha imapd[16051]: imap service init from 200.255.5.8 -May 9 07:38:00 gaucha imapd[16051]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:01 gaucha imapd[16051]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:01 gaucha imapd[16053]: imap service init from 200.255.5.8 -May 9 07:38:01 gaucha imapd[16053]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:01 gaucha imapd[16053]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:14 gaucha imapd[16081]: imap service init from 200.255.5.8 -May 9 07:38:14 gaucha imapd[16081]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:14 gaucha imapd[16081]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:17 gaucha imapd[16139]: imap service init from 200.255.5.8 -May 9 07:38:17 gaucha imapd[16139]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:17 gaucha imapd[16139]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:19 gaucha imapd[16151]: imap service init from 200.255.5.8 -May 9 07:38:19 gaucha imapd[16151]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:19 gaucha imapd[16151]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:22 gaucha imapd[16207]: imap service init from 200.255.5.8 -May 9 07:38:22 gaucha imapd[16207]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:22 gaucha imapd[16207]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:31 gaucha imapd[16229]: imap service init from 200.255.5.8 -May 9 07:38:31 gaucha imapd[16229]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:31 gaucha imapd[16229]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:33 gaucha imapd[16237]: imap service init from 200.255.5.8 -May 9 07:38:33 gaucha imapd[16237]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:33 gaucha imapd[16237]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:36 gaucha imapd[16240]: imap service init from 200.255.5.8 -May 9 07:38:36 gaucha imapd[16240]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:36 gaucha imapd[16240]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:48 gaucha imapd[16260]: imap service init from 200.255.5.8 -May 9 07:38:48 gaucha imapd[16260]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:48 gaucha imapd[16260]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:54 gaucha imapd[16277]: imap service init from 200.255.5.8 -May 9 07:38:54 gaucha imapd[16277]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:54 gaucha imapd[16277]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:58 gaucha imapd[16286]: imap service init from 200.255.5.8 -May 9 07:38:58 gaucha imapd[16286]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:38:58 gaucha imapd[16286]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:05 gaucha imapd[16297]: imap service init from 200.255.5.8 -May 9 07:39:05 gaucha imapd[16297]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:05 gaucha imapd[16297]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:07 gaucha imapd[16301]: imap service init from 200.255.5.8 -May 9 07:39:07 gaucha imapd[16301]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:07 gaucha imapd[16301]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:08 gaucha imapd[16302]: imap service init from 200.255.5.8 -May 9 07:39:08 gaucha imapd[16302]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:09 gaucha imapd[16302]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:10 gaucha imapd[16304]: imap service init from 200.255.5.8 -May 9 07:39:10 gaucha imapd[16304]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:10 gaucha imapd[16304]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:16 gaucha imapd[16315]: imap service init from 200.255.5.8 -May 9 07:39:16 gaucha imapd[16315]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:16 gaucha imapd[16315]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:51 gaucha imapd[16397]: imap service init from 200.255.5.8 -May 9 07:39:51 gaucha imapd[16397]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:51 gaucha imapd[16397]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:54 gaucha imapd[16404]: imap service init from 200.255.5.8 -May 9 07:39:54 gaucha imapd[16404]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:39:54 gaucha imapd[16404]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:40:20 gaucha imapd[16514]: imap service init from 200.255.5.8 -May 9 07:40:20 gaucha imapd[16514]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:40:20 gaucha imapd[16514]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:40:22 gaucha imapd[16524]: imap service init from 200.255.5.8 -May 9 07:40:22 gaucha imapd[16524]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:40:22 gaucha imapd[16524]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:40:45 gaucha imapd[16638]: imap service init from 200.255.5.8 -May 9 07:40:45 gaucha imapd[16638]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:40:45 gaucha imapd[16638]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:11 gaucha imapd[16683]: imap service init from 200.255.5.8 -May 9 07:41:11 gaucha imapd[16683]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:11 gaucha imapd[16683]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:21 gaucha imapd[16703]: imap service init from 200.255.5.8 -May 9 07:41:21 gaucha imapd[16703]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:21 gaucha imapd[16703]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:24 gaucha imapd[16713]: imap service init from 200.255.5.8 -May 9 07:41:24 gaucha imapd[16713]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:28 gaucha imapd[16713]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:40 gaucha imapd[16789]: imap service init from 200.255.5.8 -May 9 07:41:40 gaucha imapd[16789]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:40 gaucha imapd[16789]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:57 gaucha imapd[16821]: imap service init from 200.255.5.8 -May 9 07:41:57 gaucha imapd[16821]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:41:58 gaucha imapd[16821]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:21 gaucha imapd[16892]: imap service init from 200.255.5.8 -May 9 07:42:21 gaucha imapd[16892]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:21 gaucha imapd[16892]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:22 gaucha imapd[16897]: imap service init from 200.255.5.8 -May 9 07:42:22 gaucha imapd[16897]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:22 gaucha imapd[16897]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:28 gaucha imapd[16900]: imap service init from 200.255.5.8 -May 9 07:42:28 gaucha imapd[16900]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:28 gaucha imapd[16900]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:51 gaucha imapd[16993]: imap service init from 200.255.5.8 -May 9 07:42:51 gaucha imapd[16993]: Authenticated user=bedan host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:51 gaucha imapd[16993]: Logout user=bedan host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:42:58 gaucha imapd[17002]: imap service init from 200.255.5.8 -May 9 07:42:58 gaucha imapd[17002]: Authenticated user=bedan host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:43:04 gaucha imapd[17002]: Logout user=bedan host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:43:56 gaucha imapd[17079]: imap service init from 200.255.5.8 -May 9 07:43:56 gaucha imapd[17079]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:43:57 gaucha imapd[17079]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:00 gaucha imapd[17086]: imap service init from 200.255.5.8 -May 9 07:44:00 gaucha imapd[17086]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:01 gaucha imapd[17086]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:08 gaucha imapd[17152]: imap service init from 200.255.5.8 -May 9 07:44:09 gaucha imapd[17152]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:09 gaucha imapd[17152]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:14 gaucha imapd[17161]: imap service init from 200.255.5.8 -May 9 07:44:14 gaucha imapd[17161]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:14 gaucha imapd[17161]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:41 gaucha imapd[17217]: imap service init from 200.255.5.8 -May 9 07:44:41 gaucha imapd[17217]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:44:41 gaucha imapd[17217]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:00 gaucha imapd[17263]: imap service init from 200.255.5.8 -May 9 07:45:00 gaucha imapd[17263]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:01 gaucha imapd[17263]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:21 gaucha imapd[17329]: imap service init from 200.255.5.8 -May 9 07:45:21 gaucha imapd[17329]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:22 gaucha imapd[17329]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:26 gaucha imapd[17405]: imap service init from 200.255.5.8 -May 9 07:45:29 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:32 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:35 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:35 gaucha imapd[17405]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:39 gaucha imapd[17480]: imap service init from 200.255.5.8 -May 9 07:45:42 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:45 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:48 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:48 gaucha imapd[17480]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:48 gaucha imapd[17488]: imap service init from 200.255.5.8 -May 9 07:45:48 gaucha imapd[17488]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:48 gaucha imapd[17488]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:49 gaucha imapd[17489]: imap service init from 200.255.5.8 -May 9 07:45:49 gaucha imapd[17489]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:49 gaucha imapd[17490]: imap service init from 200.255.5.8 -May 9 07:45:49 gaucha imapd[17490]: Authenticated user=carolduarte host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:49 gaucha imapd[17490]: Logout user=carolduarte host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:49 gaucha imapd[17489]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:49 gaucha imapd[17491]: imap service init from 200.255.5.8 -May 9 07:45:49 gaucha imapd[17491]: Authenticated user=carolduarte host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:52 gaucha imapd[17494]: imap service init from 200.255.5.8 -May 9 07:45:52 gaucha imapd[17494]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:53 gaucha imapd[17494]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:45:59 gaucha imapd[17549]: imap service init from 200.255.5.8 -May 9 07:45:59 gaucha imapd[17549]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:46:00 gaucha imapd[17549]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:46:12 gaucha imapd[17575]: imap service init from 200.255.5.8 -May 9 07:46:12 gaucha imapd[17575]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:46:12 gaucha imapd[17575]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:46:14 gaucha imapd[17577]: imap service init from 200.255.5.8 -May 9 07:46:14 gaucha imapd[17577]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:46:15 gaucha imapd[17577]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:47:09 gaucha imapd[17491]: Command stream end of file, while reading line user=carolduarte host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:48 gaucha imapd[17978]: imap service init from 200.255.5.8 -May 9 07:48:48 gaucha imapd[17978]: Authenticated user=wald-meister host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:48 gaucha imapd[17978]: Logout user=wald-meister host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:48 gaucha imapd[17979]: imap service init from 200.255.5.8 -May 9 07:48:48 gaucha imapd[17979]: Authenticated user=wald-meister host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:48 gaucha imapd[17979]: Logout user=wald-meister host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:54 gaucha imapd[17985]: imap service init from 200.255.5.8 -May 9 07:48:54 gaucha imapd[17985]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:54 gaucha imapd[17985]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:55 gaucha imapd[17986]: imap service init from 200.255.5.8 -May 9 07:48:55 gaucha imapd[17986]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:48:58 gaucha imapd[17986]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:13 gaucha imapd[18022]: imap service init from 200.255.5.8 -May 9 07:49:13 gaucha imapd[18022]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:13 gaucha imapd[18022]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:17 gaucha imapd[18076]: imap service init from 200.255.5.8 -May 9 07:49:17 gaucha imapd[18076]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:17 gaucha imapd[18076]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:23 gaucha imapd[18094]: imap service init from 200.255.5.8 -May 9 07:49:23 gaucha imapd[18094]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:23 gaucha imapd[18094]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:33 gaucha imapd[18164]: imap service init from 200.255.5.8 -May 9 07:49:33 gaucha imapd[18164]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:33 gaucha imapd[18164]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:39 gaucha imapd[18191]: imap service init from 200.255.5.8 -May 9 07:49:39 gaucha imapd[18191]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:40 gaucha imapd[18191]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:42 gaucha imapd[18199]: imap service init from 200.255.5.8 -May 9 07:49:42 gaucha imapd[18199]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:42 gaucha imapd[18199]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:47 gaucha imapd[18225]: imap service init from 200.255.5.8 -May 9 07:49:47 gaucha imapd[18225]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:49:47 gaucha imapd[18225]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:02 gaucha imapd[18304]: imap service init from 200.255.5.8 -May 9 07:50:02 gaucha imapd[18304]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:02 gaucha imapd[18304]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:05 gaucha imapd[18319]: imap service init from 200.255.5.8 -May 9 07:50:05 gaucha imapd[18319]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:05 gaucha imapd[18319]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:10 gaucha imapd[18350]: imap service init from 200.255.5.8 -May 9 07:50:10 gaucha imapd[18350]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:10 gaucha imapd[18350]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:13 gaucha imapd[18411]: imap service init from 200.255.5.8 -May 9 07:50:13 gaucha imapd[18411]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:13 gaucha imapd[18411]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:16 gaucha imapd[18420]: imap service init from 200.255.5.8 -May 9 07:50:16 gaucha imapd[18420]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:16 gaucha imapd[18420]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:33 gaucha imapd[18508]: imap service init from 200.255.5.8 -May 9 07:50:33 gaucha imapd[18508]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:33 gaucha imapd[18508]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:38 gaucha imapd[18527]: imap service init from 200.255.5.8 -May 9 07:50:38 gaucha imapd[18527]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:38 gaucha imapd[18527]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:57 gaucha imapd[18626]: imap service init from 200.255.5.8 -May 9 07:50:57 gaucha imapd[18626]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:50:57 gaucha imapd[18626]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:04 gaucha imapd[18650]: imap service init from 200.255.5.8 -May 9 07:51:04 gaucha imapd[18650]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:05 gaucha imapd[18650]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:07 gaucha imapd[18670]: imap service init from 200.255.5.8 -May 9 07:51:07 gaucha imapd[18670]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:07 gaucha imapd[18670]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:15 gaucha imapd[18708]: imap service init from 200.255.5.8 -May 9 07:51:15 gaucha imapd[18708]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:15 gaucha imapd[18708]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:57 gaucha imapd[18897]: imap service init from 200.255.5.8 -May 9 07:51:58 gaucha imapd[18897]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:51:58 gaucha imapd[18897]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:52:14 gaucha imapd[18968]: imap service init from 200.255.5.8 -May 9 07:52:14 gaucha imapd[18968]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:52:15 gaucha imapd[18968]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:52:17 gaucha imapd[18986]: imap service init from 200.255.5.8 -May 9 07:52:17 gaucha imapd[18986]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:52:17 gaucha imapd[18986]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:53:53 gaucha imapd[19553]: imap service init from 200.255.5.8 -May 9 07:53:53 gaucha imapd[19553]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:53:53 gaucha imapd[19553]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:53:54 gaucha imapd[19558]: imap service init from 200.255.5.8 -May 9 07:53:54 gaucha imapd[19558]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:53:54 gaucha imapd[19558]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:54:24 gaucha imapd[19699]: imap service init from 200.255.5.8 -May 9 07:54:24 gaucha imapd[19699]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:54:24 gaucha imapd[19699]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:54:29 gaucha imapd[19724]: imap service init from 200.255.5.8 -May 9 07:54:29 gaucha imapd[19724]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:54:29 gaucha imapd[19724]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:54:33 gaucha imapd[19747]: imap service init from 200.255.5.8 -May 9 07:54:33 gaucha imapd[19747]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:54:33 gaucha imapd[19747]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:55:07 gaucha imapd[20068]: imap service init from 200.255.5.8 -May 9 07:55:07 gaucha imapd[20068]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:55:07 gaucha imapd[20068]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:55:19 gaucha imapd[20104]: imap service init from 200.255.5.8 -May 9 07:55:19 gaucha imapd[20104]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:55:19 gaucha imapd[20104]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:55:19 gaucha imapd[20105]: imap service init from 200.255.5.8 -May 9 07:55:19 gaucha imapd[20105]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:55:27 gaucha imapd[20105]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:56:24 gaucha imapd[20542]: imap service init from 200.255.5.8 -May 9 07:56:24 gaucha imapd[20542]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:56:24 gaucha imapd[20542]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:06 gaucha imapd[20981]: imap service init from 200.255.5.8 -May 9 07:59:06 gaucha imapd[20981]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:06 gaucha imapd[20981]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:06 gaucha imapd[20982]: imap service init from 200.255.5.8 -May 9 07:59:06 gaucha imapd[20982]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:09 gaucha imapd[20982]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:43 gaucha imapd[21049]: imap service init from 200.255.5.8 -May 9 07:59:43 gaucha imapd[21049]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:43 gaucha imapd[21049]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:43 gaucha imapd[21050]: imap service init from 200.255.5.8 -May 9 07:59:43 gaucha imapd[21050]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 07:59:43 gaucha imapd[21050]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:21 gaucha imapd[21262]: imap service init from 200.255.5.8 -May 9 08:00:21 gaucha imapd[21262]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:21 gaucha imapd[21262]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:23 gaucha imapd[21271]: imap service init from 200.255.5.8 -May 9 08:00:23 gaucha imapd[21271]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:23 gaucha imapd[21271]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:37 gaucha imapd[21282]: imap service init from 200.255.5.8 -May 9 08:00:37 gaucha imapd[21282]: Authenticated user=bgr host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:37 gaucha imapd[21282]: Logout user=bgr host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:38 gaucha imapd[21283]: imap service init from 200.255.5.8 -May 9 08:00:38 gaucha imapd[21283]: Authenticated user=bgr host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:38 gaucha imapd[21283]: Logout user=bgr host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:58 gaucha imapd[21362]: imap service init from 200.255.5.8 -May 9 08:00:58 gaucha imapd[21362]: Authenticated user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:58 gaucha imapd[21362]: Logout user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:58 gaucha imapd[21363]: imap service init from 200.255.5.8 -May 9 08:00:58 gaucha imapd[21363]: Authenticated user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:00:58 gaucha imapd[21363]: Logout user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:28 gaucha imapd[21427]: imap service init from 200.255.5.8 -May 9 08:01:28 gaucha imapd[21427]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:28 gaucha imapd[21427]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:43 gaucha imapd[21459]: imap service init from 200.255.5.8 -May 9 08:01:43 gaucha imapd[21459]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:43 gaucha imapd[21459]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:44 gaucha imapd[21460]: imap service init from 200.255.5.8 -May 9 08:01:44 gaucha imapd[21460]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:44 gaucha imapd[21460]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:46 gaucha imapd[21462]: imap service init from 200.255.5.8 -May 9 08:01:46 gaucha imapd[21462]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:01:47 gaucha imapd[21462]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:02:03 gaucha imapd[21486]: imap service init from 200.255.5.8 -May 9 08:02:03 gaucha imapd[21486]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:02:04 gaucha imapd[21486]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:02:05 gaucha imapd[21491]: imap service init from 200.255.5.8 -May 9 08:02:05 gaucha imapd[21491]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:02:06 gaucha imapd[21491]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:01 gaucha imapd[21603]: imap service init from 200.255.5.8 -May 9 08:03:01 gaucha imapd[21603]: Authenticated user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:01 gaucha imapd[21603]: Logout user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:02 gaucha imapd[21610]: imap service init from 200.255.5.8 -May 9 08:03:02 gaucha imapd[21610]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:02 gaucha imapd[21610]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:02 gaucha imapd[21611]: imap service init from 200.255.5.8 -May 9 08:03:02 gaucha imapd[21611]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:04 gaucha imapd[21611]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:05 gaucha imapd[21615]: imap service init from 200.255.5.8 -May 9 08:03:06 gaucha imapd[21615]: Authenticated user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:06 gaucha imapd[21615]: Logout user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:10 gaucha imapd[21620]: imap service init from 200.255.5.8 -May 9 08:03:10 gaucha imapd[21620]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:10 gaucha imapd[21620]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:13 gaucha imapd[21632]: imap service init from 200.255.5.8 -May 9 08:03:13 gaucha imapd[21632]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:13 gaucha imapd[21632]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:28 gaucha imapd[21652]: imap service init from 200.255.5.8 -May 9 08:03:28 gaucha imapd[21652]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:28 gaucha imapd[21652]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:31 gaucha imapd[21658]: imap service init from 200.255.5.8 -May 9 08:03:31 gaucha imapd[21658]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:31 gaucha imapd[21658]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:44 gaucha imapd[21671]: imap service init from 200.255.5.8 -May 9 08:03:44 gaucha imapd[21671]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:44 gaucha imapd[21671]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:55 gaucha imapd[21693]: imap service init from 200.255.5.8 -May 9 08:03:55 gaucha imapd[21693]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:56 gaucha imapd[21693]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:59 gaucha imapd[21695]: imap service init from 200.255.5.8 -May 9 08:03:59 gaucha imapd[21695]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:03:59 gaucha imapd[21695]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:01 gaucha imapd[21699]: imap service init from 200.255.5.8 -May 9 08:04:01 gaucha imapd[21699]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:01 gaucha imapd[21699]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:19 gaucha imapd[21725]: imap service init from 200.255.5.8 -May 9 08:04:19 gaucha imapd[21725]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:19 gaucha imapd[21725]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:23 gaucha imapd[21735]: imap service init from 200.255.5.8 -May 9 08:04:23 gaucha imapd[21735]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:23 gaucha imapd[21735]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:26 gaucha imapd[21743]: imap service init from 200.255.5.8 -May 9 08:04:26 gaucha imapd[21743]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:26 gaucha imapd[21743]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:32 gaucha imapd[21749]: imap service init from 200.255.5.8 -May 9 08:04:32 gaucha imapd[21749]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:46 gaucha imapd[21749]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:55 gaucha imapd[21881]: imap service init from 200.255.5.8 -May 9 08:04:55 gaucha imapd[21881]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:56 gaucha imapd[21881]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:58 gaucha imapd[21940]: imap service init from 200.255.5.8 -May 9 08:04:58 gaucha imapd[21940]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:04:58 gaucha imapd[21940]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:01 gaucha imapd[21947]: imap service init from 200.255.5.8 -May 9 08:05:01 gaucha imapd[21947]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:01 gaucha imapd[21947]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:05 gaucha imapd[21964]: imap service init from 200.255.5.8 -May 9 08:05:05 gaucha imapd[21964]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:05 gaucha imapd[21964]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:18 gaucha imapd[22030]: imap service init from 200.255.5.8 -May 9 08:05:18 gaucha imapd[22030]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:18 gaucha imapd[22030]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:21 gaucha imapd[22038]: imap service init from 200.255.5.8 -May 9 08:05:21 gaucha imapd[22038]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:22 gaucha imapd[22038]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:24 gaucha imapd[22040]: imap service init from 200.255.5.8 -May 9 08:05:24 gaucha imapd[22040]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:24 gaucha imapd[22040]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:35 gaucha imapd[22057]: imap service init from 200.255.5.8 -May 9 08:05:35 gaucha imapd[22057]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:35 gaucha imapd[22057]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:37 gaucha imapd[22062]: imap service init from 200.255.5.8 -May 9 08:05:37 gaucha imapd[22062]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:37 gaucha imapd[22062]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:40 gaucha imapd[22067]: imap service init from 200.255.5.8 -May 9 08:05:40 gaucha imapd[22067]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:40 gaucha imapd[22067]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:55 gaucha imapd[22140]: imap service init from 200.255.5.8 -May 9 08:05:55 gaucha imapd[22140]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:05:56 gaucha imapd[22140]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:13 gaucha imapd[22167]: imap service init from 200.255.5.8 -May 9 08:06:13 gaucha imapd[22167]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:13 gaucha imapd[22167]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:18 gaucha imapd[22176]: imap service init from 200.255.5.8 -May 9 08:06:18 gaucha imapd[22176]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:18 gaucha imapd[22176]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:31 gaucha imapd[22209]: imap service init from 200.255.5.8 -May 9 08:06:31 gaucha imapd[22209]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:31 gaucha imapd[22209]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:31 gaucha imapd[22212]: imap service init from 200.255.5.8 -May 9 08:06:31 gaucha imapd[22212]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:06:43 gaucha imapd[22212]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:32 gaucha imapd[22350]: imap service init from 200.255.5.8 -May 9 08:07:32 gaucha imapd[22350]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:33 gaucha imapd[22350]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:36 gaucha imapd[22355]: imap service init from 200.255.5.8 -May 9 08:07:36 gaucha imapd[22355]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:36 gaucha imapd[22355]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:48 gaucha imapd[22382]: imap service init from 200.255.5.8 -May 9 08:07:48 gaucha imapd[22382]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:48 gaucha imapd[22382]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:48 gaucha imapd[22387]: imap service init from 200.255.5.8 -May 9 08:07:48 gaucha imapd[22387]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:48 gaucha imapd[22387]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:51 gaucha imapd[22395]: imap service init from 200.255.5.8 -May 9 08:07:51 gaucha imapd[22395]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:51 gaucha imapd[22395]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:55 gaucha imapd[22401]: imap service init from 200.255.5.8 -May 9 08:07:55 gaucha imapd[22401]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:55 gaucha imapd[22401]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:58 gaucha imapd[22409]: imap service init from 200.255.5.8 -May 9 08:07:58 gaucha imapd[22409]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:07:58 gaucha imapd[22409]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:08:00 gaucha imapd[22417]: imap service init from 200.255.5.8 -May 9 08:08:00 gaucha imapd[22417]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:08:00 gaucha imapd[22417]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:08:09 gaucha imapd[22427]: imap service init from 200.255.5.8 -May 9 08:08:10 gaucha imapd[22427]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:08:10 gaucha imapd[22427]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:08:55 gaucha imapd[22498]: imap service init from 200.255.5.8 -May 9 08:08:55 gaucha imapd[22498]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:08:55 gaucha imapd[22498]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:08:58 gaucha imapd[22502]: imap service init from 200.255.5.8 -May 9 08:08:58 gaucha imapd[22502]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:04 gaucha imapd[22502]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:12 gaucha imapd[22530]: imap service init from 200.255.5.8 -May 9 08:09:12 gaucha imapd[22530]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:13 gaucha imapd[22530]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:14 gaucha imapd[22539]: imap service init from 200.255.5.8 -May 9 08:09:14 gaucha imapd[22539]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:15 gaucha imapd[22539]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:19 gaucha imapd[22600]: imap service init from 200.255.5.8 -May 9 08:09:19 gaucha imapd[22600]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:19 gaucha imapd[22600]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:24 gaucha imapd[22604]: imap service init from 200.255.5.8 -May 9 08:09:24 gaucha imapd[22604]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:24 gaucha imapd[22604]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:25 gaucha imapd[22606]: imap service init from 200.255.5.8 -May 9 08:09:25 gaucha imapd[22606]: Authenticated user=fonterra host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:26 gaucha imapd[22606]: Logout user=fonterra host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:26 gaucha imapd[22608]: imap service init from 200.255.5.8 -May 9 08:09:26 gaucha imapd[22608]: Authenticated user=fonterra host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:27 gaucha imapd[22608]: Logout user=fonterra host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:51 gaucha imapd[22633]: imap service init from 200.255.5.8 -May 9 08:09:51 gaucha imapd[22633]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:52 gaucha imapd[22633]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:58 gaucha imapd[22650]: imap service init from 200.255.5.8 -May 9 08:09:58 gaucha imapd[22650]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:09:58 gaucha imapd[22650]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:17 gaucha imapd[22800]: imap service init from 200.255.5.8 -May 9 08:10:17 gaucha imapd[22800]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:17 gaucha imapd[22800]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:18 gaucha imapd[22801]: imap service init from 200.255.5.8 -May 9 08:10:18 gaucha imapd[22801]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:18 gaucha imapd[22801]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:19 gaucha imapd[22805]: imap service init from 200.255.5.8 -May 9 08:10:19 gaucha imapd[22805]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:20 gaucha imapd[22805]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:30 gaucha imapd[22825]: imap service init from 200.255.5.8 -May 9 08:10:30 gaucha imapd[22825]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:30 gaucha imapd[22825]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:38 gaucha imapd[22836]: imap service init from 200.255.5.8 -May 9 08:10:38 gaucha imapd[22836]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:10:38 gaucha imapd[22836]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8] -May 9 08:11:00 gaucha imapd[22914]: imap service init from 200.255.5.8 -May 9 08:11:00 gaucha imapd[22914]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8] diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/kernel b/debian/ossec-hids/var/ossec/rules/log-entries/kernel deleted file mode 100644 index 82fda3d..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/kernel +++ /dev/null @@ -1 +0,0 @@ -kernel: tcp_parse_options: Illegal window scaling value 200 >14 received. diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/mail-alerts b/debian/ossec-hids/var/ossec/rules/log-entries/mail-alerts deleted file mode 100644 index 6ed765a..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/mail-alerts +++ /dev/null @@ -1,63 +0,0 @@ -OSSEC HIDS Notification. -2006 May 25 17:07:58 - -Received From: (gaucha) 200.255.5.5->/var/log/maillog -Rule: 6254 fired (level 10) -> "Multiple attempts to send e-mail from invalid/unkonown sender domain.'" -Portion of the log(s): - -sm-mta[20900]: k4PK8NYf020900: ruleset=check_mail, arg1=, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 ... Domain of sender address brbomaquinas@brbom.com does not exist -sm-mta[20881]: k4PK8FOQ020881: ruleset=check_mail, arg1=, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 ... Domain of sender address brbomaquinas@brbom.com does not exist -sm-mta[20867]: k4PK86E0020867: ruleset=check_mail, arg1=, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 ... Domain of sender address brbomaquinas@brbom.com does not exist - - - - -OSSEC HIDS Notification. -2006 May 25 16:40:15 - -Received From: (gaucha) 200.255.5.5->/var/log/maillog -Rule: 6253 fired (level 10) -> "Multiple relaying attempts for spam.'" -Portion of the log(s): - -sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [200.207.91.189] -sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [200.207.91.189] -sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [200.207.91.189] - - - - --END OF NOTIFICATION - - - -OSSEC HIDS Notification. -2006 May 24 20:25:21 - -Received From: (gaucha) 200.255.5.5->/var/log/maillog -Rule: 6253 fired (level 10) -> "Multiple relaying attempts for spam.'" -Portion of the log(s): - -sm-mta[22707]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org -sm-mta[22675]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org -sm-mta[22653]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org -sm-mta[22625]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org - - - - -OSSEC HIDS Notification. -2006 May 25 03:13:08 - -Received From: (gaucha) 200.255.5.5->/var/log/maillog -Rule: 6253 fired (level 10) -> "Multiple relaying attempts for spam.'" -Portion of the log(s): - -sm-mta[21399]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org -sm-mta[21392]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org -sm-mta[21377]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org -sm-mta[21373]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org - - - - --END OF NOTIFICATION - - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/mail-errors b/debian/ossec-hids/var/ossec/rules/log-entries/mail-errors deleted file mode 100644 index c9d888d..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/mail-errors +++ /dev/null @@ -1,32 +0,0 @@ -pop3d: authentication error: Input/output error -pop3d: authentication error: Input/output error -postfix/postfix-script: fatal: the Postfix mail system is not running -postfix/postfix-script: fatal: the Postfix mail system is not running - -OSSEC HIDS Notification. -2006 May 25 03:50:36 - -Received From: /var/log/maillog -Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'" -Portion of the log(s): - - postfix/smtp[8909]: 774C14AEF2: to=, relay=127.0.0.1[127.0.0.1], delay=423, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 Local Error (in reply to end of DATA command)) - - - - --END OF NOTIFICATION - - -OSSEC HIDS Notification. -2006 May 25 03:32:34 - -Received From: /var/log/maillog -Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'" -Portion of the log(s): - -scorpion postfix/smtp[9144]: connect to rmailb2.walla.co.il[192.118.82.145]: Connection refused (port 25) - - - - --END OF NOTIFICATION - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/ns1 b/debian/ossec-hids/var/ossec/rules/log-entries/ns1 deleted file mode 100644 index 10e61b4..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/ns1 +++ /dev/null @@ -1,11 +0,0 @@ -> 1:Nov 30 18:01:53 xx.xx.xx.xx ns204: NetScreen device_id=ns204 -> [Root]system-critical-00027: 2nd push has been confirmed. (2005-11-30 -> 17:56:44) -> -> 2:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204 -> [Root]system-critical-00027: Configuration Erase sequence accepted, -> unit reset. (2005-11-30 17:56:50) -> -> 3:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204 -> [Root]system-notification-00033: NSM keys were deleted. (2005-11-30 -> 17:56:50) diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/proftpd b/debian/ossec-hids/var/ossec/rules/log-entries/proftpd deleted file mode 100644 index 477c6fc..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/proftpd +++ /dev/null @@ -1,68 +0,0 @@ -May 21 20:20:44 slacker proftpd[25526] slacker.lab.ossec.net: ProFTPD 1.2.10 (stable) (built Tue Aug 2 22:33:07 PDT 2005) standalone mode STARTUP -May 21 20:21:18 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened. -May 21 20:21:21 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): no such user 'a' -May 21 20:21:21 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER a: no such user found from 192.168.2.10 [192.168.2.10] to 192.168.2.32:21 -May 21 20:22:14 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed. -May 21 20:22:15 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened. -May 21 20:22:28 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER dcid: Login successful. -May 21 20:22:35 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed. -May 21 20:22:42 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened. -May 21 20:22:44 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER dcid (Login failed): Incorrect password. -May 21 20:22:46 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed. - -May 30 14:41:52 valhalla proftpd[11727]: valhalla.ahmetozturk.name.tr (85.103.201.222[85.103.201.222]) - unable to find open port in PassivePorts range 65532-65533: defaulting to INPORT_ANY -May 30 15:39:27 valhalla proftpd[13464]: valhalla.ahmetozturk.name.tr (212.156.175.130[212.156.175.130]) - unable to find open port in PassivePorts range 65532-65533: defaulting to INPORT_ANY - - -May 29 18:49:42 valhalla proftpd[16661]: valhalla.ahmetozturk.name.tr (85.103.107.214[85.103.107.214]) - Refused PORT 192,168,1,33,4,83 (address mismatch) -May 31 13:11:38 valhalla proftpd[10486]: valhalla.ahmetozturk.name.tr (85.102.240.252[85.102.240.252]) - Refused PORT 10,0,65,23,19,139 (address mismatch) - - -Jun 1 11:51:24 valhalla proftpd[7301]: valhalla.ahmetozturk.name.tr (81.215.6.178[81.215.6.178]) - Maximum login attempts (3) exceeded -Jun 1 11:51:24 valhalla proftpd[7301]: valhalla.ahmetozturk.name.tr (81.215.6.178[81.215.6.178]) - Maximum login attempts (3) exceeded - - - -May 29 11:27:28 hayaletgemi proftpd[4874]: warning: host name/name mismatch: www.ahmetozturk.name.tr != nil.alannim.com -Jun 3 07:48:10 hayaletgemi proftpd[1026]: warning: host name/address mismatch: 216.117.134.168 != nameservices.net - - -Jun 2 15:07:14 hayaletgemi proftpd[458988]: warning: can't verify hostname: gethostbyname(designstudio) failed -Jun 3 15:35:28 hayaletgemi proftpd[696376]: warning: can't verify hostname: gethostbyname(dsl.dynamic859612386.ttnet.net.tr) failed - - - -May 30 17:06:40 queen proftpd[1769554]: connect from 212.146.159.45 -May 30 21:46:50 queen proftpd[2142266]: connect from 88.224.90.235 - - -May 30 21:04:35 valhalla proftpd[22104]: valhalla.ahmetozturk.name.tr (85.97.67.160[85.97.67.160]) - FTP no transfer timeout, disconnected -May 30 22:53:09 valhalla proftpd[24395]: valhalla.ahmetozturk.name.tr (88.240.52.97[88.240.52.97]) - FTP no transfer timeout, disconnected - - -May 31 06:50:39 valhalla proftpd[345]: valhalla.ahmetozturk.name.tr (217.20.94.150[217.20.94.150]) - FTP login timed out, disconnected -May 31 15:13:38 valhalla proftpd[14273]: valhalla.ahmetozturk.name.tr (85.104.215.80[85.104.215.80]) - FTP login timed out, disconnected - - - -May 31 11:26:23 valhalla proftpd[6399]: valhalla.ahmetozturk.name.tr (88.226.116.196[88.226.116.196]) - FTP session idle timeout, disconnected. -May 31 13:10:54 valhalla proftpd[8987]: valhalla.ahmetozturk.name.tr (85.104.215.80[85.104.215.80]) - FTP session idle timeout, disconnected. - - -May 30 13:44:57 valhalla proftpd[8521]: valhalla.ahmetozturk.name.tr (84.134.231.103[84.134.231.103]) - Data transfer stall timeout: 3600 seconds -Jun 3 08:24:13 valhalla proftpd[24038]: valhalla.ahmetozturk.name.tr (85.104.252.16[85.104.252.16]) - Data transfer stall timeout: 3600 seconds - - -May 29 15:13:37 whale proftpd[4555]: whale.ahmetozturk.name.tr (dsl85-105-3059.ttnet.net.tr[85.105.10.139]) - ProFTPD terminating (signal 11) -May 29 15:13:53 whale proftpd[4592]: whale.ahmetozturk.name.tr (dsl85-105-3059.ttnet.net.tr[85.105.10.139]) - ProFTPD terminating (signal 11) - - -May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 10 entries to 20 entries -May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 20 entries to 40 entries -May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 40 entries to 80 entries -May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 80 entries to 160 entries -May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 160 entries to 320 entries - - -May 30 16:22:39 whale proftpd[25749]: whale.ahmetozturk.name.tr (adsl85-105-30850.tt.net.tr[85.105.10.222]) - listen() failed in inet_listen(): Address already in use -May 31 13:21:13 whale proftpd[15942]: whale.ahmetozturk.name.tr (adsl85-105-30850.tt.net.tr[85.105.10.222]) - listen() failed in inet_listen(): Address already in use diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/smbd b/debian/ossec-hids/var/ossec/rules/log-entries/smbd deleted file mode 100644 index 1170bed..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/smbd +++ /dev/null @@ -1,9 +0,0 @@ -smbd[12252]: getpeername failed. Error was Transport endpoint is not connected -smbd[12252]: Denied connection from (0.0.0.0) -smbd[12252]: getpeername failed. Error was Transport endpoint is not connected -smbd[12252]: Connection denied from 0.0.0.0 -smbd[12252]: write_socket_data: write failure. Error = Connection reset by peer -smbd[12252]: write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection reset by peer -smbd[12252]: Error writing 5 bytes to client. -1. (Connection reset by peer) -May 31 15:54:18 homesmbsrv smbd[124]: Permission denied-- user not allowed to delete, pause, or resume print job. User name: oahmet. Printer name: prnq1. - diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/spamd b/debian/ossec-hids/var/ossec/rules/log-entries/spamd deleted file mode 100644 index 3fb6d88..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/spamd +++ /dev/null @@ -1,19 +0,0 @@ -A clean mail: - -Mar 19 08:21:13 h780152 spamd[11565]: connection from localhost [127.0.0.1] at port 49144 -Mar 19 08:21:13 h780152 spamd[11565]: checking message <20060318231614.f9991a2d.johnxj@comcast.net> for root:98. -Mar 19 08:21:14 h780152 spamd[11565]: clean message (0.0/6.0) for root:98 in 1.6 seconds, 3347 bytes. -Mar 19 08:21:14 h780152 spamd[11565]: result: . 0 - AWL,FORGED_RCVD_HELO scantime=1.6,size=3347,mid=<20060318231614.f9991a2d.johnxj@comcast.net>,autolearn=ham -Mar 19 08:21:14 h780152 qmail-scanner[25042]: Clear:RC:0(217.72.192.234):SA:0(0.0/6.0): 1.681359 3302 sylpheed-admin@good-day.net peter@ifup.de [sylpheed:27685]_Sync_two_copies_of_Sylpheed <20060318231614.f9991a2d.johnxj@comcast.net> 1142752873.25044-0.ifup.de:898 - - -and a recognized spam: - -Mar 19 08:36:33 h780152 spamd[18424]: connection from localhost [127.0.0.1] at port 49145 -Mar 19 08:36:33 h780152 spamd[18424]: checking message <3388717865.3821662804@douglas.co.za> for root:98. -Mar 19 08:36:37 h780152 spamd[18424]: identified spam (8.1/6.0) for root:98 in 4.2 seconds, 1432 bytes. -Mar 19 08:36:37 h780152 spamd[18424]: result: Y 8 - FORGED_RCVD_HELO,INFO_TLD,RCVD_BY_IP,RCVD_IN_XBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=4.2,size=1432,mid=<3388717865.3821662804@douglas.co.za>,autolearn=no -Mar 19 08:36:37 h780152 qmail-scanner[31528]: Clear:RC:0(213.165.64.100):SA:1(8.1/6.0): 4.195255 1371 srs0=k3bc=5k=douglas.co.za=deonegqf@gmx.net peter@ifup.de $E}{UALLYY_EXPLICIT:_Group_glorious_teens_hardcoore <3388717865.3821662804@douglas.co.za> 1142753793.31530-0.ifup.de:134 - - -Thanks Peter diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/sshd b/debian/ossec-hids/var/ossec/rules/log-entries/sshd deleted file mode 100644 index e6e7065..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/sshd +++ /dev/null @@ -1,345 +0,0 @@ -Jul 7 10:51:24 eva sshd[19537]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:25 eva sshd[19539]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:26 eva sshd[19542]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:26 eva sshd[19544]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:28 eva sshd[19546]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:28 eva sshd[19548]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:29 eva sshd[19550]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:30 eva sshd[19553]: Invalid user admin from 83.15.231.75 -Jul 7 10:51:31 eva sshd[19555]: Invalid user admin1 from 83.15.231.75 -Jul 7 10:51:32 eva sshd[19557]: Invalid user admin1 from 83.15.231.75 -Jul 7 10:51:33 eva sshd[19559]: Invalid user admin1 from 83.15.231.75 -Jul 7 10:51:34 eva sshd[19561]: Invalid user admin1 from 83.15.231.75 -Jul 7 10:51:35 eva sshd[19564]: Invalid user admin1 from 83.15.231.75 -Jul 7 10:51:36 eva sshd[19566]: Invalid user admin1 from 83.15.231.75 -Jul 7 10:51:37 eva sshd[19568]: Invalid user admin01 from 83.15.231.75 -Jul 7 10:51:38 eva sshd[19570]: Invalid user admin01 from 83.15.231.75 -Jul 7 10:51:39 eva sshd[19572]: Invalid user admin01 from 83.15.231.75 -Jul 7 10:51:40 eva sshd[19574]: Invalid user admin01 from 83.15.231.75 -Jul 7 10:51:41 eva sshd[19577]: Invalid user admin01 from 83.15.231.75 -Jul 7 10:51:42 eva sshd[19579]: Invalid user test from 83.15.231.75 -Jul 7 10:51:43 eva sshd[19581]: Invalid user test from 83.15.231.75 -Jul 7 10:51:44 eva sshd[19583]: Invalid user test from 83.15.231.75 -Jul 7 10:51:45 eva sshd[19585]: Invalid user test from 83.15.231.75 -Jul 7 10:51:45 eva sshd[19588]: Invalid user test from 83.15.231.75 -Jul 7 10:51:46 eva sshd[19590]: Invalid user test from 83.15.231.75 -Jul 7 10:51:47 eva sshd[19592]: Invalid user test from 83.15.231.75 -Jul 7 10:51:48 eva sshd[19594]: Invalid user test1 from 83.15.231.75 -Jul 7 10:51:49 eva sshd[19596]: Invalid user test1 from 83.15.231.75 -Jul 7 10:51:50 eva sshd[19598]: Invalid user test1 from 83.15.231.75 -Jul 7 10:51:51 eva sshd[19601]: Invalid user test1 from 83.15.231.75 -Jul 7 10:51:52 eva sshd[19603]: Invalid user test1 from 83.15.231.75 -Jul 7 10:51:53 eva sshd[19605]: Invalid user test1 from 83.15.231.75 -Jul 7 10:51:54 eva sshd[19607]: Invalid user test01 from 83.15.231.75 -Jul 7 10:51:55 eva sshd[19609]: Invalid user test01 from 83.15.231.75 -Jul 7 10:51:56 eva sshd[19612]: Invalid user test01 from 83.15.231.75 -Jul 7 10:51:56 eva sshd[19614]: Invalid user test01 from 83.15.231.75 -Jul 7 10:51:58 eva sshd[19616]: Invalid user test01 from 83.15.231.75 -Jul 7 10:51:58 eva sshd[19618]: Invalid user test02 from 83.15.231.75 -Jul 7 10:52:00 eva sshd[19620]: Invalid user test02 from 83.15.231.75 -Jul 7 10:52:00 eva sshd[19623]: Invalid user test02 from 83.15.231.75 -Jul 7 10:52:01 eva sshd[19625]: Invalid user test02 from 83.15.231.75 -Jul 7 10:52:02 eva sshd[19627]: Invalid user test02 from 83.15.231.75 -Jul 7 10:52:03 eva sshd[19629]: Invalid user test03 from 83.15.231.75 -Jul 7 10:52:04 eva sshd[19631]: Invalid user test03 from 83.15.231.75 -Jul 7 10:52:05 eva sshd[19633]: Invalid user test03 from 83.15.231.75 -Jul 7 10:52:06 eva sshd[19636]: Invalid user test03 from 83.15.231.75 -Jul 7 10:52:07 eva sshd[19638]: Invalid user test03 from 83.15.231.75 -Jul 7 10:52:08 eva sshd[19640]: Invalid user test04 from 83.15.231.75 -Jul 7 10:52:09 eva sshd[19642]: Invalid user test04 from 83.15.231.75 -Jul 7 10:52:18 eva sshd[19646]: Invalid user test04 from 83.15.231.75 -Jul 7 10:52:20 eva sshd[19648]: Invalid user test04 from 83.15.231.75 -Jul 7 10:52:20 eva sshd[19651]: Invalid user guest from 83.15.231.75 -Jul 7 10:52:21 eva sshd[19653]: Invalid user guest from 83.15.231.75 -Jul 7 10:52:22 eva sshd[19655]: Invalid user guest from 83.15.231.75 -Jul 7 10:52:23 eva sshd[19657]: Invalid user guest from 83.15.231.75 -Jul 7 10:52:24 eva sshd[19659]: Invalid user guest from 83.15.231.75 -Jul 7 10:52:25 eva sshd[19661]: Invalid user guest from 83.15.231.75 -Jul 7 10:52:26 eva sshd[19664]: Invalid user guest from 83.15.231.75 -Jul 7 10:52:27 eva sshd[19666]: Invalid user guest01 from 83.15.231.75 -Jul 7 10:52:28 eva sshd[19668]: Invalid user guest01 from 83.15.231.75 -Jul 7 10:52:29 eva sshd[19670]: Invalid user ftpadmin from 83.15.231.75 -Jul 7 10:52:30 eva sshd[19672]: Invalid user ftpadmin from 83.15.231.75 -Jul 7 10:52:31 eva sshd[19675]: Invalid user ftpadmin from 83.15.231.75 -Jul 7 10:52:32 eva sshd[19677]: Invalid user ftpadmin from 83.15.231.75 -Jul 7 10:52:33 eva sshd[19679]: Invalid user ftpuser from 83.15.231.75 -Jul 7 10:52:33 eva sshd[19681]: Invalid user ftpuser from 83.15.231.75 -Jul 7 10:52:35 eva sshd[19683]: Invalid user ftpuser from 83.15.231.75 -Jul 7 10:52:35 eva sshd[19686]: Invalid user ftpuser from 83.15.231.75 -Jul 7 10:52:36 eva sshd[19688]: Invalid user backup from 83.15.231.75 -Jul 7 10:52:37 eva sshd[19690]: Invalid user backup from 83.15.231.75 -Jul 7 10:52:38 eva sshd[19692]: Invalid user backup from 83.15.231.75 -Jul 7 10:52:39 eva sshd[19694]: Invalid user backup from 83.15.231.75 -Jul 7 10:52:40 eva sshd[19696]: Invalid user postgres from 83.15.231.75 -Jul 7 10:52:41 eva sshd[19699]: Invalid user postgres from 83.15.231.75 -Jul 7 10:52:43 eva sshd[19703]: Invalid user account from 83.15.231.75 -Jul 7 10:52:44 eva sshd[19705]: Invalid user webmaster from 83.15.231.75 -Jul 7 10:52:45 eva sshd[19707]: Invalid user webmaster from 83.15.231.75 -Jul 7 10:52:46 eva sshd[19710]: Invalid user webmaster from 83.15.231.75 -Jul 7 10:52:46 eva sshd[19712]: Invalid user webmaster from 83.15.231.75 -Jul 7 10:52:48 eva sshd[19714]: Invalid user webmaster from 83.15.231.75 -Jul 7 10:52:48 eva sshd[19716]: Invalid user webadmin from 83.15.231.75 -Jul 7 10:52:49 eva sshd[19718]: Invalid user webadmin from 83.15.231.75 -Jul 7 10:52:50 eva sshd[19721]: Invalid user webadmin from 83.15.231.75 -Jul 7 10:52:51 eva sshd[19723]: Invalid user webadmin from 83.15.231.75 -Jul 7 10:52:52 eva sshd[19725]: Invalid user webadmin from 83.15.231.75 -Jul 7 10:52:53 eva sshd[19727]: Invalid user nagios from 83.15.231.75 -Jul 7 10:52:54 eva sshd[19729]: Invalid user nagios from 83.15.231.75 -Jul 7 10:52:55 eva sshd[19731]: Invalid user nagios from 83.15.231.75 -Jul 7 10:52:56 eva sshd[19734]: Invalid user nagios from 83.15.231.75 -Jul 7 10:52:57 eva sshd[19736]: Invalid user nagios from 83.15.231.75 -Jul 7 10:52:58 eva sshd[19738]: Invalid user ftptest from 83.15.231.75 -Jul 7 10:52:59 eva sshd[19740]: Invalid user ftptest from 83.15.231.75 -Jul 7 10:53:00 eva sshd[19742]: Invalid user ftptest from 83.15.231.75 -Jul 7 10:53:01 eva sshd[19745]: Invalid user ftptest from 83.15.231.75 -Jul 7 10:53:01 eva sshd[19747]: Invalid user ftptest from 83.15.231.75 -Jul 7 10:53:02 eva sshd[19749]: Invalid user ftptest from 83.15.231.75 -Jul 7 10:53:03 eva sshd[19751]: Invalid user library from 83.15.231.75 -Jul 7 10:53:04 eva sshd[19753]: Invalid user library from 83.15.231.75 -Jul 7 10:53:05 eva sshd[19755]: Invalid user library from 83.15.231.75 -Jul 7 10:53:06 eva sshd[19758]: Invalid user ftpguest from 83.15.231.75 -Jul 7 10:53:07 eva sshd[19760]: Invalid user ftpguest from 83.15.231.75 -Jul 7 10:53:08 eva sshd[19762]: Invalid user ftpguest from 83.15.231.75 -Jul 7 10:53:09 eva sshd[19764]: Invalid user ftpguest from 83.15.231.75 -Jul 7 10:53:10 eva sshd[19766]: Invalid user info from 83.15.231.75 -Jul 7 10:53:11 eva sshd[19769]: Invalid user info from 83.15.231.75 -Jul 7 10:53:11 eva sshd[19771]: Invalid user info from 83.15.231.75 -Jul 7 10:53:13 eva sshd[19782]: Invalid user info from 83.15.231.75 -Jul 7 10:53:13 eva sshd[19787]: Invalid user info from 83.15.231.75 -Jul 7 10:53:21 eva sshd[19805]: Invalid user upload from 83.15.231.75 -Jul 7 10:53:22 eva sshd[19807]: Invalid user upload from 83.15.231.75 -Jul 7 10:53:23 eva sshd[19809]: Invalid user upload from 83.15.231.75 -Jul 7 10:53:23 eva sshd[19811]: Invalid user upload from 83.15.231.75 -Jul 7 10:53:25 eva sshd[19813]: Invalid user upload from 83.15.231.75 -Jul 7 10:53:25 eva sshd[19816]: Invalid user upload from 83.15.231.75 -Jul 7 10:53:26 eva sshd[19818]: Invalid user upload from 83.15.231.75 -Jul 7 10:53:27 eva sshd[19820]: Invalid user usertest from 83.15.231.75 -Jul 7 10:53:28 eva sshd[19822]: Invalid user update from 83.15.231.75 -Jul 7 10:53:29 eva sshd[19824]: Invalid user update from 83.15.231.75 -Jul 7 10:53:30 eva sshd[19826]: Invalid user update from 83.15.231.75 -Jul 7 10:53:31 eva sshd[19829]: Invalid user update from 83.15.231.75 -Jul 7 10:53:32 eva sshd[19831]: Invalid user update from 83.15.231.75 -Jul 7 10:53:33 eva sshd[19833]: Invalid user update from 83.15.231.75 -Jul 7 10:53:40 eva sshd[19845]: Invalid user apache from 83.15.231.75 -Jul 7 10:53:41 eva sshd[19847]: Invalid user apache from 83.15.231.75 -Jul 7 10:53:42 eva sshd[19849]: Invalid user apache from 83.15.231.75 -Jul 7 10:53:43 eva sshd[19851]: Invalid user apache from 83.15.231.75 -Jul 7 10:53:44 eva sshd[19853]: Invalid user apache from 83.15.231.75 -Jul 7 10:53:45 eva sshd[19855]: Invalid user apache from 83.15.231.75 -Jul 7 10:53:46 eva sshd[19858]: Invalid user webuser from 83.15.231.75 -Jul 7 10:53:47 eva sshd[19860]: Invalid user webuser from 83.15.231.75 -Jul 7 10:53:48 eva sshd[19862]: Invalid user webuser from 83.15.231.75 -Jul 7 10:53:49 eva sshd[19864]: Invalid user webuser from 83.15.231.75 -Jul 7 10:53:50 eva sshd[19866]: Invalid user webuser from 83.15.231.75 -Jul 7 10:53:51 eva sshd[19869]: Invalid user webuser from 83.15.231.75 -Jul 7 10:53:51 eva sshd[19871]: Invalid user webuser from 83.15.231.75 -Jul 7 10:53:53 eva sshd[19873]: Invalid user oracle from 83.15.231.75 -Jul 7 10:53:54 eva sshd[19875]: Invalid user oracle from 83.15.231.75 -Jul 7 10:53:58 eva sshd[19878]: Invalid user oracle from 83.15.231.75 -Jul 7 10:53:59 eva sshd[19880]: Invalid user oracle from 83.15.231.75 -Jul 7 10:54:00 eva sshd[19882]: Invalid user cyrus from 83.15.231.75 -Jul 7 10:54:01 eva sshd[19885]: Invalid user cyrus from 83.15.231.75 -Jul 7 10:54:01 eva sshd[19887]: Invalid user cyrus from 83.15.231.75 -Jul 7 10:54:02 eva sshd[19889]: Invalid user cyrus from 83.15.231.75 -Jul 7 10:54:03 eva sshd[19891]: Invalid user server from 83.15.231.75 -Jul 7 10:54:04 eva sshd[19893]: Invalid user server from 83.15.231.75 -Jul 7 10:54:06 eva sshd[19898]: Invalid user daniel from 83.15.231.75 -Jul 7 10:54:07 eva sshd[19900]: Invalid user user from 83.15.231.75 -Jul 7 10:54:08 eva sshd[19902]: Invalid user user from 83.15.231.75 -Jul 7 10:54:09 eva sshd[19904]: Invalid user user from 83.15.231.75 -Jul 7 10:54:10 eva sshd[19906]: Invalid user user from 83.15.231.75 -Jul 7 10:54:11 eva sshd[19909]: Invalid user user from 83.15.231.75 -Jul 7 10:54:12 eva sshd[19911]: Invalid user linux from 83.15.231.75 -Jul 7 10:54:13 eva sshd[19913]: Invalid user linux from 83.15.231.75 -Jul 7 10:54:13 eva sshd[19915]: Invalid user linux from 83.15.231.75 -Jul 7 10:54:15 eva sshd[19917]: Invalid user linux from 83.15.231.75 -Jul 7 10:54:15 eva sshd[19920]: Invalid user linux from 83.15.231.75 -Jul 7 10:54:16 eva sshd[19922]: Invalid user student from 83.15.231.75 -Jul 7 10:54:17 eva sshd[19924]: Invalid user student from 83.15.231.75 -Jul 7 10:54:18 eva sshd[19926]: Invalid user student from 83.15.231.75 -Jul 7 10:54:19 eva sshd[19928]: Invalid user student from 83.15.231.75 -Jul 7 10:54:20 eva sshd[19930]: Invalid user student from 83.15.231.75 -Jul 7 10:54:21 eva sshd[19933]: Invalid user temp from 83.15.231.75 -Jul 7 10:54:22 eva sshd[19935]: Invalid user temp from 83.15.231.75 -Jul 7 10:54:23 eva sshd[19937]: Invalid user temp from 83.15.231.75 -Jul 7 10:54:24 eva sshd[19939]: Invalid user temp from 83.15.231.75 -Jul 7 10:54:25 eva sshd[19941]: Invalid user temp from 83.15.231.75 -Jul 7 10:54:26 eva sshd[19944]: Invalid user contact from 83.15.231.75 -Jul 7 10:54:26 eva sshd[19946]: Invalid user contact from 83.15.231.75 -Jul 7 10:54:27 eva sshd[19948]: Invalid user ftpd from 83.15.231.75 -Jul 7 10:54:28 eva sshd[19950]: Invalid user gopher from 83.15.231.75 -Jul 7 10:54:29 eva sshd[19952]: Invalid user gopher from 83.15.231.75 -Jul 7 10:54:30 eva sshd[19954]: Invalid user jobs from 83.15.231.75 -Jul 7 10:54:31 eva sshd[19957]: Invalid user sysadmin from 83.15.231.75 -Jul 7 10:54:32 eva sshd[19959]: Invalid user sysadmin from 83.15.231.75 -Jul 7 10:54:33 eva sshd[19961]: Invalid user sysadmin from 83.15.231.75 -Jul 7 10:54:34 eva sshd[19963]: Invalid user sysadmin from 83.15.231.75 -Jul 7 10:54:35 eva sshd[19965]: Invalid user named from 83.15.231.75 -Jul 7 10:54:36 eva sshd[19968]: Invalid user pgsql from 83.15.231.75 -Jul 7 10:54:36 eva sshd[19970]: Invalid user pgsql from 83.15.231.75 -Jul 7 10:54:38 eva sshd[19972]: Invalid user pgsql from 83.15.231.75 -Jul 7 10:54:38 eva sshd[19974]: Invalid user pgsql from 83.15.231.75 -Jul 7 10:54:39 eva sshd[19976]: Invalid user unix from 83.15.231.75 -Jul 7 10:54:40 eva sshd[19979]: Invalid user unix from 83.15.231.75 -Jul 7 10:54:41 eva sshd[19981]: Invalid user unix from 83.15.231.75 -Jul 7 10:54:42 eva sshd[19983]: Invalid user unix from 83.15.231.75 -Jul 7 10:54:49 eva sshd[20000]: Invalid user postmaster from 83.15.231.75 -Jul 7 10:54:50 eva sshd[20003]: Invalid user postmaster from 83.15.231.75 -Jul 7 10:54:51 eva sshd[20005]: Invalid user operator from 83.15.231.75 -Jul 7 10:54:52 eva sshd[20007]: Invalid user operator from 83.15.231.75 -Jul 7 10:54:54 eva sshd[20011]: Invalid user users from 83.15.231.75 -Jul 7 10:54:55 eva sshd[20013]: Invalid user internet from 83.15.231.75 -Jul 7 10:54:56 eva sshd[20016]: Invalid user internet from 83.15.231.75 -Jul 7 10:54:58 eva sshd[20020]: Invalid user carlos from 83.15.231.75 -Jul 7 10:54:58 eva sshd[20022]: Invalid user adm from 83.15.231.75 -Jul 7 10:55:00 eva sshd[20024]: Invalid user data from 83.15.231.75 -Jul 7 10:55:00 eva sshd[20027]: Invalid user nologin from 83.15.231.75 -Jul 7 10:55:01 eva sshd[20029]: Invalid user smtp from 83.15.231.75 -Jul 7 10:55:03 eva sshd[20031]: Invalid user gdm from 83.15.231.75 -Jul 7 10:55:04 eva sshd[20033]: Invalid user martin from 83.15.231.75 -Jul 7 10:55:05 eva sshd[20035]: Invalid user carlos from 83.15.231.75 -Jul 7 10:55:06 eva sshd[20038]: Invalid user david from 83.15.231.75 -Jul 7 10:55:06 eva sshd[20040]: Invalid user richard from 83.15.231.75 -Jul 7 10:55:08 eva sshd[20042]: Invalid user andy from 83.15.231.75 -Jul 7 10:55:08 eva sshd[20044]: Invalid user kevin from 83.15.231.75 -Jul 7 10:55:10 eva sshd[20046]: Invalid user jeff from 83.15.231.75 -Jul 7 10:55:10 eva sshd[20049]: Invalid user data from 83.15.231.75 -Jul 7 10:55:11 eva sshd[20051]: Invalid user patrick from 83.15.231.75 -Jul 7 10:55:12 eva sshd[20053]: Invalid user jane from 83.15.231.75 -Jul 7 10:55:13 eva sshd[20055]: Invalid user sql from 83.15.231.75 -Jul 7 10:55:14 eva sshd[20057]: Invalid user tester from 83.15.231.75 -Jul 7 10:55:15 eva sshd[20059]: Invalid user andrew from 83.15.231.75 -Jul 7 10:55:16 eva sshd[20062]: Invalid user steven from 83.15.231.75 -Jul 7 10:55:17 eva sshd[20064]: Invalid user angela from 83.15.231.75 -Jul 7 10:55:18 eva sshd[20066]: Invalid user andrea from 83.15.231.75 -Jul 7 10:55:19 eva sshd[20068]: Invalid user webaccount from 83.15.231.75 -Jul 7 10:55:20 eva sshd[20070]: Invalid user seth from 83.15.231.75 -Jul 7 10:55:21 eva sshd[20073]: Invalid user bobby from 83.15.231.75 -Jul 7 10:55:21 eva sshd[20075]: Invalid user peter from 83.15.231.75 -Jul 7 10:55:23 eva sshd[20077]: Invalid user john from 83.15.231.75 -Jul 7 10:55:23 eva sshd[20079]: Invalid user mike from 83.15.231.75 -Jul 7 10:55:24 eva sshd[20081]: Invalid user ally from 83.15.231.75 -Jul 7 10:55:25 eva sshd[20084]: Invalid user norman from 83.15.231.75 -Jul 7 10:55:26 eva sshd[20086]: Invalid user nike from 83.15.231.75 -Jul 7 10:55:27 eva sshd[20088]: Invalid user diana from 83.15.231.75 -Jul 7 10:55:28 eva sshd[20090]: Invalid user george from 83.15.231.75 -Jul 7 10:55:29 eva sshd[20092]: Invalid user james from 83.15.231.75 -Jul 7 10:55:30 eva sshd[20094]: Invalid user transfer from 83.15.231.75 -Jul 7 10:55:31 eva sshd[20097]: Invalid user spam from 83.15.231.75 -Jul 7 10:55:32 eva sshd[20099]: Invalid user spam from 83.15.231.75 -Jul 7 10:55:35 eva sshd[20102]: Invalid user denis from 83.15.231.75 -Jul 7 10:55:36 eva sshd[20104]: Invalid user anders from 83.15.231.75 -Jul 7 10:55:37 eva sshd[20106]: Invalid user friends from 83.15.231.75 -Jul 7 10:55:38 eva sshd[20108]: Invalid user friend from 83.15.231.75 -Jul 7 10:55:39 eva sshd[20110]: Invalid user blast from 83.15.231.75 -Jul 7 10:55:40 eva sshd[20112]: Invalid user ferrari from 83.15.231.75 -Jul 7 10:55:41 eva sshd[20115]: Invalid user bill from 83.15.231.75 -Jul 7 10:55:42 eva sshd[20117]: Invalid user bill from 83.15.231.75 -Jul 7 10:55:43 eva sshd[20119]: Invalid user bill from 83.15.231.75 -Jul 7 10:55:44 eva sshd[20121]: Invalid user bill from 83.15.231.75 -Jul 7 10:55:45 eva sshd[20123]: Invalid user demo from 83.15.231.75 -Jul 7 10:55:46 eva sshd[20126]: Invalid user forum from 83.15.231.75 -Jul 7 10:55:47 eva sshd[20128]: Invalid user master from 83.15.231.75 -Jul 7 10:55:48 eva sshd[20130]: Invalid user pat from 83.15.231.75 -Jul 7 10:55:49 eva sshd[20132]: Invalid user jan from 83.15.231.75 -Jul 7 10:55:50 eva sshd[20134]: Invalid user mark from 83.15.231.75 -Jul 7 10:55:50 eva sshd[20137]: Invalid user support from 83.15.231.75 -Jul 7 10:55:51 eva sshd[20139]: Invalid user cold from 83.15.231.75 -Jul 7 10:55:52 eva sshd[20141]: Invalid user smith from 83.15.231.75 -Jul 7 10:55:53 eva sshd[20143]: Invalid user ppp from 83.15.231.75 -Jul 7 10:55:54 eva sshd[20145]: Invalid user anna from 83.15.231.75 -Jul 7 10:55:55 eva sshd[20147]: Invalid user seba from 83.15.231.75 -Jul 7 10:55:56 eva sshd[20150]: Invalid user lotus from 83.15.231.75 -Jul 7 10:55:57 eva sshd[20152]: Invalid user engine from 83.15.231.75 -Jul 7 10:55:58 eva sshd[20154]: Invalid user domain from 83.15.231.75 -Jul 7 10:55:59 eva sshd[20156]: Invalid user www from 83.15.231.75 -Jul 7 10:56:00 eva sshd[20158]: Invalid user www from 83.15.231.75 -Jul 7 10:56:01 eva sshd[20161]: Invalid user www from 83.15.231.75 -Jul 7 10:56:02 eva sshd[20163]: Invalid user www from 83.15.231.75 -Jul 7 10:56:03 eva sshd[20165]: Invalid user www from 83.15.231.75 -Jul 7 10:56:03 eva sshd[20167]: Invalid user masters from 83.15.231.75 -Jul 7 10:56:05 eva sshd[20169]: Invalid user users from 83.15.231.75 -Jul 7 10:56:05 eva sshd[20172]: Invalid user users from 83.15.231.75 -Jul 7 10:56:06 eva sshd[20174]: Invalid user solaris from 83.15.231.75 -Jul 7 10:56:07 eva sshd[20176]: Invalid user cvs from 83.15.231.75 -Jul 7 10:56:08 eva sshd[20178]: Invalid user guest1 from 83.15.231.75 -Jul 7 10:56:09 eva sshd[20180]: Invalid user guest02 from 83.15.231.75 -Jul 7 10:56:10 eva sshd[20182]: Invalid user www-data from 83.15.231.75 -Aug 7 15:13:17 eva sshd[27633]: Invalid user webmaster from 200.94.18.3 -Aug 7 15:13:23 eva sshd[27650]: Invalid user sales from 200.94.18.3 -Aug 7 15:13:24 eva sshd[27652]: Invalid user admin from 200.94.18.3 -Aug 7 15:13:26 eva sshd[27655]: Invalid user andrea from 200.94.18.3 -Aug 7 15:13:28 eva sshd[27657]: Invalid user backup from 200.94.18.3 -Aug 7 15:13:29 eva sshd[27659]: Invalid user guest from 200.94.18.3 -Aug 7 15:13:31 eva sshd[27662]: Invalid user guest1 from 200.94.18.3 -Aug 7 15:13:33 eva sshd[27664]: Invalid user guest2 from 200.94.18.3 -Aug 7 15:13:34 eva sshd[27666]: Invalid user guest3 from 200.94.18.3 -Aug 7 15:13:36 eva sshd[27669]: Invalid user guest4 from 200.94.18.3 -Aug 7 15:13:38 eva sshd[27671]: Invalid user guest5 from 200.94.18.3 -Aug 7 15:13:39 eva sshd[27673]: Invalid user guest6 from 200.94.18.3 -Aug 7 15:13:41 eva sshd[27676]: Invalid user guest7 from 200.94.18.3 -Aug 7 15:13:43 eva sshd[27678]: Invalid user guest8 from 200.94.18.3 -Aug 7 15:13:44 eva sshd[27680]: Invalid user guest9 from 200.94.18.3 -Aug 7 15:13:46 eva sshd[27683]: Invalid user guest10 from 200.94.18.3 -Aug 7 15:13:48 eva sshd[27685]: Invalid user michael from 200.94.18.3 -Aug 7 15:13:50 eva sshd[27688]: Invalid user gigi from 200.94.18.3 -Aug 7 15:13:52 eva sshd[27692]: Invalid user france from 200.94.18.3 -Aug 7 15:13:54 eva sshd[27694]: Invalid user raider from 200.94.18.3 -Aug 7 15:13:55 eva sshd[27696]: Invalid user movie from 200.94.18.3 -Aug 7 15:13:57 eva sshd[27699]: Invalid user movies from 200.94.18.3 -Aug 7 15:13:59 eva sshd[27701]: Invalid user judith from 200.94.18.3 -Aug 7 15:14:00 eva sshd[27705]: Invalid user default from 200.94.18.3 -Aug 7 15:14:02 eva sshd[27708]: Invalid user sean from 200.94.18.3 -Aug 7 15:14:04 eva sshd[27710]: Invalid user erik from 200.94.18.3 -Aug 7 15:14:05 eva sshd[27713]: Invalid user house from 200.94.18.3 -Aug 7 15:14:07 eva sshd[27721]: Invalid user status from 200.94.18.3 -Aug 7 15:14:09 eva sshd[27727]: Invalid user music from 200.94.18.3 -Aug 7 15:14:10 eva sshd[27734]: Invalid user test from 200.94.18.3 -Aug 7 15:14:12 eva sshd[27737]: Invalid user christian from 200.94.18.3 -Aug 7 15:14:14 eva sshd[27744]: Invalid user upload from 200.94.18.3 -Aug 7 15:14:15 eva sshd[27746]: Invalid user security from 200.94.18.3 -Aug 7 15:14:17 eva sshd[27749]: Invalid user scanner from 200.94.18.3 -Aug 7 15:14:19 eva sshd[27751]: Invalid user work from 200.94.18.3 -Aug 7 15:14:20 eva sshd[27753]: Invalid user eli from 200.94.18.3 -Aug 7 15:14:22 eva sshd[27756]: Invalid user ariel from 200.94.18.3 -Aug 7 15:14:24 eva sshd[27759]: Invalid user matt from 200.94.18.3 -Aug 7 15:14:25 eva sshd[27761]: Invalid user smoke from 200.94.18.3 -Aug 7 15:14:27 eva sshd[27764]: Invalid user papa from 200.94.18.3 -Aug 7 15:14:29 eva sshd[27766]: Invalid user beth from 200.94.18.3 -Aug 7 15:14:30 eva sshd[27768]: Invalid user samba from 200.94.18.3 -Aug 7 15:14:32 eva sshd[27771]: Invalid user library from 200.94.18.3 -Aug 7 15:14:34 eva sshd[27773]: Invalid user don from 200.94.18.3 -Aug 7 15:14:35 eva sshd[27775]: Invalid user webuser from 200.94.18.3 -Aug 7 15:14:37 eva sshd[27778]: Invalid user monitor from 200.94.18.3 -Aug 7 15:14:39 eva sshd[27780]: Invalid user roberto from 200.94.18.3 -Aug 7 15:14:40 eva sshd[27782]: Invalid user mama from 200.94.18.3 -Aug 7 15:14:42 eva sshd[27785]: Invalid user windows from 200.94.18.3 -Aug 7 15:14:44 eva sshd[27787]: Invalid user fritz from 200.94.18.3 -Aug 7 15:14:45 eva sshd[27789]: Invalid user linux from 200.94.18.3 -Aug 7 15:14:47 eva sshd[27797]: Invalid user debian from 200.94.18.3 -Aug 7 15:14:49 eva sshd[27805]: Invalid user darwin from 200.94.18.3 -Aug 7 15:14:50 eva sshd[27807]: Invalid user redhat from 200.94.18.3 -Aug 7 15:14:52 eva sshd[27810]: Invalid user edith from 200.94.18.3 -Aug 7 15:14:54 eva sshd[27812]: Invalid user neo from 200.94.18.3 -Aug 7 15:14:55 eva sshd[27814]: Invalid user neo from 200.94.18.3 -Aug 7 15:14:57 eva sshd[27817]: Invalid user bebe from 200.94.18.3 -Aug 7 15:14:59 eva sshd[27819]: Invalid user postgres from 200.94.18.3 -Aug 7 15:15:00 eva sshd[27821]: Invalid user antonio from 200.94.18.3 -Aug 7 15:15:02 eva sshd[27824]: Invalid user archive from 200.94.18.3 -Aug 7 15:15:05 eva sshd[27845]: Invalid user cathy from 200.94.18.3 -Aug 7 15:15:06 eva sshd[27848]: Invalid user alex from 200.94.18.3 -Aug 7 15:15:08 eva sshd[27850]: Invalid user download from 200.94.18.3 -Aug 7 15:15:10 eva sshd[27852]: Invalid user eric from 200.94.18.3 -Aug 7 15:15:11 eva sshd[27855]: Invalid user gaby from 200.94.18.3 -Aug 7 15:15:13 eva sshd[27857]: Invalid user beer from 200.94.18.3 -Aug 7 15:15:15 eva sshd[27859]: Invalid user mp3 from 200.94.18.3 -Aug 7 15:15:16 eva sshd[27862]: Invalid user ghost from 200.94.18.3 -Aug 7 15:15:18 eva sshd[27864]: Invalid user virus from 200.94.18.3 -Aug 7 15:15:20 eva sshd[27871]: Invalid user gloria from 200.94.18.3 -Aug 7 15:15:21 eva sshd[27874]: Invalid user erwin from 200.94.18.3 -Aug 7 15:15:23 eva sshd[27881]: Invalid user update from 200.94.18.3 -Aug 7 15:15:25 eva sshd[27883]: Invalid user kiss from 200.94.18.3 -Aug 7 15:15:26 eva sshd[27886]: Invalid user army from 200.94.18.3 -Aug 7 15:15:28 eva sshd[27888]: Invalid user andreas from 200.94.18.3 -Aug 7 15:15:33 eva sshd[27891]: Invalid user jojo from 200.94.18.3 -Aug 7 15:15:34 eva sshd[27893]: Invalid user service from 200.94.18.3 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/symantecws b/debian/ossec-hids/var/ossec/rules/log-entries/symantecws deleted file mode 100644 index cd60dda..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/symantecws +++ /dev/null @@ -1,12 +0,0 @@ -20070717,30020,1=3,41=SWS-3.0.1.86/lists,100=Version 3.0.3299,3=7,2=29 -20070717,30024,100=SWS-3.0.1.86,2=36 -20070717,30044,1=3,3=1,2=302 -20070717,30044,1=3,1202=20070715.002,1203=20070715.002,3=7,2=301 -20070717,30225,1=3,41=SWS-3.0.1.86/dictionaries,100=Version 3.0.638,3=7,2=29 -20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29 -20070717,40031,1=3,41=SWS-3.0.1.86/lists,100=Version 3.0.3299,3=7,2=29 -20070717,73613,1=5,11=10.1.1.3,10=userc,3=1,2=1 -20070717,103426,1=5,11=1.2.3.4,10=virtadmin,3=1,2=1 -20070717,73614,1=5,11=1.2.3.4,1106=News,60=http://news.bbc.co.uk/,10=userX,1000=212.58.240.42,2=27 -20070717,115252,1=5,11=1.2.3.4,1106=Miscellaneous,60=https://ad.doubleclick.net/,10=userY,1000=216.73.87.52,2=27 -20070717,122017,1=5,11=2.3.4.5,1106=Finance,60=http://www.esl.org/abc.exe,10=userB,1000=208.2.188.219,2=27 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/telnetd b/debian/ossec-hids/var/ossec/rules/log-entries/telnetd deleted file mode 100644 index a30e5c9..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/telnetd +++ /dev/null @@ -1,15 +0,0 @@ -May 27 15:52:37 valhalla telnetd[4882]: refused connect from mstr195175-16075.dial-in.ttnet.net.tr -May 27 16:48:29 valhalla telnetd[5010]: refused connect from 88.226.34.75 -Jun 2 09:50:28 queen in.telnetd[19636]: [ID 947420 local2.warning] refused connect from 220-129-149-114.dynamic.hinet.net -May 11 10:28:07 queen in.telnetd[19847]: [ID 927837 local2.info] connect from dsl85-105-30859.ttnet.net.tr -May 30 17:11:32 hayaletgemi telnetd[360652]: connect from valhalla.metu.edu.tr -May 12 14:45:17 hayaletgemi in.telnetd[4821]: [ID 927837 local2.info] connect from dsl85-105-30859.ttnet.net.tr -May 12 14:45:17 hayaletgemi telnetd[4821]: [ID 682499 daemon.info] ttloop: read: Not a data message -May 28 17:14:52 queen telnetd[76014]: connect from vod85-15-3859.ttnet.net.tr -May 28 17:14:53 queen telnetd[76014]: ttloop: read: A connection with a remote socket was reset by that socket. -Jun 2 09:59:27 valhalla-eth in.telnetd[19826]: [ID 927837 local2.info] connect from adsl105-3085-tr.ttnet.net.tr -Jun 2 09:59:28 valhalla-eth telnetd[19826]: [ID 485252 daemon.info] ttloop: peer died: Error 0 -May 29 23:57:28 isik telnetd[946360]: connect from 85-10-085.ttnet.net.tr -May 29 23:57:28 isik telnetd[946360]: ttloop: peer died: A file or directory in the path name does not exist. -May 29 20:59:00 valhalla-eth telnetd[2507000]: warning: can't verify hostname: gethostbyname(dsl.dynamic812154227.ttnet.net.tr -May 30 00:19:11 valhalla-eth telnetd[987186]: warning: can't verify hostname: gethostbyname(131.1.satis-tl.ru) failed diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/unkown b/debian/ossec-hids/var/ossec/rules/log-entries/unkown deleted file mode 100644 index 993af03..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/unkown +++ /dev/null @@ -1,17 +0,0 @@ - Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200 - Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200 - Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200 - Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200 - Apr 14 19:18:56 mozart in.telnetd[11639]: connect from 192.168.11.200 - Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200 - Apr 14 19:19:03 mozart ipop3d[11642]: connect from 192.168.11.200 - Apr 14 19:19:03 mozart imapd[11643]: connect from 192.168.11.200 - Apr 14 19:19:04 mozart in.fingerd[11646]: connect from 192.168.11.200 - Apr 14 19:19:05 mozart in.fingerd[11648]: connect from 192.168.11.200 - - Apr 14 21:01:58 mozart imapd[11667]: command stream end of file, while reading line user=??? host=[192.168.11.200] - Apr 14 21:01:58 mozart ipop3d[11668]: No such file or directory while reading line user=??? host=[192.168.11.200] - Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [192.168.11.200]: expn root - - Apr 14 21:03:09 mozart telnetd[11682]: ttloop: peer died: Invalid or incomplete multibyte or wide character - Apr 14 21:03:12 mozart ftpd[11688]: FTP session closed diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/vpn.log b/debian/ossec-hids/var/ossec/rules/log-entries/vpn.log deleted file mode 100644 index 18dfa36..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/vpn.log +++ /dev/null @@ -1,20 +0,0 @@ -31220 06/01/2005 19:05:22.120 SEV=8 IKEDBG/0 RPT=41554 12.34.56.78 RECEIVED Message (msgid=0) with payloads :HDR + SA (1) + NONE (0) total length : 84 -31222 06/01/2005 19:05:22.120 SEV=8 IKEDBG/0 RPT=41555 12.34.56.78 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84 -31224 06/01/2005 19:05:22.120 SEV=9 IKEDBG/0 RPT=41556 12.34.56.78 processing SA payload -31225 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28390 12.34.56.78 SA Payload Decode : DOI : IPSEC (1) -31228 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28391 12.34.56.78 Proposal Decode: -31233 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28393 12.34.56.78 Phase 1 SA Attribute Decode for Transform # 1: -31238 06/01/2005 19:05:22.120 SEV=12 IKEDECODE/0 RPT=28394 IKE Decode of received SA attributes follows: 0000: 80010005 80020002 80030001 80040002 ................ -31241 06/01/2005 19:05:22.120 SEV=7 IKEDBG/0 RPT=41557 12.34.56.78 Oakley proposal is acceptable -31244 06/01/2005 19:05:22.230 SEV=9 IKEDBG/46 RPT=12648 12.34.56.78 constructing Cisco Unity VID payload -31245 06/01/2005 19:05:22.230 SEV=9 IKEDBG/46 RPT=12649 12.34.56.78 constructing xauth V6 VID payload -31247 06/01/2005 19:05:22.230 SEV=9 IKEDBG/38 RPT=1153 12.34.56.78 Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409) -31286 06/01/2005 19:05:22.460 SEV=8 AUTHDBG/1 RPT=1302 AUTH_Open() returns 277 -31287 06/01/2005 19:05:22.460 SEV=7 AUTH/12 RPT=1302 Authentication session opened: handle = 277 -31311 06/01/2005 19:05:22.560 SEV=6 AUTH/41 RPT=1240 12.34.56.78 Authentication successful: handle = 277, server = Internal, group = L2L: Smc -31325 06/01/2005 19:05:22.560 SEV=4 AUTH/22 RPT=1084 User [L2L: Smc] Group [L2L: Smc] connected, Session Type: IPSec/LAN-to-LAN -31326 06/01/2005 19:05:22.570 SEV=4 AUTH/84 RPT=1029 LAN-to-LAN tunnel to headend device 12.34.56.78 connected -31351 06/01/2005 19:05:22.580 SEV=7 AUTH/13 RPT=1300 Authentication session closed: handle = 277 -31352 06/01/2005 19:05:25.540 SEV=4 EVENT/39 RPT=1915 Event Manager erased file(s) LOG34591.TXT when saving file: log35028.txt -22929 04/06/2005 10:07:08.170 SEV=3 AUTH/5 RPT=10801 66.119.119.212 Authentication rejected: Reason = Unspecified handle = 732, server = 162.116.30.137, user = Romano_Bobby, domain = -Nov 23 19:10:03 test.net 24067 23/11/2006 19:10:03.123 SEV=4 IKE/52 RPT=764 112.10.1.1 Group [NONE] User [xyz] User (xyz) authenticated. diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/vpopmail b/debian/ossec-hids/var/ossec/rules/log-entries/vpopmail deleted file mode 100644 index 06465ae..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/vpopmail +++ /dev/null @@ -1,26 +0,0 @@ -Sep 14 07:21:42 iron vpopmail[939]: vchkpw-pop3: password fail keith1@xxxx.com:219.136.100.198 -Sep 14 07:21:42 iron vpopmail[937]: vchkpw-pop3: password fail keith2@xxxx.com:219.136.100.198 -Sep 14 07:21:42 iron vpopmail[935]: vchkpw-pop3: password fail keith3@xxxx.com:219.136.100.198 -Sep 14 07:21:42 iron vpopmail[931]: vchkpw-pop3: password fail keith4@xxxx.com:219.136.100.198 -Sep 14 07:21:41 iron vpopmail[923]: vchkpw-pop3: password fail keith5@xxxx.com:219.136.100.198 -Sep 14 07:21:40 iron vpopmail[910]: vchkpw-pop3: password fail keith6@xxxx.com:219.136.100.198 -Sep 14 07:21:40 iron vpopmail[903]: vchkpw-pop3: password fail keith7@xxxx.com:219.136.100.198 -Sep 14 07:21:40 iron vpopmail[901]: vchkpw-pop3: password fail keith9@xxxx.com:219.136.100.198 -Sep 14 07:21:39 iron vpopmail[899]: vchkpw-pop3: password fail keitha@xxxx.com:219.136.100.198 -Sep 14 07:21:39 iron vpopmail[896]: vchkpw-pop3: password fail keithb@xxxx.com:219.136.100.198 -Sep 14 07:21:39 iron vpopmail[893]: vchkpw-pop3: password fail keithc@xxxx.com:219.136.100.198 -Sep 14 07:21:39 iron vpopmail[890]: vchkpw-pop3: password fail keithd@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[883]: vchkpw-pop3: password fail keithe@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[888]: vchkpw-pop3: password fail keithf@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[881]: vchkpw-pop3: password fail keithg@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[884]: vchkpw-pop3: password fail keithh@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[878]: vchkpw-pop3: password fail keithi@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[872]: vchkpw-pop3: password fail keithj@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[873]: vchkpw-pop3: password fail keithk@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[876]: vchkpw-pop3: password fail keithl@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[870]: vchkpw-pop3: password fail keithm@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[868]: vchkpw-pop3: password fail keithn@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[866]: vchkpw-pop3: password fail keitho@xxxx.com:219.136.100.198 -Sep 14 07:21:38 iron vpopmail[863]: vchkpw-pop3: password fail keithp@xxxx.com:219.136.100.198 -Sep 14 07:21:37 iron vpopmail[858]: vchkpw-pop3: password fail keithq@xxxx.com:219.136.100.198 -Sep 14 07:21:37 iron vpopmail[860]: vchkpw-pop3: password fail keiths@xxxx.com:219.136.100.198 diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/worms b/debian/ossec-hids/var/ossec/rules/log-entries/worms deleted file mode 100644 index 4095102..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/worms +++ /dev/null @@ -1,54 +0,0 @@ -86 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html -588 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html -9 200.255.5.155 TCP_NEGATIVE_HIT/404 726 GET http://arborfolia.com/nul.php - NONE/- text/html -326 200.255.5.155 TCP_MISS/404 717 GET http://arborfolia.com/nul.php - DIRECT/66.49.208.142 text/html -1001 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html -966 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html -543 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html -545 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html -504 200.255.5.155 TCP_MISS/404 443 GET http://ujscie.one.pl/nul.php - DIRECT/82.96.66.63 text/html - - -OSSEC HIDS Notification. -2006 Jun 20 08:09:32 - -Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log -Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'" -Portion of the log(s): - -576 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html -543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html -955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html -934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html -328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html -329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html -546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html -512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html -2085 200.255.5.155 TCP_MISS/404 502 GET http://www.jonogueira.com/nul.php - DIRECT/69.0.160.233 text/html - - - - --END OF NOTIFICATION - - - - OSSEC HIDS Notification. - 2006 Jun 20 08:09:33 - - Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log - Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'" - Portion of the log(s): - - 1004 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html - 784 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html - 543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html - 955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html - 934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html - 328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html - 329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html - 546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html - 512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html - -http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=223894 - -http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=TROJ_BAGLE.EY&VSect=T diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/xferlog b/debian/ossec-hids/var/ossec/rules/log-entries/xferlog deleted file mode 100644 index 784a015..0000000 --- a/debian/ossec-hids/var/ossec/rules/log-entries/xferlog +++ /dev/null @@ -1,14 +0,0 @@ -Fri Mar 31 10:22:44 2006 0 201.44.122.146 32003 /usr/pages/users/resende/htdocs/images/festas/bannerterror.jpg a _ d r canalresende ftp 0 * c - - "Fri Mar 31 10:22:45 2006 0 201.44.122.146 88302 - /usr/pages/users/resende/htdocs/images/festas/banterror.jpg a _ d r - canalresende ftp 0 * c" - -Mon Apr 17 18:27:14 2006 1 64.160.42.130 0 /pub/lyx/devel/log b _ o a mozilla@example.com ftp 0 * i -Mon Apr 17 18:27:20 2006 2 64.160.42.130 42930 /pub/lyx/devel/log/qtbuild.log b _ o a mozilla@example.com ftp 0 * c -Mon Apr 17 20:35:20 2006 1 66.249.66.74 0 /pub/noweb b _ o a googlebot@google.com ftp 0 * i -Tue Apr 18 00:29:01 2006 176 193.219.28.2 6359760 /pub/lyx/devel/lyx-devel.tar.bz2 b _ o a mirror@icm.edu.pl ftp 0 * i -Tue Apr 18 00:30:02 2006 60 193.219.28.2 0 /pub/lyx/devel/log/xformsbuild.log b _ o a mirror@icm.edu.pl ftp 0 * i -Tue Apr 18 00:31:02 2006 60 193.219.28.2 0 /pub/lyx/devel/log/qtbuild.log b _ o a mirror@icm.edu.pl ftp 0 * i -Tue Apr 18 10:47:30 2006 1 66.249.65.137 0 /pub/lyx/html b _ o a googlebot@google.com ftp 0 * i -Tue Apr 18 15:48:41 2006 1 83.135.64.94 0 /pub/lyx b _ o a mozilla@example.com ftp 0 * i diff --git a/debian/ossec-hids/var/ossec/rules/mailscanner_rules.xml b/debian/ossec-hids/var/ossec/rules/mailscanner_rules.xml deleted file mode 100644 index eae1f6f..0000000 --- a/debian/ossec-hids/var/ossec/rules/mailscanner_rules.xml +++ /dev/null @@ -1,51 +0,0 @@ - - - - - - mailscanner - Grouping of mailscanner rules. - - - - 3700 - not - Non spam message. Ignored. - - - - 3700 - spam - Mail Scanner spam detected. - spam, - - - - 3702 - - Multiple attempts of spam. - multiple_spam, - - - - 1002 - update.bad.phishing.sites - ^Phishing bad sites list updated - ignore - - - - diff --git a/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml b/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml deleted file mode 100644 index d3b2aab..0000000 --- a/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml +++ /dev/null @@ -1,125 +0,0 @@ - - -^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$ -^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$ -^257$|^5000$|^5026$|^5052$|^5055$ -quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted -The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean -10 - - - - 18101,18102,18103 - windows - ^McLogEvent - Grouping of McAfee Windows AV rules. - - - - 7500 - $MCAFEE_INFO - McAfee Windows AV informational event. - - - - 7500 - $MCAFEE_WARN - McAfee Windows AV warning event. - - - - 7500 - $MCAFEE_ERROR - McAfee Windows AV error event. - - - - 7500 - $MCAFEE_VIRUS - virus - McAfee Windows AV - Virus detected and not removed. - - - - 7504 - $MCAFEE_VIRUS_OK - virus - McAfee Windows AV - Virus detected and properly removed. - - - - 7504 - Will be deleted - virus - McAfee Windows AV - Virus detected and file will be deleted. - - - - 7500 - scan started|scan stopped - McAfee Windows AV - Scan started or stopped. - - - - 7501 - ^257 - completed. No detections - McAfee Windows AV - Scan completed with no viruses found. - - - - 7500 - scan was cancelled |has taken too long - McAfee Windows AV - Virus scan cancelled. - - - - 7500 - scan was canceled because - McAfee Windows AV - Virus scan cancelled due to shutdown. - - - - 7500 - update was successful - McAfee Windows AV - Virus program or DAT update succeeded. - - - - 7500 - update failed - McAfee Windows AV - Virus program or DAT update failed. - - - - 7500 - update was cancelled - McAfee Windows AV - Virus program or DAT update cancelled. - - - - 7505 - contains the EICAR test file - alert_by_email - McAfee Windows AV - EICAR test file detected. - - - - - - 7502 - Multiple McAfee AV warning events. - - - - diff --git a/debian/ossec-hids/var/ossec/rules/mhn_cowrie_rules.xml b/debian/ossec-hids/var/ossec/rules/mhn_cowrie_rules.xml deleted file mode 100644 index d7218b6..0000000 --- a/debian/ossec-hids/var/ossec/rules/mhn_cowrie_rules.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - - - - - - - cowrie - SSH login attempted on cowrie honeypot - SSH login attempted on cowrie honeypot - - - - cowrie - SSH session on cowrie honeypot - SSH session established on cowrie honeypot - - - - cowrie - command attempted on cowrie honeypot - A command was attempted in SSH session on cowrie honeypot - - - diff --git a/debian/ossec-hids/var/ossec/rules/mhn_dionaea_rules.xml b/debian/ossec-hids/var/ossec/rules/mhn_dionaea_rules.xml deleted file mode 100644 index cad0529..0000000 --- a/debian/ossec-hids/var/ossec/rules/mhn_dionaea_rules.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - - dionaea - Connection to Dionaea Honeypot identified - - - diff --git a/debian/ossec-hids/var/ossec/rules/ms-exchange_rules.xml b/debian/ossec-hids/var/ossec/rules/ms-exchange_rules.xml deleted file mode 100644 index 1ef5b05..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms-exchange_rules.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - - - - - - msexchange - Grouping of Exchange rules. - - - - 3800 - RCPT - ^550 - E-mail rcpt is not valid (invalid account). - spam, - - - - 3800 - ^5 - E-mail 500 error code. - spam, - - - - 3801 - - Multiple e-mail attempts to an invalid account. - multiple_spam, - - - - 3802 - - Multiple e-mail 500 error code (spam). - multiple_spam, - - - - diff --git a/debian/ossec-hids/var/ossec/rules/ms-se_rules.xml b/debian/ossec-hids/var/ossec/rules/ms-se_rules.xml deleted file mode 100644 index fdfa23f..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms-se_rules.xml +++ /dev/null @@ -1,131 +0,0 @@ - - - - - - - - windows - 18101,18102,18103 - ^Microsoft Antimalware - Grouping of Microsoft Security Essentials rules. - - - - 7701 - ^1118$|^1119$ - virus - Microsoft Security Essentials - Virus detected, but unable to remove. - - - - 7701 - ^1107$ - virus - Microsoft Security Essentials - Virus detected and properly removed. - - - - 7701 - ^1119$|^1118$|^1117$|^1116$ - virus - Microsoft Security Essentials - Virus detected. - - - - 7701 - ^1015$ - virus, - Microsoft Security Essentials - Suspicious activity detected. - - - - 7701 - ^5007$ - Microsoft Security Essentials - Configuration changed. - policy_changed, - - - - 7701 - ^5008$ - Microsoft Security Essentials - Service failed. - - - - 7701 - ^3002$ - Microsoft Security Essentials - Real time protection failed. - - - - 7701 - ^2012$ - Microsoft Security Essentials - Cannot use Dynamic Signature Service. - - - - 7701 - ^2004$ - Microsoft Security Essentials - Loading definitions failed. Using last good set. - - - - 7701 - ^2003$ - Microsoft Security Essentials - Engine update failed. - - - - 7701 - ^2001$ - Microsoft Security Essentials - Definitions update failed. - - - - 7701 - ^1005$ - Microsoft Security Essentials - Scan error. Scan has stopped. - - - - 7701 - ^1002$ - Microsoft Security Essentials - Scan stopped before completion. - - - - - 7711, 7712 - Virus:DOS/EICAR_Test_File - alert_by_email - Microsoft Security Essentials - EICAR test file detected. - - - - - 7711 - Multiple Microsoft Security Essentials AV warnings detected. - - - - 7712 - Multiple Microsoft Security Essentials AV warnings detected. - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/ms1016_usbdetect_rules.xml b/debian/ossec-hids/var/ossec/rules/ms1016_usbdetect_rules.xml deleted file mode 100644 index 24fd618..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms1016_usbdetect_rules.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - - - 18104 - ^6416$ - A new external device was recognized by the System - windows, - - diff --git a/debian/ossec-hids/var/ossec/rules/ms_dhcp_rules.xml b/debian/ossec-hids/var/ossec/rules/ms_dhcp_rules.xml deleted file mode 100644 index c0c8385..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms_dhcp_rules.xml +++ /dev/null @@ -1,436 +0,0 @@ - - - - - - - - - - - - - ms-dhcp-ipv4 - Grouping for the MS-DHCP rules. - - - - 6300 - ^00 - The log was started. - service_start, - - - - 6300 - ^01 - The log was stopped. - service_availability, - - - - 6300 - ^02 - The log was temporarily paused due to low disk space. - system_error, - - - - 6300 - ^10 - A new IP address was leased to a client. - dhcp_lease_action, - - - - 6300 - ^11 - A lease was renewed by a client. - dhcp_lease_action, - - - - 6300 - ^12 - A lease was released by a client. - dhcp_lease_action, - - - - 6300 - ^13 - An IP address was found to be in use on the network. - dhcp_lease_action, - - - - 6300 - ^14 - A lease request could not be satisfied because the scope's address pool was exhausted. - service_availability,dhcp_lease_action, - - - - 6300 - ^15 - A lease was denied. - dhcp_lease_action, - - - - 6300 - ^16 - A lease was deleted. - dhcp_lease_action, - - - - 6300 - ^17 - A lease was expired and DNS records for an expired leases have not been deleted. - dhcp_lease_action, - - - - 6300 - ^18 - A lease was expired and DNS records were deleted. - dhcp_lease_action,dhcp_dns_maintenance - - - - 6300 - ^20 - A BOOTP address was leased to a client. - dhcp_lease_action, - - - - 6300 - ^21 - A dynamic BOOTP address was leased to a client. - dhcp_lease_action, - - - - - 6300 - ^22 - A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. - dhcp_lease_action, - - - - 6300 - ^23 - A BOOTP IP address was deleted after checking to see it was not in use. - dhcp_lease_action, - - - - 6300 - ^24 - IP address cleanup operation has began. - dhcp_maintenance, - - - - 6300 - ^25 - IP address cleanup statistics. - dhcp_maintenance, - - - - 6300 - ^30 - DNS update request to the named DNS server. - dhcp_dns_maintenance, - - - - 6300 - ^31 - DNS update failed. - dhcp_dns_maintenance, - - - - 6300 - ^32 - DNS update successful. - dhcp_dns_maintenance, - - - - 6300 - ^33 - Packet dropped due to NAP policy. - dhcp_lease_action, - - - - - 6300 - ^5 - Codes above 50 are used for Rogue Server Detection information. - dhcp_rogue_server, - - - - - - - - - ms-dhcp-ipv6 - Grouping for the MS-DHCP rules. - - - - 6350 - ^11000 - Solicit. - dhcp_ipv6, - - - - 6350 - ^11001|^11002 - Advertise. - dhcp_ipv6, - - - - 6350 - ^11003 - Confirm. - dhcp_ipv6, - - - - 6350 - ^11004 - Renew. - dhcp_ipv6, - - - - 6350 - ^11005 - Rebind. - dhcp_ipv6, - - - - - 6350 - ^11006 - DHCP Decline. - dhcp_ipv6, - - - - 6350 - ^11007 - Release. - dhcp_ipv6, - - - - 6350 - ^11008 - Information Request. - dhcp_ipv6, - - - - 6350 - ^11009 - Scope Full. - dhcp_ipv6, - - - - 6350 - ^11010 - Started. - service_start, - - - - 6350 - ^11011 - Stopped. - service_availability, - - - - 6350 - ^11012 - Audit log paused. - service_availability, - - - - - 6350 - ^11013 - DHCP Log File. - system_error, - - - - 6350 - ^11014 - Bad Address. - dhcp_ipv6, - - - - 6350 - ^11015 - Address is already in use. - dhcp_ipv6, - - - - 6350 - ^11016 - Client deleted. - dhcp_ipv6, - - - - 6350 - ^11017 - DNS record not deleted. - dhcp_ipv6, - - - - 6350 - ^11018 - Expired. - dhcp_ipv6, - - - - 6350 - ^11019 - Expired and Deleted count. - dhcp_ipv6, - - - - 6350 - ^11020 - Database cleanup begin. - dhcp_ipv6, - - - - - 6350 - ^11021 - Database cleanup end. - dhcp_ipv6, - - - - 6350 - ^11023 - Service not authorized in AD. - dhcp_ipv6, - - - - 6350 - ^11024 - Service authorized in AD. - dhcp_ipv6, - - - - 6350 - ^11025 - Service has not determined if it is authorized in AD. - dhcp_ipv6, - - - diff --git a/debian/ossec-hids/var/ossec/rules/ms_firewall_rules.xml b/debian/ossec-hids/var/ossec/rules/ms_firewall_rules.xml deleted file mode 100644 index 391e8ad..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms_firewall_rules.xml +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - 18104 - ^5024$ - Windows Firewall Service has started successfully - windows_firewall - - - - 18104 - ^5025$ - Windows Firewall Service has been stopped - windows_firewall - - - - 18104 - ^5027$ - Windows Firewall Service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy - windows_firewall - - - - 18104 - ^5028$ - Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy - windows_firewall - - - - 18104 - ^5029$ - The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy - windows_firewall - - - - 18104 - ^5030$ - Windows Firewall Service failed to start - windows_firewall - - - - 18105 - ^5031$ - Windows Firewall Service blocked an application from accepting incoming connections on the network - windows_firewall - - - - 18105 - ^5032$ - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network - windows_firewall - - - - 18104 - ^5033$ - Windows Firewall Driver started successfully - windows_firewall - - - - 18104 - ^5034$ - Windows Firewall Driver was stopped - windows_firewall - - - - 18105 - ^5035$ - Windows Firewall Driver failed to start - windows_firewall - - - - 18105 - ^5037$ - Windows Firewall Driver detected a critical runtime error, terminating - windows_firewall - - - - 18104 - ^4946$ - A rule was added to Windows Firewall exception list - windows_firewall - - - - 18104 - ^4947$ - A rule was modified from Windows Firewall exception list - windows_firewall - - - - 18104 - ^4948$ - A rule was deleted from Windows Firewall exception list - windows_firewall - - - - 18104 - ^4949$ - Windows Firewall settings were restored to the default values - windows_firewall - - - - 18104 - ^4950$ - A Windows Firewall setting was changed - windows_firewall - - - - 18105 - ^4951$ - Windows Firewall ignored a rule because its major version number is not recognized. - windows_firewall - - - - 18105 - ^4952$ - Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced - windows_firewall - - - - 18105 - ^4953$ - Windows Firewall ignored a rule because it could not be parsed - windows_firewall - - - - 18104 - ^4954$ - Group Policy settings for Windows Firewall were changed, and the new settings were applied - windows_firewall - - - - 18104 - ^4956$ - Windows Firewall changed the active profile - windows_firewall - - - - 18105 - ^4957$ - Windows Firewall did not apply some rules - windows_firewall - - - - 18105 - ^4958$ - Windows Firewall did not apply some rules because the rule referred to items not configured on this computer - windows_firewall - - - diff --git a/debian/ossec-hids/var/ossec/rules/ms_ftpd_rules.xml b/debian/ossec-hids/var/ossec/rules/ms_ftpd_rules.xml deleted file mode 100644 index 51431ea..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms_ftpd_rules.xml +++ /dev/null @@ -1,73 +0,0 @@ - - - - - - msftp - Grouping for the Microsoft ftp rules. - - - - 11500 - USER - New FTP connection. - connection_attempt, - - - - 11500 - PASS - 530 - FTP Authentication failed. - authentication_failed, - - - - 11500 - PASS - 230 - FTP Authentication success. - authentication_success, - - - - 11500 - ^5 - FTP client request failed. - - - - 11502 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11501 - - Multiple connection attempts from same source. - recon, - - - - 11504 - - Multiple FTP errors from same source. - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/ms_ipsec_rules.xml b/debian/ossec-hids/var/ossec/rules/ms_ipsec_rules.xml deleted file mode 100644 index 07f4300..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms_ipsec_rules.xml +++ /dev/null @@ -1,149 +0,0 @@ - - - - - - - 18104 - ^4646$ - IKE DoS-prevention mode started - windows, - - - - - 18105 - ^4652$|^4653$ - An IPsec Main Mode negotiation failed - windows, - - - - - 18105 - ^4654$ - An IPsec Quick Mode negotiation failed - windows, - - - - - 18104 - ^4983$|^4984$ - An IPsec Extended Mode negotiation failed - windows, - - - - - 18104 - ^4960$ - IPsec dropped an inbound packet that failed an integrity check - windows, - - - - - 18104 - ^4961$|^4962$ - IPsec dropped an inbound packet that failed a replay check - windows, - - - - - 18104 - ^4963$ - IPsec dropped an inbound clear text packet that should have been secured - windows, - - - - - 18104 - ^4965$ - IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI) - windows, - - - - - 18104 - ^4976$ - During Main Mode negotiation, IPsec received an invalid negotiation packet - windows, - - - - - 18104 - ^4977$ - During Quick Mode negotiation, IPsec received an invalid negotiation packet - windows, - - - - - 18104 - ^4978$ - During Extended Mode negotiation, IPsec received an invalid negotiation packet - windows, - - - - - 18104 - ^5453$ - An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started - windows, - - - - - 18105 - ^5480$ - IPsec Services failed to get the complete list of network interfaces on the computer - windows, - - - - - 18105 - ^5483$ - IPsec Services failed to initialize RPC server. IPsec Services could not be started - windows, - - - - - 18105 - ^5484$ - IPsec Services has experienced a critical failure and has been shut down - windows, - - - - - 18105 - ^5485$ - IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces - windows, - - - - - 18104 - ^4710$ - IPsec Services was disabled - windows, - - - - - 18105 - ^4712$ - IPsec Services encountered a potentially serious failure - windows, - - - diff --git a/debian/ossec-hids/var/ossec/rules/ms_powershell_rules.xml b/debian/ossec-hids/var/ossec/rules/ms_powershell_rules.xml deleted file mode 100644 index 8a64e8d..0000000 --- a/debian/ossec-hids/var/ossec/rules/ms_powershell_rules.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - - - - - - - - - - 18101 - ^400$ - PowerShell - Windows PowerShell was started. - - - - 18101 - ^800$ - PowerShell - Windows PowerShell command executed. - - - - 18101 - ^403$ - PowerShell - Windows PowerShell was stopped. - - - - 20501 - Set-StrictMode -Version 1; \.+\w+ - A wrong/misspelled command was tried - - - - 20501 - CommandLine= CommandInvocation - Powershell background activity - - - - 20501 - Set-ExecutionPolicy|Mimikatz|EncodedCommand|Payload|Find-AVSignature|DllInjection|ReflectivePEInjection|Invoke-Shellcode|Invoke--Shellcode|Invoke-ShellcodeMSIL|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|Set-MasterBootRecord|New-ElevatedPersistenceOption|Invoke-CallbackIEX|Invoke-PSInject|Invoke-DllEncode|Get-ServiceUnquoted|Get-ServiceEXEPerms|Get-ServicePerms|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-UserAddMSI|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Invoke-FindDLLHijack|Invoke-FindPathHijack|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-UnattendedInstallFiles|Get-Webconfig|Get-Webconfig|Get-ApplicationHost|Invoke-AllChecks|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|HTTP-Backdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Execute-OnTime|DNS_TXT_Pwnage|Out-Word|Out-Excel|Out-Java|Out-Shortcut|Out-CHM|Out-HTA|Enable-DuplicateToken|Remove-Update|Execute-DNSTXT-Code|Download-Execute-PS|Execute-Command-MSSQL|Download_Execute|Get-PassHashes|Invoke-CredentialsPhish|Get-LsaSecret|Get-Information|Invoke-MimikatzWDigestDowngrade|Copy-VSS|Check-VM|Invoke-NetworkRelay|Create-MultipleSessions|Run-EXEonRemote|Invoke-BruteForce|Port-Scan|Invoke-PowerShellIcmp|Invoke-PowerShellUdp|Invoke-PsGcatAgent|Invoke-PoshRatHttps|Invoke-PowerShellTcp|Invoke-PoshRatHttp|Invoke-PowerShellWmi|Invoke-PSGcat|Remove-PoshRat|TexttoEXE|Invoke-Encode|Invoke-Decode|Base64ToString|StringtoBase64|Do-Exfiltration|Parse_Keys|Add-Exfiltration|Add-Persistence|Remove-Persistence|Invoke-CreateCertificate|powercat|Find-PSServiceAccounts|Get-PSADForestKRBTGTInfo|Discover-PSMSSQLServers|Discover-PSMSExchangeServers|Get-PSADForestInfo|Get-KerberosPolicy|Discover-PSInterestingServices - Possibly Dangerous Command Detected (https://gist.github.com/gfoss/2b39d680badd2cad9d82#file-powershell-command-line-logging) - - - diff --git a/debian/ossec-hids/var/ossec/rules/msauth_rules.xml b/debian/ossec-hids/var/ossec/rules/msauth_rules.xml deleted file mode 100644 index 51ed17b..0000000 --- a/debian/ossec-hids/var/ossec/rules/msauth_rules.xml +++ /dev/null @@ -1,972 +0,0 @@ - - - -6 - - - - windows - Group of windows rules. - - - - 18100 - ^INFORMATION - Windows informational event. - - - - 18100 - ^WARNING - Windows warning event. - - - - 18100 - ^ERROR - Windows error event. - system_error, - - - - 18100 - ^AUDIT_SUCCESS|^success - Windows audit success event. - - - - 18100 - ^AUDIT_FAILURE|^failure - Windows audit failure event. - - - - 18105 - ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$ - Windows Logon Failure. - win_authentication_failed, - - - - 18104 - ^528$|^540$|^673$|^4624$|^4769$ - Windows Logon Success. - authentication_success, - - - - 18105 - ^577$|^4673$ - Failed attempt to perform a privileged - operation. - - - - 18104 - ^682$|^683$|^4778$|^4779$ - Session reconnected/disconnected to winstation. - - - - 18104 - ^624$|^626$|^4720$|^4722$ - User account enabled or created. - adduser,account_changed, - - - - 18104 - ^628$|^642$|^685$|^4738$|^4781$ - User account changed. - account_changed, - - - - 18104 - ^630$|^629$|^4725$|^4726$ - User account disabled or deleted. - adduser,account_changed, - - - - 18104 - ^612$|^643$|^4719$|^4907$|^4912$|^4719$ - Windows Audit Policy changed. - policy_changed, - - - - 18104 - ^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$| - ^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$| - ^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$| - ^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$| - ^665$|^4761$|^666$|^4762$ - Group Account Changed - group_changed,win_group_changed, - - - - 18104 - ^640$ - General account database changed. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640 - adduser,account_changed, - - - - 18104 - ^644$|^4740$ - User account locked out (multiple login errors). - authentication_failures, - - - - 18104 - ^513$|^4609$ - Windows is shutting down. - system_shutdown, - - - - 18104 - ^517$|^1102$ - Windows audit log was cleared. - logs_cleared, - - - - 18107 - alert_by_email - - First time this user logged in this system. - authentication_success, - - - - 18105 - ^680$ - Windows login attempt (ignored). Duplicated. - - - - 18102, 18103 - ^20187$|^20014$|^20078$|^20050$|^20049$|^20189$ - Remote access login failure. - authentication_failed, - - - - 18101 - ^20158$ - Remote access login success. - authentication_success, - - - - 18104 - ^646$|^645$|^647$|^4741$|^4742$|^4743$ - Computer account added/changed/deleted. - account_changed, - - - - - ^65xxx - Group account added/changed/deleted. - This rule has been deprecated - account_changed, - - - - 18103 - ^13570$ - Windows file system full. - low_diskspace, - - - - - - 18106 - ^529$|^4625$ - Logon Failure - Unknown user or bad password. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625 - win_authentication_failed, - - - - 18106 - ^530$ - Logon Failure - Account logon time restriction - violation. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530 - win_authentication_failed,login_denied, - - - - 18106 - ^531$ - Logon Failure - Account currently disabled. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531 - win_authentication_failed,login_denied, - - - - 18106 - ^532$ - Logon Failure - Specified account expired. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532 - win_authentication_failed,login_denied, - - - - 18106 - ^533$ - Logon Failure - User not allowed to login at - this computer. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533 - win_authentication_failed,login_denied, - - - - 18106 - ^534$ - Logon Failure - User not granted logon type. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534 - win_authentication_failed, - - - - 18106 - ^535$ - Logon Failure - Account's password expired. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535 - win_authentication_failed, - - - - 18106 - ^536$|^537$ - Logon Failure - Internal error. - win_authentication_failed, - - - - 18106 - ^539$ - Logon Failure - Account locked out. - win_authentication_failed, - - - - 18105 - ^673$|^675$|^681$|^4769$ - Windows DC Logon Failure. - win_authentication_failed, - - - - 18104 - ^520$|^4616$ - System time changed. - time_changed, - - - - 18102 - ^1076$ - unexpected shutdown - system_error, system_shutdown, - Unexpected Windows shutdown. - - - - 18104 - ^671$|^4767$ - User account unlocked. - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767 - account_changed, - - - - 18114 - ^631$|^635$|^658$ - Security enabled group created. - adduser,account_changed, - - - - 18114 - ^634$|^638$|^662$ - Security enabled group deleted. - adduser,account_changed, - - - - - 18101 - ^7040$ - policy_changed, - Service startup type was changed. - This does not appear to be logged on Windows 2000. - - - - 18101 - ^11724$ - alert_by_email - Application Uninstalled. - - - - 18101 - ^11707$ - alert_by_email - Application Installed. - - - - 18104 - ^4608$ - Windows is starting up. - - - - 18104 - ^538$|^551$|^4634$|^4647$ - Windows User Logoff. - - - - - - 18104 - ^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$| - ^663$|^4759$ - Group Account Created - group_created,win_group_created, - - - - 18104 - ^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$| - ^667$|^4763$ - Group Account Deleted - group_deleted,win_group_deleted, - - - - 18200 - ^631$|^4727$ - Security Enabled Global Group Created - group_created,win_group_created, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631 - - - - 18114 - ^632$|^4728$ - Security Enabled Global Group Member Added - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632 - - - - 18114 - ^633$|^4729$ - Security Enabled Global Group Member Removed - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633 - - - - 18201 - ^634$|^4730$ - Security Enabled Global Group Deleted - group_deleted,win_group_deleted, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634 - - - - 18200 - ^635$|^4731$ - Security Enabled Local Group Created - group_created,win_group_created, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635 - - - - 18114 - ^636$|^4732$ - Security Enabled Local Group Member Added - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636 - - - - 18114 - ^637$|^4733$ - Security Enabled Local Group Member Removed - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637 - - - - 18201 - ^638$|^4734$ - Security Enabled Local Group Deleted - group_deleted,win_group_deleted, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638 - - - - 18114 - ^639$|^4735$ - Security Enabled Local Group Changed - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639 - - - - 18114 - ^641$|^4737$ - Security Enabled Global Group Changed - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641 - - - - 18200 - ^658$|^4754$ - Security Enabled Universal Group Created - group_created,win_group_created, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658 - - - - 18114 - ^659$|^4755$ - Security Enabled Universal Group Changed - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659 - - - - 18114 - ^660$|^4756$ - Security Enabled Universal Group Member Added - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660 - - - - 18114 - ^661$|^4757$ - Security Enabled Universal Group Member Removed - group_changed,win_group_changed, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661 - - - - 18201 - ^662$|^4758$ - Security Enabled Universal Group Deleted - group_deleted,win_group_deleted, - http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662 - - - - 18207,18208 - ID:\s+\p*S-1-5-32-544 - Administrators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0 - Everyone Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9 - Enterprise Domain Controllers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11 - Authenticated Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13 - Terminal Server Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18203,18204 - ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512 - Domain Admins Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18203,18204 - ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513 - Domain Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18223,18203 - Target Account Name: None - Local User Group NONE - Bogus group user added to upon creation - - - - 18203,18204 - ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514 - Domain Guests Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18203,18204 - ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515 - Domain Computers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18203,18204 - ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516 - Domain Controllers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517 - Cert Publishers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18203,18204 - ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518 - Schema Admins Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18203,18204 - ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519 - Enterprise Admins Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18203,18204 - ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520 - Group Policy Creator Owners Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553 - RAS and IAS Servers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545 - Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546 - Guests Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547 - Power Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548 - Account Operators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549 - Server Operators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550 - Print Operators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551 - Backup Operators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552 - Replicators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554 - Pre-Windows 2000 Compatible Access Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555 - Remote Desktop Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556 - Network Configuration Operators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557 - Incoming Forest Trust Builders Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558 - Performance Monitor Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559 - Performance Log Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560 - Windows Authorization Access Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561 - Terminal Server License Servers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562 - Distributed COM Users Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498 - Enterprise Read-only Domain Controllers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529 - Read-only Domain Controllers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569 - Cryptographic Operators Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571 - Allowed RODC Password Replication Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572 - Denied RODC Password Replication Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573 - Event Log Readers Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18207,18208 - ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574 - Certificate Service DCOM Access Group Changed - group_changed,win_group_changed, - http://support.microsoft.com/kb/243330 - - - - 18101 - ^200$|^300$|^302$ - TS Gateway login success. - authentication_success, - https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx - - - - 18102, 18103 - ^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$ - TS Gateway login failure. - authentication_failed, - https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx - - - - 18101 - ^202$|^303$ - TS Gateway user disconnected. - https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx - - - - - 18107,18149 - ^528$|^538$|^540$|^4624$ - ^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON - Windows Logon Success (ignored). - - - - - - 18139 - Failure Code: 0x1F - Windows DC integrity check on decrypted - field failed. - - win_authentication_failed,attacks, - - - - 18139 - Failure Code: 0x22 - Windows DC - Possible replay attack. - - win_authentication_failed,attacks, - - - - 18139 - Failure Code: 0x25 - Windows DC - Clock skew too great. - - win_authentication_failed,attacks, - - - - - - 18105 - ^18456$ - win_authentication_failed, - MS SQL Server Logon Failure. - - - - 18104 - ^18454$|^18453$ - MS SQL Server Logon Success. - authentication_success, - - - - - 18107 - ^4624$ - Logon Type: 8 - MS Exchange Logon Success. - - - - 18149 - ^4634$ - Logon Type: 8 - User Logoff Exchange. - - - - - - 18108 - - Multiple failed attempts to perform a - privileged operation by the same user. - - - - win_authentication_failed - Multiple Windows Logon Failures. - authentication_failures, - - - - 18105 - Multiple Windows audit failure events. - - - - 18103 - Multiple Windows error events. - - - - 18102 - Multiple Windows warning events. - - - - 18125 - Multiple remote access login failures. - authentication_failures, - - - - 18258 - Multiple TS Gateway login failures. - authentication_failures, - - - - - 18103 - chromoting - : chromoting: \.* Access denied for client: - Chrome Remote Desktop attempt - access denied - - - - 18101 - chromoting - : chromoting: \.* Client connected: - Chrome Remote Desktop attempt - connected - - - - 18101 - chromoting - : chromoting: \.* Client disconnected: - Chrome Remote Desktop attempt - disconnected - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/mysql_rules.xml b/debian/ossec-hids/var/ossec/rules/mysql_rules.xml deleted file mode 100644 index 5c57e37..0000000 --- a/debian/ossec-hids/var/ossec/rules/mysql_rules.xml +++ /dev/null @@ -1,85 +0,0 @@ - - - - - - - mysql_log - MySQL messages grouped. - - - - 50100 - ^MySQL log: \d+ \S+ \d+ Connect - Database authentication success. - authentication_success, - - - - 50105 - Access denied for user - Database authentication failure. - authentication_failed, - - - - 50100 - ^MySQL log: \d+ \S+ \d+ Query - Database query. - - - - 50100 - ^MySQL log: \d+ \S+ \d+ Quit - User disconnected from database. - - - - 50100 - mysqld ended|Shutdown complete - Database shutdown message. - service_availability, - - - - 50100 - mysqld started|mysqld restarted - Database startup message. - service_availability, - - - - 50100 - ^MySQL log: \d+ \S+ \d+ [ERROR] - Database error. - - - - 50125 - Fatal error: - Database fatal error. - service_availability, - - - - 50125 - Multiple database errors. - service_availability, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/named_rules.xml b/debian/ossec-hids/var/ossec/rules/named_rules.xml deleted file mode 100644 index c9e95a9..0000000 --- a/debian/ossec-hids/var/ossec/rules/named_rules.xml +++ /dev/null @@ -1,325 +0,0 @@ - - - - - - named - Grouping of the named rules - - - - 12100 - dropping source port zero packet from - Invalid DNS packet. Possibility of attack. - invalid_access, - - - - 12100 - denied AXFR from - Failed attempt to perform a zone transfer. - access_denied, - - - - 12100 - denied update from|unapproved update from - DNS update denied. - Generally mis-configuration. - http://seclists.org/incidents/2000/May/217 - client_misconfig, - - - - 12100 - unable to rename log file - Log permission misconfiguration in Named. - system_error, - - - - 12100 - unexpected RCODE - Unexpected error while resolving domain. - - - - 12100 - refused notify from non-master - DNS configuration error. - - - - 12100 - update \S+ denied - DNS update using RFC2136 Dynamic protocol. - - - - 12100 - query (cache) denied|: query (cache) - Query cache denied (probably config error). - http://www.reedmedia.net/misc/dns/errors.html - connection_attempt, - - - - 12100 - exiting (due to fatal error) - Named fatal error. DNS service going down. - service_availability, - - - - ^zone \S+ serial number \S+ received from master - \S+ \S ours (\S+) - Serial number from master is lower - than stored. - system_error, - - - - ^transfer of \S+ from \S+ failed while receiving \S+ REFUSED - Unable to perform zone transfer. - system_error, - - - - ^zone \S+: expired - Zone transfer error. - - - - 12100 - zone transfer deferred due to quota - Zone transfer deferred. - - - - 12100 - bad owner name (check-names) - Hostname contains characters that check-names does not like. - - - - 12100 - loaded serial|transferred serial - Zone transfer. - - - - 12100 - syntax error near| - reloading configuration failed: unexpected token - Syntax error in a named configuration file. - - - - - 12100 - refresh: retry limit for master \S+ exceeded - Zone transfer rety limit exceeded - - - - 12100 - already exists previous definition - Zone has been duplicated. - - - - 12100 - starting BIND - BIND has been started - - - - 12100 - has no address records - Missing A or AAAA record - - - - 12100 - zone \S+: \(master\) removed - Zone has been removed from a master server - - - - 12100 - loading from master file \S+ failed: not at top of zone$ - Origin of zone and owner name of SOA do not match. - - - - 12100 - already exists previous definition - Zone has been duplicated - - - - 12100 - reloading configuration failed: unexpected end of input - BIND Configuration error. - - - - 12100 - zone \S+: \(master\) removed - Zone has been removed from a master server - - - - 12100 - loading from master file \S+ failed: not at top of zone$ - Origin of zone and owner name of SOA do not match. - - - - 12100 - ^transfer of| - AXFR started$ - Zone transfer. - - - - 12128 - failed to connect: connection refused - Zone transfer failed, unable to connect to master. - - - - 12100 - IPv6 interfaces failed - Could not listen on IPv6 interface. - - - - 12100 - failed; interface ignored - Could not bind to an interface. - - - - 12128 - failed while receiving responses: not authoritative - Master is not authoritative for zone. - - - - 12100 - open: \S+: permission denied$ - Could not open configuration file, permission denied. - - - - 12100 - loading configuration: permission denied - Could not open configuration file, permission denied. - - - - 12100 - IN SOA -E - Domain in SOA -E. - - - - 12128 - failed to connect: host unreachable - Master appears to be down. - - - - 12100 - IN AXFR - - Domain is queried for a zone transferred. - - - - 12100 - IN A + - Domain A record found. - - - - 12100 - client \S+: bad zone transfer request: \S+: non-authoritative zone \(NOTAUTH\) - Bad zone transfer request. - - - - 12100 - refresh: failure trying master - Cannot refresh a domain from the master server. - - - - 12100 - SOA record not at top of zone - Origin of zone and owner name of SOA do not match. - - - - 12100 - command channel listening on - named command channel is listening. - - - - 12100 - automatic empty zone - named has created an automatic empty zone. - - - - 12100 - reloading configuration failed: out of memory - Server does not have enough memory to reload the configuration. - - - - 12100 - zone transfer \S+ denied - zone transfer denied - - - - 12100 - error sending response: host unreachable$ - Cannot send a DNS response. - - - - 12100 - update forwarding \.+ denied$ - Cannot update forwarding domain. - - - - 12100 - : parsing failed$ - Parsing of a configuration file has failed. - - - - 12108 - - Multiple query (cache) failures. - connection_attempt, - - - diff --git a/debian/ossec-hids/var/ossec/rules/netscreenfw_rules.xml b/debian/ossec-hids/var/ossec/rules/netscreenfw_rules.xml deleted file mode 100644 index 8f4a07c..0000000 --- a/debian/ossec-hids/var/ossec/rules/netscreenfw_rules.xml +++ /dev/null @@ -1,123 +0,0 @@ - - - - - - netscreenfw - Grouping for the Netscreen Firewall rules - - - - 4500 - notification - Netscreen notification message. - - - - 4500 - warning - Netscreen warning message. - - - - 4500 - critical - Netscreen critical/alert message. - - - - 4500 - alert - Netscreen critical/alert message. - - - - 4500 - information - Netscreen informational message. - - - - - 4503 - ^00027 - Netscreen Erase sequence started. - service_availability, - - - - 4501 - ^00002 - Successfull admin login to the Netscreen firewall - authentication_success, - - - - 4502 - ^00515 - Successfull admin login to the Netscreen firewall - authentication_success, - - - - 4501 - ^00018 - Firewall policy changed. - config_changed, - - - - 4504 - ^00767 - Firewall configuration changed. - config_changed, - - - - 4503 - - Multiple Netscreen critical messages from - same source IP. - - - - 4503 - Multiple Netscreen critical messages. - - - - 4513 - - Multiple Netscreen alert messages from - same source IP. - - - - 4513 - Multiple Netscreen alert messages. - - - - 4500 - SYN flood! - netscreen detected a SYN flood. - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/nginx_rules.xml b/debian/ossec-hids/var/ossec/rules/nginx_rules.xml deleted file mode 100644 index 96ab323..0000000 --- a/debian/ossec-hids/var/ossec/rules/nginx_rules.xml +++ /dev/null @@ -1,88 +0,0 @@ - - - - - - nginx-errorlog - Nginx messages grouped. - - - - 31300 - ^\S+ \S+ [error] - Nginx error message. - - - - 31300 - ^\S+ \S+ [warn] - Nginx warning message. - - - - 31300 - ^\S+ \S+ [crit] - Nginx critical message. - - - - 31301 - failed (2: No such file or directory)|is not found (2: No such file or directory) - Server returned 404 (reported in the access.log). - - - - 31301 - accept() failed (53: Software caused connection abort) - Incomplete client request. - - - - 31301 - no user/password was provided for basic authentication - Initial 401 authentication request. - - - - 31301 - password mismatch, client| was not found in - Web authentication failed. - authentication_failed, - - - - 31315 - - Multiple web authentication failures. - authentication_failures, - - - - 31303 - failed (2: No such file or directory - Common cache error when files were removed. - - - - 31301 - failed (36: File name too long) - Invalid URI, file name too long. - invalid_request, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/nsd_rules.xml b/debian/ossec-hids/var/ossec/rules/nsd_rules.xml deleted file mode 100644 index e561ab0..0000000 --- a/debian/ossec-hids/var/ossec/rules/nsd_rules.xml +++ /dev/null @@ -1,97 +0,0 @@ - - - - - nsd - NSD grouping. - - - - 53200 - unrecognized RR type - Syntax error in nsd configuration. - - - - nsd - 53200 - server initialization failed|syntax error$ - Syntax error in nsd configuration. - - - - 53200 - ^NSTATS|^XSTATS - nsd statistics - - - - nsd - Can't bind - Cannot bind to a socket. - - - - nsd - nsd is already running - nsd is already running. - - - - nsd - 53200 - received notify response error NOT IMPL - Notify is not implemented. - - - - nsd - 53200 - read with \d+ errors$ - Zone file read with errors. - - - - nsd - 53200 - received error code - Error grouping. - - - - nsd - 53208 - NOT IMPL - Zone xfer not implemented. - - - - 53200 - tcp: Connection reset by peer$ - tcp connection reset. - - - - 53200 - received error code NOT IMPL - Attempted zone transfer not configured. - - - - 53208 - received error code SERVER NOT AUTHORITATIVE FOR ZONE - Server not authoritative for zone transfer. - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/openbsd-dhcpd_rules.xml b/debian/ossec-hids/var/ossec/rules/openbsd-dhcpd_rules.xml deleted file mode 100644 index 4aa4251..0000000 --- a/debian/ossec-hids/var/ossec/rules/openbsd-dhcpd_rules.xml +++ /dev/null @@ -1,84 +0,0 @@ - - - - - - dhcpd - dhcpd grouping. - - - - 53000 - ^DHCPREQUEST|^DHCPOFFER |^DHCPDISCOVER|^DHCPACK - Normal dhcp. - - - - 53000 - answers a ping after sending a release|Possible release spoof - A host issued a release but is responding to pings. - - - - 53000 - expecting left brace.$| - fixed-address parameter not allowed here.$| - parameters not allowed after first declaration.$| - Configuration file errors encountered - Configuration errors. - - - - 53000 - exiting.$ - dhcpd is exiting. - - - - 53000 - Can't listen on - dhcpd cannot listen to an interface. - - - - 53006 - has no subnet declaration for - dhcpd is not configured to listen to an interface. - - - - 53000 - Listening on - dhcpd has been started. - - - - 53000 - ^Address range - Message with address range. - - - - 53009 - not on net - Defined address range is not on the configured network. - - - - 53000 - ^no free leases - DHCP server has run out of leases. - - - - 53000 - ^already acking lease - Multiple acks. - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/openbsd_rules.xml b/debian/ossec-hids/var/ossec/rules/openbsd_rules.xml deleted file mode 100644 index 6675e9e..0000000 --- a/debian/ossec-hids/var/ossec/rules/openbsd_rules.xml +++ /dev/null @@ -1,299 +0,0 @@ - - - - - - - - - - bsd_kernel - Grouping of bsd_kernel alerts - - - - 51500 - ichiic0: abort failed, status 0x40 - A timeout occurred waiting for a transfer. - - - - 51500 - Check Condition (error 0x70) on opcode 0x0 - Check media in optical drive. - - - - 51500 - BBB bulk-in clear stall failed - A disk has timed out. - - - - 51500 - arp info overwritten for - arp info has been overwritten for a host - - - - 51500 - was not properly unmounted - A filesystem was not properly unmounted, likely system crash - - - - 51500 - UKC> quit - UKC was used, possibly modifying a kernel at boot time. - - - - 51500 - Michael MIC failure - Michael MIC failure: Checksum failure in the tkip protocol. - - - - 51500 - soft error (corrected) - A soft error has been corrected on a hard drive, - this is a possible early sign of failure. - - - - 51500 - acpithinkpad\d: - unknown event - Unknown acpithinkpad event - - - - 51500 - Critical temperature, shutting down - System shutdown due to temperature - - - - 51500 - _AL0[0] _PR0 failed - Unknown ACPI event (bug 6299 in OpenBSD bug tracking system). - - - - 51500 - ehci_freex: xfer=0xffff8000003ef800 not busy, 0x4f4e5155 - USB diagnostic message. - - - - 51500 - ichiic0: abort failed, status 0x0 - Possible APM or ACPI event. - - - - 51500 - Filesystem is not clean - run fsck - Unclean filesystem, run fsck. - - - - 51500 - atascsi_passthru_done, timeout - Timeout in atascsi_passthru_done. - - - - 51500 - RTC BIOS diagnostic error 80\pclock_battery\p - Clock battery error 80 - - - - 51500 - i/o error on block - I/O error on a storage device - - - - 51500 - kbc: cmd word write error - kbc error. - - - - 51500 - BBB reset failed, IOERROR - USB reset failed, IOERROR. - - - - groupdel - Grouping for groupdel rules. - groupdel, - - - - 51521 - group deleted - Group deleted. - groupdel, - - - - savecore - no core dump - No core dumps. - - - - reboot - rebooted by - System was rebooted. - - - - ^ftp-proxy - proxy cannot connect to server - ftp-proxy cannot connect to a server. - - - - bsd_kernel - uncorrectable data error reading fsbn - Hard drive is dying. - - - - bsd_kernel - ^carp - state transition - MASTER -> BACKUP - CARP master to backup. - - - - bsd_kernel - duplicate IP6 address - Duplicate IPv6 address. - - - - bsd_kernel - failed loadfirmware of file - Could not load a firmware. - - - - ^hotplugd - Permission denied$ - hotplugd could not open a file. - - - - open-userdel - user removed: name= - User account deleted. - account_changed, - - - - ntpd - bad peer from - Bad ntp peer. - - - - ^dhclient$ - 1002 - receive_packet failed on - dhclient receive_packet failed. - - - - 51533 - Input/output error$ - dhclient receive_packet failed due to I/O error. - - - - ^dhclient$ - 1002 - SIOCDIFADDR failed - SIOCDIFADDR failed - - - - 51535 - Device not configured$ - dhclient: device not configured. - - - - - - - - doas - doas grouping - - - - 51550 - cannot stat - doas cannot stat a file. - - - - 51551 - : Permission denied$ - doas cannot stat a file due to permissions. - - - - 51550 - path not secure$ - A critical path for doas does not have secure permissions. - - - - 51550 - failed command for - Failed doas command. - - - - 51550 - ran command - A command was run using doas. - - - - 51555 - as root - A doas command was run as root. - - - - 51550 - failed auth for - doas authentication failed. - - - - sendsyslog - ^dropped - sendsyslog dropped log messages. - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/opensmtpd_rules.xml b/debian/ossec-hids/var/ossec/rules/opensmtpd_rules.xml deleted file mode 100644 index 11dadbc..0000000 --- a/debian/ossec-hids/var/ossec/rules/opensmtpd_rules.xml +++ /dev/null @@ -1,68 +0,0 @@ - - - - - - smtpd - OpenSMTPd grouping. - - - - smtpd - 53500 - Failed - Message failed. - - - - smtpd - 53500 - New session - New session created. - - - - smtpd - 53500 - Closing session - Session closed. - - - - smtpd - 53500 - Accepted - Message accepted. - - - - smtpd - 53500 - delivery: Ok - Email delivered. - - - - 53501 - Command not supported$ - SMTP command not supported. - - - - smtpd - 53500 - IO error: No SSL error$ - OpenSMTPd: no SSL - - - - smtpd - 53500 - Server certificate verification failed - Server TLS certificate verification failed. - - - diff --git a/debian/ossec-hids/var/ossec/rules/ossec_rules.xml b/debian/ossec-hids/var/ossec/rules/ossec_rules.xml deleted file mode 100644 index 7de90f5..0000000 --- a/debian/ossec-hids/var/ossec/rules/ossec_rules.xml +++ /dev/null @@ -1,362 +0,0 @@ - - - - - - - ossec - ossec - Grouping of ossec rules. - - - - 500 - - alert_by_email - Agent started - New ossec agent connected. - - - - 500 - alert_by_email - Ossec started - Ossec server started. - - - - 500 - alert_by_email - Agent started - Ossec agent started. - - - - 500 - alert_by_email - Agent disconnected - Ossec agent disconnected. - - - - ossec - rootcheck - Rootcheck event. - rootcheck, - - - - 509 - Host-based anomaly detection event (rootcheck). - rootcheck, - - - - - 510 - ^NTFS Alternate data stream found - Thumbs.db:encryptable'.|:Zone.Identifier'.| - Exchsrvr/Mailroot/vsi - Ignored common NTFS ADS entries. - rootcheck, - - - - 510 - ^Windows Audit - Windows Audit event. - rootcheck, - - - - 510 - ^Windows Malware - Windows malware detected. - rootcheck, - - - - 510 - ^Application Found - Windows application monitor event. - rootcheck, - - - - 510 - ^Starting rootcheck scan|^Ending rootcheck scan.| - ^Starting syscheck scan|^Ending syscheck scan. - Ignoring rootcheck/syscheck scan messages. - rootcheck,syscheck - - - - 510 - ^System Audit - System Audit event. - rootcheck, - - - - 514 - Adware|Spyware - Windows Adware/Spyware application found. - rootcheck, - - - - 516 - ^System Audit: Web vulnerability - System Audit: Vulnerable web application found. - rootcheck, - - - - - 500 - ^ossec: output: - OSSEC process monitoring rules. - process_monitor, - - - - 530 - ossec: output: 'df -P': /dev/ - 100% - Partition usage reached 100% (disk space monitor). - low_diskspace, - - - - 531 - cdrom|/media|usb|/mount|floppy|dvd - Ignoring external medias. - - - - 530 - ossec: output: 'netstat -tan - - Listened ports status (netstat) changed (new port opened or closed). - - - - 530 - ossec: output: 'w' - - no_log - List of logged in users. It will not be alerted by default. - - - - 530 - ossec: output: 'last -n - - no_log - List of the last logged in users. - - - - ossec - syscheck_integrity_changed - Integrity checksum changed. - syscheck, - - - - ossec - syscheck_integrity_changed_2nd - Integrity checksum changed again (2nd time). - syscheck, - - - - ossec - syscheck_integrity_changed_3rd - Integrity checksum changed again (3rd time). - syscheck, - - - - ossec - syscheck_deleted - File deleted. Unable to retrieve checksum. - syscheck, - - - - ossec - syscheck_new_entry - File added to the system. - syscheck, - - - - 500 - ^ossec: agentless: - Integrity checksum for agentless device changed. - syscheck,agentless - - - - - ossec - hostinfo_modified - Host information changed. - hostinfo, - - - - ossec - hostinfo_new - Host information added. - hostinfo, - - - - - - 500 - ^ossec: File rotated - Log file rotated. - - - - 500 - ^ossec: File size reduced - Log file size reduced. - attacks, - - - - 500 - ^ossec: Event log cleared - Microsoft Event log cleared. - logs_cleared, - - - - ossec - 550 - syscheck-registry - syscheck, - Registry Integrity Checksum Changed - - - - ossec - 551 - syscheck-registry - syscheck, - Registry Integrity Checksum Changed Again (2nd time) - - - - ossec - 552 - syscheck-registry - syscheck, - Registry Integrity Checksum Changed Again (3rd time) - - - - ossec - 553 - syscheck-registry - syscheck, - Registry Entry Deleted. Unable to Retrieve Checksum - - - - ossec - 554 - syscheck-registry - syscheck, - Registry Entry Added to the System - - - - - - ar_log - Active Response Messages Grouped - active_response, - - - - 600 - firewall-drop.sh - add - Host Blocked by firewall-drop.sh Active Response - active_response, - - - - 600 - firewall-drop.sh - delete - Host Unblocked by firewall-drop.sh Active Response - active_response, - - - - 600 - host-deny.sh - add - Host Blocked by host-deny.sh Active Response - active_response, - - - - 600 - host-deny.sh - delete - Host Unblocked by host-deny.sh Active Response - active_response, - - - - 600 - route-null.sh - add - Host Blocked by route-null.sh Active Response - active_response, - - - - 600 - route-null.sh - delete - Host Unblocked by route-null.sh Active Response - active_response, - - - - ossec - ossec-logcollector - Logcollector Messages Grouped - - - - 700 - INFO: - Ignore informational messages (usually at startup) - - - diff --git a/debian/ossec-hids/var/ossec/rules/owncloud_rules.xml b/debian/ossec-hids/var/ossec/rules/owncloud_rules.xml deleted file mode 100644 index f3b3691..0000000 --- a/debian/ossec-hids/var/ossec/rules/owncloud_rules.xml +++ /dev/null @@ -1,58 +0,0 @@ - - - owncloud - ownCloud messages grouped. - - - - 53300 - Login failed: - ownCloud authentication failed. - authentication_failed, - - - - 53301 - - ownCloud brute force (multiple failed logins). - authentication_failures, - - - - 53300 - Passed filename is not valid, might be malicious - ownCloud possible malicious request. - web,appsec,attack, - - - - 53300 - ^4$ - ownCloud FATAL message. - - - - 53300 - ^3$ - ownCloud ERROR message. - - - - 53300 - ^2$ - ownCloud WARN message. - - - - 53300 - ^1$ - ownCloud INFO message. - - - - 53300 - ^0$ - ownCloud DEBUG message. - - - \ No newline at end of file diff --git a/debian/ossec-hids/var/ossec/rules/pam_rules.xml b/debian/ossec-hids/var/ossec/rules/pam_rules.xml deleted file mode 100644 index 87444e2..0000000 --- a/debian/ossec-hids/var/ossec/rules/pam_rules.xml +++ /dev/null @@ -1,117 +0,0 @@ - - - - - - pam - Grouping of the pam_unix rules. - - - - 5500 - session opened for user - Login session opened. - authentication_success, - - - - 5500 - session closed for user - Login session closed. - - - - 5500 - authentication failure; logname= - User login failed. - authentication_failed, - - - - 5500 - check pass; user unknown|error retrieving information about user - Attempt to login with an invalid user. - invalid_login - - - - - 5501 - ^CRON$ - ^pam_unix(cron:session): session opened for user - Ignoring Annoying Ubuntu/debian cron login events. - - - - 5502 - ^CRON$ - ^pam_unix(cron:session): session closed for user - Ignoring Annoying Ubuntu/debian cron login events. - - - - 5504 - ^pam_unix\S+: check pass; user unknown$ - Ignoring events with a user or a password. - - - - 5503 - - Multiple failed logins in a small period of time. - authentication_failures, - - - - 5500 - gdm:auth): conversation failed - PAM and gdm are not playing nicely. - - - - login - cannot open shared object file: No such file or directory - PAM misconfiguration. - - - - login - illegal module type: - PAM misconfiguration. - - - - : password changed for - User changed password. - - - - unix_chkpwd - unix_chkpwd grouping. - - - - 5556 - password check failed - Password check failed. - authentication_failure - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/php_rules.xml b/debian/ossec-hids/var/ossec/rules/php_rules.xml deleted file mode 100644 index 8f995e8..0000000 --- a/debian/ossec-hids/var/ossec/rules/php_rules.xml +++ /dev/null @@ -1,111 +0,0 @@ - - - - - - 31301, 30101 - PHP Warning: - PHP Warning message. - - - - 31301, 30101 - PHP Fatal error: - PHP Fatal error. - - - - 31301, 30101 - PHP Parse error: - PHP Parse error. - - - - ^PHP Warning: - PHP Warning message. - - - - ^PHP Fatal error: - PHP Fatal error. - - - - ^PHP Parse error: - PHP Parse error. - - - - - - 31401, 31404 - PHP Warning message. - - - - 31410 - expects parameter 1 to be string, array given in - attack, - PHP web attack. - - - - 31410 - Failed opening|failed to open stream - PHP internal error (missing file). - alert_by_email - - - - 31410 - bytes written, possibly out of free disk space in - PHP internal error (server out of space). - alert_by_email - low_diskspace, - - - - - - 31402, 31405 - PHP Fatal error. - - - - 31420 - Failed opening required |Call to undefined function - PHP internal error (missing file or function). - alert_by_email - - - - - - - 31403, 31406 - PHP Parse error. - alert_by_email - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/pix_rules.xml b/debian/ossec-hids/var/ossec/rules/pix_rules.xml deleted file mode 100644 index ab83089..0000000 --- a/debian/ossec-hids/var/ossec/rules/pix_rules.xml +++ /dev/null @@ -1,237 +0,0 @@ - - - - - - - - - pix - Grouping of PIX rules - - - - 4300 - ^1- - PIX alert message. - - - - 4300 - ^2- - PIX critical message. - - - - 4300 - ^3- - PIX error message. - - - - 4300 - ^4- - PIX warning message. - - - - 4300 - ^5-|^6- - PIX notification/informational message. - - - - 4300 - ^7- - PIX debug message. - - - - 4314 - ^6-605004 - Failed login attempt at the PIX firewall. - authentication_failed, - - - - 4314 - ^5-502103 - Privilege changed in the PIX firewall. - - - - 4314 - ^6-605005 - Successful login to the PIX firewall. - authentication_success, - - - - 4314 - ^6-308001 - Password mismatch while running 'enable' - on the PIX. - authentication_failed, - - - - 4313 - ^4-405001 - ARP collision detected by the PIX. - - - - 4313 - ^4-401004 - Attempt to connect from a blocked (shunned) IP. - access_denied, - - - - 4313 - ^4-710004 - Connection limit exceeded. - - - - 4310 - ^1-106021|^1-106022 - Attack in progress detected by the PIX. - - - - 4311 - ^2-106012|^2-106017|^2-106020 - Attack in progress detected by the PIX. - - - - 4313 - ^4-4000 - Attack in progress detected by the PIX. - - - - - 4330, 4331, 4332 - Attack in progress detected by the PIX. - ids, - - - - 4314 - ^6-113005 - AAA (VPN) authentication failed. - authentication_failed, - - - - 4314 - ^6-113004 - AAA (VPN) authentication successful. - authentication_success, - - - - 4314 - ^6-113006 - AAA (VPN) user locked out. - authentication_failed, - - - - 4312 - ^3-201008 - The PIX is disallowing new connections. - service_availability, - - - - 4310 - ^1-105005|^1-105009|^1-105043 - Failed|Lost Failover - Firewall failover pair communication problem. - service_availability, - - - - 4314 - ^5-111003 - Firewall configuration deleted. - config_changed, - - - - 4314 - ^5-111005|^5-111004|^5-111002|^5-111007 - Firewall configuration changed. - config_changed, - - - - 4314 - ^5-111008|^7-111009 - Firewall command executed (for accounting only). - - - - 4314 - ^5-502101|^5-502102 - User created or modified on the Firewall. - adduser,account_changed, - - - - 4310 - Multiple PIX alert messages. - - - - 4311 - Multiple PIX critical messages. - - - - 4312 - Multiple PIX error messages. - system_error, - - - - 4313 - Multiple PIX warning messages. - - - - 4333 - - Multiple attack in progress messages. - - - - 4334 - Multiple AAA (VPN) authentication failures. - authentication_failures, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/policy_rules.xml b/debian/ossec-hids/var/ossec/rules/policy_rules.xml deleted file mode 100644 index c89818a..0000000 --- a/debian/ossec-hids/var/ossec/rules/policy_rules.xml +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - authentication_success - - Successful login during non-business hours. - login_time, - - - - authentication_success - weekends - Successful login during weekend. - login_day, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/postfix_rules.xml b/debian/ossec-hids/var/ossec/rules/postfix_rules.xml deleted file mode 100644 index 44f9e13..0000000 --- a/debian/ossec-hids/var/ossec/rules/postfix_rules.xml +++ /dev/null @@ -1,162 +0,0 @@ - - -6 - - - - postfix-reject - Grouping of the postfix reject rules. - - - - 3300 - ^554$ - Attempt to use mail server as relay - (client host rejected). - spam, - - - - 3300 - ^550$ - Rejected by access list - (Requested action not taken). - spam, - - - - 3300 - ^450$ - Sender domain is not found - (450: Requested mail action not taken). - spam, - - - - 3300 - ^503$ - Improper use of SMTP command pipelining - (503: Bad sequence of commands). - spam, - - - - 3300 - ^504$ - Recipient address must contain FQDN - (504: Command parameter not implemented). - spam, - - - - 3301, 3302 - blocked using - IP Address deny-listed by anti-spam (blocked). - spam, - - - - postfix - Grouping of the postfix rules. - - - - 3320 - defer service failure|Resource temporarily unavailable| - ^fatal: the Postfix mail system is not running - Postfix process error. - service_availability, - - - - 3320 - authentication failed - Postfix SASL authentication failure. - authentication_failed, - - - - 3300 - ^452 - Postfix insufficient disk space error. - service_availability, - - - - 3320 - ^daemon started - Postfix started. - - - - 3320 - ^terminating on signal - Postfix stopped. - service_availability, - - - - 3301 - - Multiple relaying attempts of spam. - multiple_spam, - - - - 3302 - - Multiple attempts to send e-mail from a - rejected sender IP (access). - multiple_spam, - - - - 3303 - - Multiple attempts to send e-mail from - invalid/unknown sender domain. - multiple_spam, - - - - 3304 - - Multiple misuse of SMTP service - (bad sequence of commands). - multiple_spam, - - - - 3305 - - Multiple attempts to send e-mail to - invalid recipient or from unknown sender domain. - multiple_spam, - - - - 3306 - - Multiple attempts to send e-mail from - deny-listed IP address (blocked). - multiple_spam, - - - - 3332 - - Multiple SASL authentication failures. - authentication_failures, - - - - ^clamsmtpd: - Grouping of the clamsmtpd rules. - - diff --git a/debian/ossec-hids/var/ossec/rules/postgresql_rules.xml b/debian/ossec-hids/var/ossec/rules/postgresql_rules.xml deleted file mode 100644 index 071f265..0000000 --- a/debian/ossec-hids/var/ossec/rules/postgresql_rules.xml +++ /dev/null @@ -1,102 +0,0 @@ - - - - - - - postgresql_log - PostgreSQL messages grouped. - - - - 50500 - ^LOG - PostgreSQL log message. - - - - 50500 - ^NOTICE|INFO - PostgreSQL informational message. - - - - 50500 - ^ERROR - PostgreSQL error message. - - - - 50500 - ^FATAL - PostgreSQL error message. - - - - 50500 - ^DEBUG - PostgreSQL debug message. - - - - 50501 - duration: | statement: - Database query. - - - - 50501 - connection authorized - Database authentication success. - authentication_success, - - - - 50504 - authentication failed - Database authentication failure. - authentication_failed, - - - - 50504 - terminating connection due - Database shutdown message. - service_availability, - - - - 50501 - aborting any active transactions|shutting down - Database shutdown message. - service_availability, - - - - 50504 - Multiple database errors. - service_availability, - - - - 50503 - Multiple database errors. - service_availability, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/proftpd_rules.xml b/debian/ossec-hids/var/ossec/rules/proftpd_rules.xml deleted file mode 100644 index 37189da..0000000 --- a/debian/ossec-hids/var/ossec/rules/proftpd_rules.xml +++ /dev/null @@ -1,195 +0,0 @@ - - - - - - - proftpd - Grouping for the proftpd rules. - - - - 11200 - FTP session opened.$ - FTP session opened. - connection_attempt, - - - - 11200 - FTP session closed.$ - FTP session closed. - - - - 11200 - no such user - Attempt to login using a non-existent user. - invalid_login, - - - - 11200 - Incorrect password.$|Login failed - Login failed accessing the FTP server - authentication_failed, - - - - 11200 - Login successful - FTP Authentication success. - authentication_success, - - - - 11200 - Connection from \S+ [\S+] denied - Connection denied by ProFTPD configuration. - access_denied, - - - - 11200 - refused connect from - Connection refused by TCP Wrappers. - access_denied, - - - - 11200 - unable to find open port in PassivePorts range - Small PassivePorts range in config file. - Server misconfiguration. - - - - 11200 - Refused PORT - Attempt to bypass firewall that can't adequately - keep state of FTP traffic. - http://www.kb.cert.org/vuls/id/328867 - US-Cert Note VU#328867: Multiple vendors' firewalls do not adequately keep state of FTP traffic - - - - 11200 - Maximum login attempts - Multiple failed login attempts. - authentication_failures, - - - - 11200 - host name/name mismatch|host name/address mismatch - Mismatch in server's hostname. - - - - 11200 - warning: can't verify hostname: - Reverse lookup error (bad ISP config). - - - - 11200 - connect from - Remote host connected to FTP server. - connection_attempt, - - - - 11200 - FTP no transfer timeout, disconnected - Remote host disconnected due to inactivity. - - - - 11200 - FTP login timed out, disconnected - Remote host disconnected due to login time out. - - - - 11200 - FTP session idle timeout, disconnected - Remote host disconnected due to time out. - - - - 11200 - Data transfer stall timeout: - Data transfer stalled. - - - - 11200 - ProFTPD terminating (signal 11) - FTP process crashed. - service_availability, - - - - 11200 - Reallocating sreaddir buffer - FTP server Buffer overflow attempt. - - - - 11200 - listen() failed in - Unable to bind to adress. - - - - 11200 - error setting IPV6_V6ONLY: Protocol not available| - - mod_delay/|PAM(setcred): System error| - PAM(close_session): System error|cap_set_proc failed|reverting to normal operation|error retrieving information about user - IPv6 error and mod-delay info (ignored). - - - - 11200 - unable to open incoming connection - Couldn't open the incoming connection. - Check log message for reason. - - - - 11204 - - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11201 - - Multiple connection attempts from same source. - recon, - - - - 11215 - - Multiple timed out logins from same source. - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/proxmox-ve_rules.xml b/debian/ossec-hids/var/ossec/rules/proxmox-ve_rules.xml deleted file mode 100644 index 12fdd2f..0000000 --- a/debian/ossec-hids/var/ossec/rules/proxmox-ve_rules.xml +++ /dev/null @@ -1,28 +0,0 @@ - - - pvedaemon - pvedaemon messages grouped. - - - - 53400 - authentication failure; - Proxmox VE authentication failed. - authentication_failed, - - - - 53401 - - Proxmox VE brute force (multiple failed logins). - authentication_failures, - - - - 53400 - successful auth for user - Proxmox VE authentication succeeded. - authentication_success, - - - \ No newline at end of file diff --git a/debian/ossec-hids/var/ossec/rules/psad_rules.xml b/debian/ossec-hids/var/ossec/rules/psad_rules.xml deleted file mode 100644 index c48c1b4..0000000 --- a/debian/ossec-hids/var/ossec/rules/psad_rules.xml +++ /dev/null @@ -1,51 +0,0 @@ - - - psad - psad - PSAD group - - - - 53700 - scan detected - PSAD group scan detected - - - 53700 - added iptables - PSAD group added iptables - - - - 53701 - DL: 4|DL: 5 - PSAD portscan - - - 53702 - auto-block against - PSAD auto-block - - - - 53701 - DL: 3 - PSAD level 3 warning - - - 53713 - - many PSAD level 3 warnings from same source - - - 53713 - - many PSAD level 3 warnings from same source (slow scan) - - - - 53700 - signature match: - PSAD signature match - - diff --git a/debian/ossec-hids/var/ossec/rules/pure-ftpd_rules.xml b/debian/ossec-hids/var/ossec/rules/pure-ftpd_rules.xml deleted file mode 100644 index 8d9e1ff..0000000 --- a/debian/ossec-hids/var/ossec/rules/pure-ftpd_rules.xml +++ /dev/null @@ -1,90 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] New connection from - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Authentication failed for user - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout| [INFO] Timeout - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Can't change directory to - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - 11300 - [INFO] \S+ is now logged in| is now logged in - FTP Authentication success. - authentication_success, - - - - pure-transfer - Rule grouping for pure ftpd transfers. - - - - 11310 - PUT - File added to ftpd. - - - - 11310 - GET - File retrieved from ftpd. - - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/racoon_rules.xml b/debian/ossec-hids/var/ossec/rules/racoon_rules.xml deleted file mode 100644 index 49f9d80..0000000 --- a/debian/ossec-hids/var/ossec/rules/racoon_rules.xml +++ /dev/null @@ -1,71 +0,0 @@ - - - - - - - - racoon - Grouping of racoon rules. - - - - racoon-failed - VPN authentication failed. - authentication_failed, - - - - 14100 - INFO - Racoon informational message. - - - - 14100 - ERROR - Racoon error message. - - - - 14100 - WARNING - Racoon warning message. - - - - 14110 - ISAKMP-SA established - authentication_success - VPN established. - - - - 14111 - such policy does not already exist - Roadwarrior configuration (ignored error). - - - - 14112 - ignore INITIAL-CONTACT notification - Roadwarrior configuration (ignored warning). - - - - 14111 - ERROR: invalid attribute|ERROR: rejected - Invalid configuration settings (ignored error). - - - - 14101 - - Multiple failed VPN logins. - - diff --git a/debian/ossec-hids/var/ossec/rules/roundcube_rules.xml b/debian/ossec-hids/var/ossec/rules/roundcube_rules.xml deleted file mode 100644 index bfa56f5..0000000 --- a/debian/ossec-hids/var/ossec/rules/roundcube_rules.xml +++ /dev/null @@ -1,44 +0,0 @@ - - - - - roundcube - Roundcube messages grouped. - - - - 9400 - failed (LOGIN)| Login failed | Authentication failed| Failed login - Roundcube authentication failed. - authentication_failed, - - - - 9400 - Successful login - Roundcube authentication succeeded. - authentication_success, - - - - 9401 - - Roundcube brute force (multiple failed logins). - authentication_failures, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/rules_config.xml b/debian/ossec-hids/var/ossec/rules/rules_config.xml deleted file mode 100644 index 0ff9961..0000000 --- a/debian/ossec-hids/var/ossec/rules/rules_config.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - - syslog - Generic template for all syslog rules. - - - - - - firewall - Generic template for all firewall rules. - - - - - - ids - Generic template for all ids rules. - - - - - - web-log - Generic template for all web rules. - - - - - - squid - Generic template for all web proxy rules. - - - - - - windows - Generic template for all windows rules. - - - - - - ossec - Generic template for all ossec rules. - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/sendmail_rules.xml b/debian/ossec-hids/var/ossec/rules/sendmail_rules.xml deleted file mode 100644 index 91b4f4f..0000000 --- a/debian/ossec-hids/var/ossec/rules/sendmail_rules.xml +++ /dev/null @@ -1,150 +0,0 @@ - - - - - - sendmail-reject - Grouping of the sendmail rules. - - - - 3100 - reject= - Grouping of the sendmail reject rules. - - - - 3101 - reject=451 4.1.8 - Sender domain does not have any valid - MX record (Requested action aborted). - spam, - - - - 3101 - reject=550 5.0.0 |reject=553 5.3.0 - Rejected by access list - (55x: Requested action not taken). - spam, - - - - 3101 - reject=550 5.7.1 - Attempt to use mail server as relay - (550: Requested action not taken). - spam, - - - - 3101 - reject=553 5.1.8 - Sender domain is not found - (553: Requested action not taken). - spam, - - - - 3101 - reject=553 5.5.4 - Sender address does not have domain - (553: Requested action not taken). - spam, - - - - 3101 - Sendmail rejected message. - - - - 3100 - rejecting commands from - Sendmail rejected due to pre-greeting. - spam, - - - - 3100 - savemail panic - Sendmail save mail panic. - system_error, - - - - 3102 - - Sender domain has bogus MX record. - It should not be sending e-mail. - multiple_spam, - - - - 3103 - - Multiple attempts to send e-mail from a - previously rejected sender (access). - multiple_spam, - - - - 3104 - - Multiple relaying attempts of spam. - multiple_spam, - - - - 3105 - - Multiple attempts to send e-mail - from invalid/unknown sender domain. - multiple_spam, - - - - 3106 - - Multiple attempts to send e-mail from - invalid/unknown sender. - multiple_spam, - - - - 3107 - - Multiple rejected e-mails from same source ip. - multiple_spam, - - - - 3108 - - Multiple pre-greetings rejects. - multiple_spam, - - - - - - smf-sav-reject - Grouping of the smf-sav sendmail milter rules. - smf-sav, - - - - 3190 - ^sender check failed|^sender check tempfailed - SMF-SAV sendmail milter unable to verify - address (REJECTED). - smf-sav,spam, - - - diff --git a/debian/ossec-hids/var/ossec/rules/smbd_rules.xml b/debian/ossec-hids/var/ossec/rules/smbd_rules.xml deleted file mode 100644 index 87ddf3d..0000000 --- a/debian/ossec-hids/var/ossec/rules/smbd_rules.xml +++ /dev/null @@ -1,98 +0,0 @@ - - - - - - - smbd - Grouping for the smbd rules. - - - - 13100 - getpeername failed. Error was Transport endpoint - Samba network problems. - - - - 13100 - Denied connection from|Connection denied from - Samba connection denied. - access_denied, - - - - 13100 - Connection reset by peer - Samba network problems. - - - - 13100 - Permission denied-- - User action denied by configuration. - access_denied, - - - - 13100 - Unable to connect to CUPS server - Samba network problems (unable to connect). - - - - nmbd - - - - 13100 - smbd is already running - An attempt has been made to start smbd but the process is already running. - - - - 13106 - nmbd is already running - An attempt has been made to start nmbd but the process is already running. - - - - 13100 - Connection denied from - Connection was denied. - - - - 13100 - Socket is not connected - Socket is not connected, write failed. - - - - iptables - gvfsd-smb - segfault at \S+ ip \S+ sp \S+ error \d+ in - Segfault in gvfs-smb. - - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/solaris_bsm_rules.xml b/debian/ossec-hids/var/ossec/rules/solaris_bsm_rules.xml deleted file mode 100644 index 2df7842..0000000 --- a/debian/ossec-hids/var/ossec/rules/solaris_bsm_rules.xml +++ /dev/null @@ -1,65 +0,0 @@ - - - - - - - solaris_bsm - Solaris BSM Auditing messages grouped. - - - - 6100 - ^failed - Auditing session failed. - - - - 6100 - ^ok - Auditing session succeeded. - - - - 6102 - ^login - Login session succeeded. - authentication_success, - - - - 6101 - ^login - Login session failed. - authentication_failed, - - - - 6102 - ^su - User successfully changed UID. - authentication_success, - - - - 6103 - ^su - User failed to change UID (user id). - authentication_failed, - - - - diff --git a/debian/ossec-hids/var/ossec/rules/sonicwall_rules.xml b/debian/ossec-hids/var/ossec/rules/sonicwall_rules.xml deleted file mode 100644 index b6a5951..0000000 --- a/debian/ossec-hids/var/ossec/rules/sonicwall_rules.xml +++ /dev/null @@ -1,93 +0,0 @@ - - - - - - - sonicwall - SonicWall messages grouped. - - - - 4800 - ^1 - SonicWall critical message. - - - - 4800 - ^2 - SonicWall critical message. - - - - 4800 - ^3 - SonicWall error message. - - - - 4800 - ^4 - SonicWall warning message. - - - - 4800 - ^5 - SonicWall notice message. - - - - 4800 - ^6 - SonicWall informational message. - - - - 4800 - ^7 - SonicWall debug message. - - - - 4806 - ^236$ - Firewall administrator login. - authentication_success, - - - - 4801 - ^30$|^32$ - Firewall authentication failure. - authentication_failed, - - - - 4804 - Multiple firewall warning messages. - service_availability, - - - - 4803 - Multiple firewall error messages. - service_availability, - - - - diff --git a/debian/ossec-hids/var/ossec/rules/spamd_rules.xml b/debian/ossec-hids/var/ossec/rules/spamd_rules.xml deleted file mode 100644 index 369a01d..0000000 --- a/debian/ossec-hids/var/ossec/rules/spamd_rules.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - ^spamd - Grouping for the spamd rules - - - - 3500 - : result: - SPAMD result message (not very usefull here). - - - - 3500 - checking message | processing message - Spamd debug event (reading message). - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/squid_rules.xml b/debian/ossec-hids/var/ossec/rules/squid_rules.xml deleted file mode 100644 index d74ef2e..0000000 --- a/debian/ossec-hids/var/ossec/rules/squid_rules.xml +++ /dev/null @@ -1,212 +0,0 @@ - - - - - - - -8 - - - - - squid - Squid messages grouped. - - - - - - 35000 - ^4|^5|^6 - Squid generic error codes. - - - - 35002 - ^400 - Bad request/Invalid syntax. - - - - 35002 - ^401 - Unauthorized: Failed attempt to access - authorization-required file or directory. - - - - 35002 - ^403 - Forbidden: Attempt to access forbidden file - or directory. - - - - 35002 - ^404 - Not Found: Attempt to access non-existent - file or directory. - - - - 35002 - ^407 - Proxy Authentication Required: User is not - authorized to use proxy. - - - - 35002 - ^4 - Squid 400 error code (request failed). - - - - 35002 - ^5|^6 - Squid 500/600 error code (server error). - - - - 35009 - ^503 - Squid 503 error code (server unavailable). - - - - - 35006 - blst.php|xxx3.php|ngr7.php|ngr2.php|/nul.php$|/mul.php$|/444.php - Attempt to access a Beagle worm (or variant) - file. - http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html - W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer. - automatic_attack, - - - - - 35006 - /jk/exp.wmf$|/PopupSh.ocx$ - Attempt to access a worm/trojan related site. - automatic_attack, - - - - - 35004, 35005, 35006, 35009 - .jpg|.gif|favicon.ico$|.png$|.swf|.txt$|.zip|.css|.xml|.js|.bmp$| - windowsupdate/redir/wuredir.cab| - ^http://codecs.microsoft.com/isapi/ocget.dll| - ^http://activex.microsoft.com/objects/ocget.dll| - ^http://webmessenger.msn.com/session/null| - ^http://sqm.msn.com/sqm/wmp/sqmserver.dll| - ^http://config.messenger.msn.com/Config/MsgrConfig.asmx| - kaspersky-labs.com/| - ^http://liveupdate.symantecliveupdate.com/| - _vti_bin/owssvr.dll|MSOffice/cltreq.asp| - google.com/mt?| - google.com/kh?| - ^http://kh.google.com/flatfile - - - - Ignored files on a 40x error. - - - - - 35005 - - - Multiple attempts to access forbidden file - or directory from same source ip. - - - - 35007 - - Multiple unauthorized attempts to use proxy. - - - - 35003 - - - Multiple Bad requests/Invalid syntax. - - - - 35021 - - Infected machine with W32.Beagle.DP. - http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html - W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer. - - - - 35006 - - - Multiple attempts to access a non-existent file. - - - - 35022 - - Multiple attempts to access a worm/trojan/virus - related web site. System probably infected. - - - - 35008 - - - Multiple 400 error codes (requests failed). - - - - 35009 - - - Multiple 500/600 error codes (server error). - - - - 35055 - - Ignoring multiple attempts from same source ip - (alert only once). - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/sshd_rules.xml b/debian/ossec-hids/var/ossec/rules/sshd_rules.xml deleted file mode 100644 index 06d7dc9..0000000 --- a/debian/ossec-hids/var/ossec/rules/sshd_rules.xml +++ /dev/null @@ -1,405 +0,0 @@ - - - - - - - sshd - SSHD messages grouped. - - - - 5700 - Bad protocol version identification - Possible attack on the ssh server - (or version gathering). - - - - 5700 - ^reverse mapping - failed - POSSIBLE BREAK - Reverse lookup error (bad ISP or attack). - - - - 5702 - Possible breakin attempt - (high number of reverse lookup errors). - - - - 5700 - fatal: Timeout before authentication for - Timeout while logging in (sshd). - - - - 5704 - Possible scan or breakin attempt - (high number of login timeouts). - - - - 5700 - Did not receive identification string from - SSH insecure connection attempt (scan). - recon, - - - - 5700 - fatal: buffer_get_string: bad string - OpenSSH challenge-response exploit. - exploit_attempt, - - - - 5700 - error: Could not get shadow information for NOUSER| - fatal: Read from socket failed: |error: ssh_msg_send: write| - ^syslogin_perform_logout: |^pam_succeed_if(sshd:auth): error retrieving information about user|can't verify hostname: getaddrinfo - Useless SSHD message without an user/ip and context. - - - - 5700 - illegal user|invalid user - Attempt to login using a non-existent user - invalid_login,authentication_failed, - - - - 5700 - authentication failure; logname= uid=0 euid=0 tty=ssh| - input_userauth_request: invalid user| - PAM: User not known to the underlying authentication module for illegal user| - error retrieving information about user - Useless/Duplicated SSHD message without a user/ip. - - - - 5710 - SSHD brute force trying to get access to - the system. - - authentication_failures, - - - - 5700 - Corrupted check bytes on - Corrupted bytes on SSHD. - - - - 5713 - Local: crc32 compensation attack - SSH CRC-32 Compensation attack - 2001-0144 - http://www.securityfocus.com/bid/2347/info/ - exploit_attempt, - - - - 5700 - ^Accepted|authenticated.$ - SSHD authentication success. - authentication_success, - - - - 5700 - ^Failed|^error: PAM: Authentication - SSHD authentication failed. - authentication_failed, - - - - 5700 - error: Bad prime description in line - SSHD configuration error (moduli). - - - - 5700 - not allowed because - Attempt to login using a denied user. - invalid_login, - - - - 5718 - Multiple access attempts using a denied user. - invalid_login, - - - - 5716 - - Multiple SSHD authentication failures. - authentication_failures, - - - - 5700 - Received disconnect from - System disconnected from sshd. - - - - 5700 - Connection closed - ssh connection closed. - - - - 5700 - error: buffer_get_bignum2_ret: negative numbers not supported - This maybe a bad key in authorized_keys. - SSHD key error. - - - - 5700 - fatal: buffer_get_bignum2: buffer error - This error may relate to ssh key handling. - SSHD key error. - - - - 5700 - fatal: Write failed: Host is down - Host ungracefully disconnected. - - - - 5700 - error: PAM: Module is unknown for - Unknown PAM module, PAM misconfiguration. - - - - 5700 - failed: Address already in use. - Attempt to start sshd when something already bound to the port. - - - - 5700 - Authentication service cannot retrieve user credentials - May be related to PAM module errors. - Authentication services were not able to retrieve user credentials. - authentication_failed - - - - 5700 - debug1: attempt - Debug message. - - - - 5700 - error: connect to \S+ port \d+ failed: Connection refused - SSHD is not accepting connections. - - - - 5700 - AKASSH_Version_Mapper1. - SSH Scanning. - recon, - - - - 5700 - error: connect_to - Possible port forwarding failure. - - - - 5700 - Invalid credentials - User entered incorrect password. - authentication_failures, - - - - 5700 - Could not load host key - sshd could not load one or more host keys. - This may be related to an upgrade to OpenSSH. - - - - 5700 - Write failed: Broken pipe - Failed write due to one host disappearing. - - - - 5700 - ^error: setsockopt SO_KEEPALIVE: Connection reset by peer$| - ^error: accept: Software caused connection abort$ - Connection reset or aborted. - - - - 5700 - ^fatal: Cannot bind any address.$ - sshd cannot bind to configured address. - - - - 5700 - set_loginuid failed opening loginuid$ - pam_loginuid could not open loginuid. - authentication_failed, - - - - 5700 - ^error: Could not stat AuthorizedKeysCommand - SSHD configuration error (AuthorizedKeysCommand) - - - - 5700 - Connection reset by peer$ - ssh connection reset by peer - - - - 5700 - Connection refused$ - ssh connection refused - - - - 5700 - Connection timed out$ - ssh connection timed out - - - - 5700 - No route to host$ - ssh no route to host - - - - 5700 - failure direct-tcpip$ - ssh port forwarding issue - - - - 5700 - Transport endpoint is not connected$ - ssh transport endpoint is not connected - - - - 5700 - get_remote_port failed$ - ssh get_remote_port failed - - - - - 5700 - bad client public DH value - ssh bad client public DH value - - - - - 5700 - Corrupted MAC on input. - ssh corrupted MAC on input - - - - 5700 - ^Bad packet length - ssh bad packet length - - - - sshd - 5700 - Unable to negotiate with |Unable to negotiate a key - sshd could not negotiate with client. - - - - sshd - 5700 - no hostkey alg [preauth] - No hostkey alg. - - - - 5750 - no matching key exchange method found.|Unable to negotiate a key exchange method - Client did not offer an acceptable key exchange method. - - - - 5750 - no matching cipher found. - sshd could not negotiate with client, no matching cipher. - - - - 5700 - Failed to create session: - sshd failed to create a session. - - - - 5700 - bad ownership or modes for file - Authentication refused due to owner/permissions of authorized_keys. - authentication_failed, - - - - 5700 - failed, subsystem not found$ - sshd subsystem request failed. - - - - sshd - but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$ - Bad DNS mapping. - - - - sshd - ^error: maximum authentication attempts exceeded - Maximum authentication attempts exceeded. - authentication_failed, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/symantec-av_rules.xml b/debian/ossec-hids/var/ossec/rules/symantec-av_rules.xml deleted file mode 100644 index 27318e9..0000000 --- a/debian/ossec-hids/var/ossec/rules/symantec-av_rules.xml +++ /dev/null @@ -1,51 +0,0 @@ - - - - - - - - - symantec-av - Grouping of Symantec AV rules. - - - - windows - ^Symantec AntiVirus - Grouping of Symantec AV rules from eventlog. - - - - 7300, 7301 - ^5$|^17$ - virus - Virus detected. - - - - 7300, 7301 - ^2$|^3$|^4$|^13$ - Virus scan updated,started or stopped. - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/symantec-ws_rules.xml b/debian/ossec-hids/var/ossec/rules/symantec-ws_rules.xml deleted file mode 100644 index 8c71c96..0000000 --- a/debian/ossec-hids/var/ossec/rules/symantec-ws_rules.xml +++ /dev/null @@ -1,64 +0,0 @@ - - - - - - - - - - symantec-websecurity - Grouping of Symantec Web Security rules. - - - - 7400 - ^3=2,2=1 - Login failed accessing the web proxy. - authentication_failed, - - - - 7400 - ^3=1,2=1 - Login success accessing the web proxy. - authentication_success, - - - - 7415 - virtadmin - Admin Login success to the web proxy. - authentication_success, - - - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/syslog_rules.xml b/debian/ossec-hids/var/ossec/rules/syslog_rules.xml deleted file mode 100644 index 24b0b5f..0000000 --- a/debian/ossec-hids/var/ossec/rules/syslog_rules.xml +++ /dev/null @@ -1,725 +0,0 @@ - - - - - - -core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted - - - - - - ^Couldn't open /etc/securetty - File missing. Root access unrestricted. - - - - $BAD_WORDS - alert_by_email - Unknown problem somewhere in the system. - - - - Non standard syslog message (size too large). - - - - ^exiting on signal - Syslogd exiting (logging stopped). - - - - syslogd - ^restart - Syslogd restarted. - - - - ^syslogd \S+ restart - Syslogd restarted. - - - - file system full|No space left on device - File system full. - low_diskspace, - - - - killed by SIGTERM - Process exiting (killed). - service_availability, - - - - 1002 - terminated without error|can't verify hostname: getaddrinfo| - PPM exceeds tolerance - Ignoring known false positives on rule 1002.. - - - - segfault at - Process segfaulted. - service_availability, - - - - - - - - - - ^automount|^mount - NFS rules grouped. - - - - 2100 - nfs: mount failure - Unable to mount the NFS share. - - - - 2100 - reason given by server: Permission denied - Unable to mount the NFS directory. - - - - ^rpc.mountd: refused mount request from - Unable to mount the NFS directory. - - - - 2100 - lookup for \S+ failed - Automount informative message - - - - - - - - - ^Deactivating service - Excessive number connections to a service. - - - - - - - - - FAILED LOGIN |authentication failure| - Authentication failed for|invalid password for| - LOGIN FAILURE|auth failure: |authentication error| - authinternal failed|Failed to authorize| - Wrong password given for|login failed|Auth: Login incorrect| - Failed to authenticate user - authentication_failed, - User authentication failure. - - - - more authentication failures;|REPEATED login failures - User missed the password more than one time - authentication_failed, - - - - ^refused connect from| - ^libwrap refused connection| - Connection from \S+ denied - Connection blocked by Tcp Wrappers. - access_denied, - - - - ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED - Illegal root login. - invalid_login, - - - - ^ROOT LOGIN on - Physical root login. - - - - ^Authentication passed - Pop3 Authentication passed. - - - - openldap - OpenLDAP group. - - - - 2507 - ACCEPT from - OpenLDAP connection open. - - - - 2507 - 2508 - - RESULT tag=97 err=49 - OpenLDAP authentication failed. - - - - - - - - - - rshd - rshd messages grouped. - - - - 2550 - ^Connection from \S+ on illegal port$ - Connection to rshd from unprivileged port. Possible network scan. - connection_attempt, - - - - - - - - - ^procmail - Ignoring procmail messages. - - - - - - - - - ^smart - Pre-match rule for smartd. - - - - 2800 - No configuration file /etc/smartd.conf found - Smartd Started but not configured - - - - 2800 - Unable to register ATA device - Smartd configuration problem - - - - 2800 - No such device or address - Device configured but not available to Smartd - - - - - - - - - ^kernel - Pre-match rule for kernel messages - - - - 5100 - PCI: if you experience problems, try using option - Informative message from the kernel. - - - - 5100 - modprobe: Can't locate module sound - Informative message from the kernel - - - - 5100 - Oversized packet received from - Error message from the kernel. - Ping of death attack. - - - - 5100 - Promiscuous mode enabled| - device \S+ entered promiscuous mode - Interface entered in promiscuous(sniffing) mode. - promisc, - - - - 5100 - end_request: I/O error, dev fd0, sector 0| - Buffer I/O error on device fd0, logical block 0 - Invalid request to /dev/fd0 (bug on the kernel). - - - - 5100 - svc: unknown program 100227 (me 100003) - NFS incompatibility between Linux and Solaris. - - - - 5100 - svc: bad direction - NFS incompatibility between Linux and Solaris. - - - - 5100 - Out of Memory: - System running out of memory. - Availability of the system is in risk. - service_availability, - - - - 5100 - I/O error: dev |end_request: I/O error, dev - Kernel Input/Output error - - - - 5100 - Forged DCC command from - IRC misconfiguration - - - - 5100 - ipw2200: Firmware error detected.| ACPI Error - Kernel device error. - - - - 5100 - usbhid: probe of - Kernel usbhid probe error (ignored). - - - - 5100 - Kernel log daemon terminating - system_shutdown, - System is shutting down. - - - - 5100 - ADSL line is down - Monitor ADSL line is down. - - - - 5100 - ADSL line is up - Monitor ADSL line is up. - - - - ^hpiod: unable to ParDevice - Ignoring hpiod for producing useless logs. - - - - - - - - - crond|crontab - Crontab rule group. - - - - 2830 - ^unable to exec - Wrong crond configuration - - - - 2830 - BEGIN EDIT - Crontab opened for editing. - - - - 2830 - REPLACE - Crontab entry changed. - - - - 2832 - ^(root) - Root's crontab entry changed. - - - - - - - - - - su - Initial grouping for su messages. - - - - 5300 - authentication failure; |failed|BAD su|^- - User missed the password to change UID (user id). - authentication_failed, - - - - 5301 - ^root - User missed the password to change UID to root. - authentication_failed, - - - - 5300 - session opened for user root|^'su root'| - ^+ \S+ \S+\proot$|^\S+ to root on|^SU \S+ \S+ + \S+ \S+-root$ - User successfully changed UID to root. - authentication_success, - - - - 5300 - session opened for user|succeeded for| - ^+|^\S+ to |^SU \S+ \S+ + - User successfully changed UID. - authentication_success, - - - - 5303, 5304 - - alert_by_email - First time (su) is executed by user. - - - - 5300 - unknown class - OpenBSD uses login classes, and an inappropriate login class was used. - A user has attempted to su to an unknown class. - - - - - - - - - - Integrity Check failed: File could not - Problems with the tripwire checking - - - - - - - - - ^new group - New group added to the system - - - - ^new user|^new account added - New user added to the system - - - - ^delete user|^account deleted|^remove group - Group (or user) deleted from the system - - - - ^changed user - Information from the user was changed - - - - useradd - failed adding user - useradd failed. - - - - - - - - - - sudo - Initial group for sudo messages - - - - 5400 - incorrect password attempt - Failed attempt to run sudo - - - - 5400 - ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND= - Successful sudo to ROOT executed - - - - 5400 - alert_by_email - - First time user executed sudo. - - - - 5401 - 3 incorrect password attempts - Three failed attempts to run sudo - - - - 5400 - user NOT in sudoers - Unauthorized user attempted to use sudo. - - - - - - - - - ^pptpd - PPTPD messages grouped - - - - 9100 - ^GRE: \S+ from \S+ failed: status = -1 - PPTPD failed message (communication error) - http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml - - - - 9100 - ^tcflush failed: Bad file descriptor - PPTPD communication error - - - - - - - - - authentication_success - alert_by_email - - authentication_success - First time user logged in. - - - - - - - ^squid - Squid syslog messages grouped - - - - 9200 - ^ctx: enter level|^sslRead|^urlParse: Illegal | - ^httpReadReply: Request not yet |^httpReadReply: Excess data - Squid debug message - - - - - - - windows-date-format - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile | - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade - Dpkg (Debian Package) log. - - - - 2900 - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install - New dpkg (Debian Package) requested to install. - - - - 2900 - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status installed - New dpkg (Debian Package) installed. - config_changed, - - - - 2900 - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove| - ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge - Dpkg (Debian Package) removed. - config_changed, - - - - - - - ^yum - Yum logs. - - - - yum.log$ - ^Installed|^Updated|^Erased - Yum logs. - - - - 2930,2931 - ^Installed - config_changed, - New Yum package installed. - - - - 2930,2931 - ^Updated - config_changed, - Yum package updated. - - - - 2930,2931 - ^Erased - config_changed, - Yum package deleted. - - - - - 5100 - mptscsih - Grouping for the mptscrih rules. - - - - 5100 - mptbase - Grouping for the mptbase rules. - - - - 2935 - FAILED - Possible Disk failure. SCSI controller error. - - - - 2936 - failed - SCSI RAID ARRAY ERROR, drive failed. - - - - 2936 - degraded - SCSI RAID is now in a degraded status. - - - - ^NetworkManager - NetworkManager grouping. - - - - 2940 - No chain/target/match by that name.$ - Incorrect chain/target/match. - - - - 1002 - g_slice_set_config: assertion `sys_page_size == 0' failed - Uninteresting gnome error. - - - - ^nouveau - nouveau driver grouping - - - - 2943 - DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$ - Uninteresting nouveau error. - - - - ^rsyslogd - ^imuxsock begins to drop messages - https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106 - rsyslog may be dropping messages due to rate-limiting. - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/sysmon_rules.xml b/debian/ossec-hids/var/ossec/rules/sysmon_rules.xml deleted file mode 100644 index 3271498..0000000 --- a/debian/ossec-hids/var/ossec/rules/sysmon_rules.xml +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - - 18100 - svchost.exe - Sysmon - Suspicious Process - svchost.exe - - - - 18501 - \services.exe - Sysmon - Legitimate Parent Image - svchost.exe - - - - - 18100 - lsm.exe - Sysmon - Suspicious Process - lsm.exe - - - - 18511 - wininit.exe - Sysmon - Legitimate Parent Image - lsm.exe - - - - 18100 - lsm.exe - Sysmon - Suspicious Process - lsm.exe is a Parent Image - - - - - 18100 - csrss.exe - Sysmon - Suspicious Process - csrss.exe - - - - 18521 - smss.exe - Sysmon - Legitimate Parent Image - csrss.exe - - - - - 18100 - lsass.exe - Sysmon - Suspicious Process - lsass - - - - 18531 - wininit.exe - Sysmon - Legitimate Parent Image - lsass.exe - - - - 18100 - lsass.exe - Sysmon - Suspicious Process - lsass.exe is a Parent Image - - - - - 18100 - winlogon.exe - Sysmon - Suspicious Process - winlogon.exe - - - - 18541 - smss.exe - Sysmon - Legitimate Parent Image - winlogon.exe - - - - - 18100 - wininit.exe - Sysmon - Suspicious Process - wininit - - - - 18551 - smss.exe - Sysmon - Legitimate Parent Image - wininit.exe - - - - - 18100 - smss.exe - Sysmon - Suspicious Process - smss.exe - - - - 18561 - system - Sysmon - Legitimate Parent Image - smss.exe - - - - - 18100 - taskhost.exe - Sysmon - Suspicious Process - taskhost.exe - - - - 18571 - services.exe|svchost.exe - Sysmon - Legitimate Parent Image - taskhost.exe - - - - - 18100 - /services.exe - Sysmon - Suspicious Process - services.exe - - - - 18581 - wininit.exe - Sysmon - Legitimate Parent Image - services.exe - - - - - 18100 - dllhost.exe - Sysmon - Suspicious Process - dllhost.exe - - - - 18591 - svchost.exe|services.exe - Sysmon - Legitimate Parent Image - dllhost.exe - - - - - 18100 - \explorer.exe - Sysmon - Suspicious Process - explorer.exe - - - - 18601 - userinit.exe - Sysmon - Legitimate Parent Image - explorer.exe - - - - diff --git a/debian/ossec-hids/var/ossec/rules/systemd_rules.xml b/debian/ossec-hids/var/ossec/rules/systemd_rules.xml deleted file mode 100644 index 3ad0967..0000000 --- a/debian/ossec-hids/var/ossec/rules/systemd_rules.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - ^systemd$|^systemctl$ - Systemd rules - - - - 40700 - Stale file handle$ - Stale file handle. - - - - 40700 - Failed to get unit file state for - Failed to get unit state for service. This means that the .service file is missing - - - - 40700 - entered failed state - Service has entered a failed state, and likely has not started. - - - - diff --git a/debian/ossec-hids/var/ossec/rules/telnetd_rules.xml b/debian/ossec-hids/var/ossec/rules/telnetd_rules.xml deleted file mode 100644 index f35e216..0000000 --- a/debian/ossec-hids/var/ossec/rules/telnetd_rules.xml +++ /dev/null @@ -1,45 +0,0 @@ - - - - - - telnetd - Grouping for the telnetd rules - - - - 5600 - refused connect from - Connection refused by TCP Wrappers. - - - - 5600 - : connect from - Remote host established a telnet connection. - - - - ttloop: peer died:|ttloop: read: - 5602 - Remote host invalid connection. - - - - warning: can't verify hostname: - Reverse lookup error (bad hostname config). - - - - 5602 - - Multiple connection attempts from same source - (possible scan). - - - diff --git a/debian/ossec-hids/var/ossec/rules/topleveldomain_rules.xml b/debian/ossec-hids/var/ossec/rules/topleveldomain_rules.xml deleted file mode 100644 index 247314d..0000000 --- a/debian/ossec-hids/var/ossec/rules/topleveldomain_rules.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - 31100 - .top:|.to:|.gq:|.cf:|.men:|.loan:|.ml:|.work:|.click:|.tk:|.country:|.pw:|.party:|.trade:|.review:|.club:|.bid:|.country:|.stream:|.download:|.xin:|.gdn:|.racing:|.jetzt:|.win:|.vip:|.ren:|.kim:|.mom:|.date:|.wang:|.accountants:|.science:|.work:|.ninja:|.xyz:|.faith:|.zip:|.racing:|.cricket:|.space:|.realtor:|.christmas:|.gdn:|.pro: - Maybe critical URL access attempt - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml deleted file mode 100644 index 664d532..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Ny forbindelse fra - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Godkendelse mislykkedes for - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout| [INFO] Timeout - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Kan ikke ændre mappen til - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ er logget pÃ¥ nu - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml deleted file mode 100644 index 9e30e9d..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Neue Verbindung von - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Authentifizierung fehlgeschlagen - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout | [INFO] Zeitüberschreitung - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Kann nicht ins Verzeichnis \S+ wechseln - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ ist jetzt eingeloggt - FTP Authentication success. - authentication_success, - - - - - \ No newline at end of file diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml deleted file mode 100644 index ccd49bf..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] New connection from - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Authentication failed for user - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout| [INFO] Timeout - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Can't change directory to - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ is now logged in - FTP Authentication success. - authentication_success, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml deleted file mode 100644 index a1a1439..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Nueva conexión desde - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Autentificación fallida para el usuario - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Fin de sesión.| [INFO] Timeout - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] No puedo cambiar al directorio - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ está ahora dentro del sistema - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml deleted file mode 100644 index db07590..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Nouvelle connexion de - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Erreur d'authentification pour l'utilisateur - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Deloggue.| [INFO] Temps de reponse depasse - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Ne peut changer le repertoire en - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ est maintenant loggue - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml deleted file mode 100644 index 1b78f90..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] \S+ ramene son cul - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] \S+ c'est un batard, il connait pas son code - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Cassos | [INFO] Putain mais achete-toi des doigts - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] C'est quoi ce delire, je peux pas aller dans - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ vient de debarquer - FTP Authentication success. - authentication_success, - - - - - \ No newline at end of file diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml deleted file mode 100644 index 589612e..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Nuova connessione da - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Autenticazione falita per l'utente - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout.| [INFO] Timeout - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Impossibile cambiare la directory in - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ è ora loggato - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml deleted file mode 100644 index 27a179e..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Nieuwe verbinding vanaf - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Autorisatie faalde voor gebruiker - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout | [INFO] Onderbreking - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Kan de directory niet veranderen naar - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ is nu ingelogd - FTP Authentication success. - authentication_success, - - - - - \ No newline at end of file diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml deleted file mode 100644 index 8c0f406..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Ny tilkobling fra - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Godkjennelse mislyktes for - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logg ut.| [INFO] Timeout - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Kan ikke skifte katalog til - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ er nÃ¥ logget inn - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml deleted file mode 100644 index ada59f5..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Nova conexão a partir de - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Autenticação falhou para usuário - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Fim de sessão.| [INFO] Tempo expirado - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Não foi possível entrar no diretório - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ agora está logado - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml deleted file mode 100644 index f5308f2..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Conexiune noua de la - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Autentificare esuata pentru utilizatorul - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Iesire.| [INFO] Temporizare expirata - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Nu pot intra in directorul - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ este acum logat - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml deleted file mode 100644 index 5e27bd4..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Nove spojenie z - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Autentifikacia uzivatela zlyhala - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout.| [INFO] Cas vyprsal - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Nemozem prejst do adresara - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ je prave prihlaseny - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml deleted file mode 100644 index 2ace0bc..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] Nyanslutning frÃ¥n - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] Behörighetskontroll misslyckas för användare - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Logout| [INFO] Timeout - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Kan ej ändra bibliotek till - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ har loggat in - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml b/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml deleted file mode 100644 index 6211ce2..0000000 --- a/debian/ossec-hids/var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - pure-ftpd - Grouping for the pure-ftpd rules. - - - - 11300 - [INFO] \S+ den yeni baðlantý - New FTP connection. - connection_attempt, - - - - 11300 - [WARNING] \S+ kullanýcýsý için giriþ hatalý - FTP Authentication failed. - authentication_failed, - - - - 11300 - [INFO] Çýkýþ.| [INFO] Zaman Aþýmý - FTP user logout/timeout - - - - 11300 - [NOTICE] - FTP notice messages - - - - 11300 - [INFO] Klasör deðiþtirilemedi - Attempt to access invalid directory - - - - 11302 - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11301 - - Multiple connection attempts from same source. - recon, - - - - [INFO] \S+ giriþ yaptý - FTP Authentication success. - authentication_success, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/trend-osce_rules.xml b/debian/ossec-hids/var/ossec/rules/trend-osce_rules.xml deleted file mode 100644 index 8c1d4b2..0000000 --- a/debian/ossec-hids/var/ossec/rules/trend-osce_rules.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - - - - - - trend-osce - Grouping of Trend OSCE rules. - - - - 7600 - ^0|$|^1$|^2$|^33|^10$|^11$|^12$ - virus - Virus detected and cleaned/quarantined/removed - - - - 7600 - ^5$|^6$|^7$|^8$|^14$|^15$|^16$ - virus - Virus detected and unable to clean up. - - - - 7600 - ^4$|^13$ - Virus scan completed with no errors detected. - - - - 7600 - ^25$ - Virus scan passed by found potential security risk. - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/unbound_rules.xml b/debian/ossec-hids/var/ossec/rules/unbound_rules.xml deleted file mode 100644 index 327b75e..0000000 --- a/debian/ossec-hids/var/ossec/rules/unbound_rules.xml +++ /dev/null @@ -1,53 +0,0 @@ - - - - - - unbound - Unbound grouping. - - - - 53760 - notice: - Notice grouping. - - - - 53760 - info: - Info grouping. - - - - 53761 - sendto failed: Can't assign requested address - Can't assign requested address. - - - - 53762 - A IN$ - DNS A request. - - - - 53762 - AAAA IN$ - DNS AAAA request. - - - - 53771,53772 - .top.|.to.|.gq.|.cf.|.men.|.loan.|.ml.|.work.|.click.|.tk.|.country.|.pw.|.party.|.trade.|.review.|.club.|.bid.|.country.|.stream.|.download.|.xin.|.gdn.|.racing.|.jetzt.|.win.|.vip.|.ren.|.kim.|.mom.|.date.|.wang.|.accountants.|.science.|.work.|.ninja.|.xyz.|.faith.|.zip.|.racing.|.cricket.|.space.|.realtor.|.christmas.|.gdn.|.pro. - Maybe critical URL requested - - - diff --git a/debian/ossec-hids/var/ossec/rules/vmpop3d_rules.xml b/debian/ossec-hids/var/ossec/rules/vmpop3d_rules.xml deleted file mode 100644 index 58bac6a..0000000 --- a/debian/ossec-hids/var/ossec/rules/vmpop3d_rules.xml +++ /dev/null @@ -1,32 +0,0 @@ - - - - - - vm-pop3d - Grouping for the vm-pop3d rules. - - - - 9800 - failed auth - authentication_failed, - Login failed accessing the pop3 server. - - - - 9801 - - POP3 brute force (multiple failed logins). - authentication_failures, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/vmware_rules.xml b/debian/ossec-hids/var/ossec/rules/vmware_rules.xml deleted file mode 100644 index 1b49b50..0000000 --- a/debian/ossec-hids/var/ossec/rules/vmware_rules.xml +++ /dev/null @@ -1,157 +0,0 @@ - - - - - - - vmware - VMWare messages grouped. - - - - vmware-syslog - VMWare ESX syslog messages grouped. - - - - 19100 - ^crit|^fatal - VMware ESX critical message. - - - - 19100 - ^error - VMware ESX error message. - - - - 19100 - ^warn - VMware ESX warning message. - - - - 19100 - ^notice - VMware ESX notice message. - - - - 19100 - ^info - VMware ESX informational message. - - - - 19100 - ^verbose - VMware ESX verbose message. - - - - - - - 19106 - logged in$ - VMWare ESX authentication success. - authentication_success, - - - - 19106 - Failed login attempt for - VMWare ESX authentication failure. - authentication_failed, - - - - 19101 - vmware-hostd|vmware-authd - Accepted password for|login from - VMWare ESX user login. - authentication_success, - - - - 19101 - vmware-hostd|vmware-authd - Rejected password for - VMWare ESX user authentication failure. - authentication_failed, - - - - - - 19106 - -> VM_STATE_OFF - Virtual machine state changed to OFF. - service_availability, - - - - 19106 - -> VM_STATE_POWERING_ON - Virtual machine being turned ON. - - - - 19106 - -> VM_STATE_ON - Virtual machine state changed to ON. - alert_by_email - - - - 19106 - -> VM_STATE_RECONFIGURING - Virtual machine being reconfigured. - config_changed, - alert_by_email - - - - - - - 19104 - Multiple VMWare ESX warning messages. - service_availability, - - - - 19103 - Multiple VMWare ESX error messages. - service_availability, - - - - 19111 - Multiple VMWare ESX authentication failures. - authentication_failures, - - - - 19113 - Multiple VMWare ESX user authentication failures. - authentication_failures, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/vpn_concentrator_rules.xml b/debian/ossec-hids/var/ossec/rules/vpn_concentrator_rules.xml deleted file mode 100644 index aab0d98..0000000 --- a/debian/ossec-hids/var/ossec/rules/vpn_concentrator_rules.xml +++ /dev/null @@ -1,60 +0,0 @@ - - - - - - - - - cisco-vpn-concentrator - Grouping of Cisco VPN concentrator rules - - - - 14200 - ^IKE/52$ - VPN authentication successful. - authentication_success, - - - - 14200 - ^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$ - VPN authentication failed. - authentication_failed, - - - - 14200 - ^HTTP/47$|^SSH/16$ - alert_by_email - VPN Admin authentication successful. - authentication_success, - - - - 14202 - - Multiple VPN authentication failures. - authentication_failures, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/vpopmail_rules.xml b/debian/ossec-hids/var/ossec/rules/vpopmail_rules.xml deleted file mode 100644 index 0440e20..0000000 --- a/debian/ossec-hids/var/ossec/rules/vpopmail_rules.xml +++ /dev/null @@ -1,68 +0,0 @@ - - - - - - vpopmail - Grouping for the vpopmail rules. - - - - 9900 - password fail - authentication_failed, - Login failed for vpopmail. - - - - 9900 - vpopmail user not found - invalid_login, - Attempt to login to vpopmail with invalid username. - - - - 9900 - null password given - authentication_failed, - Attempt to login to vpopmail with empty password. - - - - 9900 - login success - authentication_success, - Vpopmail successful login. - - - - - 9901 - - Vpopmail brute force (multiple failed logins). - authentication_failures, - - - - 9902 - - Vpopmail brute force (email harvesting). - authentication_failures, - - - - 9903 - - VPOPMAIL brute force (empty password). - authentication_failures, - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/vsftpd_rules.xml b/debian/ossec-hids/var/ossec/rules/vsftpd_rules.xml deleted file mode 100644 index 250b26a..0000000 --- a/debian/ossec-hids/var/ossec/rules/vsftpd_rules.xml +++ /dev/null @@ -1,62 +0,0 @@ - - - - - - vsftpd - Grouping for the vsftpd rules. - - - - 11400 - CONNECT: Client - connection_attempt - FTP session opened. - - - - 11400 - OK LOGIN: - FTP Authentication success. - authentication_success, - - - - 11400 - FAIL LOGIN: - Login failed accessing the FTP server. - authentication_failed, - - - - 11400 - OK UPLOAD: - FTP server file upload. - - - - 11403 - - FTP brute force (multiple failed logins). - authentication_failures, - - - - 11401 - - Multiple FTP connection attempts from - same source IP. - recon, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/web_appsec_rules.xml b/debian/ossec-hids/var/ossec/rules/web_appsec_rules.xml deleted file mode 100644 index 6448db2..0000000 --- a/debian/ossec-hids/var/ossec/rules/web_appsec_rules.xml +++ /dev/null @@ -1,191 +0,0 @@ - - - - - - - - - - - 31100 - POST / - /wp-comments-post.php - Googlebot|MSNBot|BingBot - WordPress Comment Spam (coming from a fake search engine UA). - - - - - 31100 - thumb.php|timthumb.php - "GET \S+thumb.php?src=\S+.php - TimThumb vulnerability exploit attempt. - - - - - 31100 - login.php - "POST /\S+.php/login.php?cPath= - osCommerce login.php bypass attempt. - - - - - 31100 - login.php - /admin/\w+.php/login.php - osCommerce file manager login.php bypass attempt. - - - - - 31100 - /cache/external - "GET /\S+/cache/external\S+.php - TimThumb backdoor access attempt. - - - - - 31100 - cart.php - "GET /\S+cart.php?\S+templatefile=../ - Cart.php directory transversal attempt. - - - - - 31100 - DECLARE%20@S%20CHAR|%20AS%20CHAR - MSSQL Injection attempt (ur.php, urchin.js). - - - - - 31100 - "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af.sourceforge.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s - Blacklisted user agent (known malicious user agent). - - - - - 31108 - wp-login.php|/administrator - ] "POST \S+wp-login.php| "POST /administrator - CMS (WordPress or Joomla) login attempt. - - - - - 31509 - - CMS (WordPress or Joomla) brute force attempt. - - - - - 31100 - " "Wget/ - Blacklisted user agent (wget). - - - - - 31100 - uploadify.php - "GET /\S+/uploadify.php?src=http://\S+.php - Uploadify vulnerability exploit attempt. - - - - - 31100 - delete.php - "GET \S+/delete.php?board_skin_path=http://\S+.php - BBS delete.php exploit attempt. - - - - - 31100 - shell.php - "GET \S+/shell.php?cmd= - Simple shell.php command execution. - - - - - 31100 - phpMyAdmin/scripts/setup.php - PHPMyAdmin scans (looking for setup.php). - - - - - 31100 - .swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat - Suspicious URL access. - - - - - 31100 - ] "POST - no_log - POST request received. - - - - 31530 - /wp-admin/|/administrator/|/admin/ - Ignoring often post requests inside /wp-admin and /admin. - - - - 31530 - - High amount of POST requests in a small period of time (likely bot). - - - - - 31100 - %00 - "GET /\S+.php?\S+%00 - Anomaly URL query (attempting to pass null termination). - - - - diff --git a/debian/ossec-hids/var/ossec/rules/web_rules.xml b/debian/ossec-hids/var/ossec/rules/web_rules.xml deleted file mode 100644 index 6d40e60..0000000 --- a/debian/ossec-hids/var/ossec/rules/web_rules.xml +++ /dev/null @@ -1,225 +0,0 @@ - - - - - - web-log - Access log messages grouped. - - - - 31100 - ^2|^3 - is_simple_http_request - Ignored URLs (simple queries). - - - - 31100 - ^4 - Web server 400 error code. - - - - 31101 - .jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$ - is_simple_http_request - Ignored extensions on 400 error codes. - - - - 31100,31108 - =select%20|select+|insert%20|%20from%20|%20where%20|union%20| - union+|where+|null,null|xp_cmdshell - SQL injection attempt. - attack,sql_injection, - - - - 31100 - - - %027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;| - cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini| - /x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20| - exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C - Common web attack. - attack, - - - - 31100 - %3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20| - %20ONLOAD=|INPUT%20|iframe%20 - XSS (Cross Site Scripting) attempt. - attack, - - - - 31103, 31104, 31105 - ^200 - A web attack returned code 200 (success). - attack, - - - - 31100 - ?-d|?-s|?-a|?-b|?-w - PHP CGI-bin vulnerability attempt. - attack, - - - - 31100 - +as+varchar - %2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\) - MSSQL Injection attempt (/ur.php, urchin.js) - attack, - - - - - - 31103, 31104, 31105 - ^/search.php?search=|^/index.php?searchword= - Ignored URLs for the web attacks - - - - 31100 - URL too long. Higher than allowed on most - browsers. Possible attack. - invalid_access, - - - - - - 31100 - ^50 - Web server 500 error code (server error). - - - - 31120 - ^501 - Web server 501 error code (Not Implemented). - - - - 31120 - ^500 - alert_by_email - Web server 500 error code (Internal Error). - system_error, - - - - 31120 - ^503 - alert_by_email - Web server 503 error code (Service unavailable). - - - - - - 31101 - is_valid_crawler - Ignoring google/msn/yahoo bots. - - - - - 31101 - ^499 - Ignored 499's on nginx. - - - - - 31101 - - Multiple web server 400 error codes - from same source ip. - web_scan,recon, - - - - 31103 - - Multiple SQL injection attempts from same - source ip. - attack,sql_injection, - - - - 31104 - - Multiple common web attacks from same source ip. - attack, - - - - 31105 - - Multiple XSS (Cross Site Scripting) attempts - from same source ip. - attack, - - - - 31121 - - Multiple web server 501 error code (Not Implemented). - web_scan,recon, - - - - 31122 - - Multiple web server 500 error code (Internal Error). - system_error, - - - - 31123 - - Multiple web server 503 error code (Service unavailable). - web_scan,recon, - - - - 31100 - =%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B - SQL injection attempt. - attack,sqlinjection, - - - - 31100 - %EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045 - SQL injection attempt. - attack,sqlinjection, - - - diff --git a/debian/ossec-hids/var/ossec/rules/wordpress_rules.xml b/debian/ossec-hids/var/ossec/rules/wordpress_rules.xml deleted file mode 100644 index edbb837..0000000 --- a/debian/ossec-hids/var/ossec/rules/wordpress_rules.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - wordpress - Wordpress messages grouped. - - - - 9500 - User authentication failed - Wordpress authentication failed. - authentication_failed, - - - - 9500 - User logged in - Wordpress authentication succeeded. - authentication_success, - - - - 9500 - WPsyslog was successfully initiali - WPsyslog was successfully initialized. - - - - 9500 - Plugin deactivated - Wordpress plugin deactivated. - - - - 9500 - Warning: Comment flood attempt - Wordpress Comment Flood Attempt. - - - - 9500 - Warning: IDS: - Attack against Wordpress detected. - - - - 9501 - - Multiple wordpress authentication failures. - authentication_failures, - - - - - - diff --git a/debian/ossec-hids/var/ossec/rules/zeus_rules.xml b/debian/ossec-hids/var/ossec/rules/zeus_rules.xml deleted file mode 100644 index 96c66d0..0000000 --- a/debian/ossec-hids/var/ossec/rules/zeus_rules.xml +++ /dev/null @@ -1,75 +0,0 @@ - - - - - - - - - zeus - Grouping of Zeus rules. - - - - 31200 - ^[\S+ \S+] INFO:|^[\S+ \S+] SSL: - Grouping of Zeus informational logs. - - - - 31200 - ^[\S+ \S+] WARN: - Zeus warning log. - - - - 31200 - ^[\S+ \S+] SERIOUS: - Zeus serious log. - - - - 31200 - ^[\S+ \S+] FATAL: - Zeus fatal log. - - - - 31202 - admin:Authentication failure - Admin authentication failed. - authentication_failed, - - - - 31202 - Unknown directive - Configuration warning (ignored). - - - - 31202 - Multiple Zeus warnings. - - - - -