Permalink
Browse files

Import commits from ossec ruleset (#94)

* Add files via upload

New mysql rootcheck-files.

* Add bitcoin wallet scans to suspicious URL's

* Named rules improvement

Protection against a host that don't has recursion permission and/or authorization to local cache query. there is a different between allow-query and allow-query-cache.

ref:
* https://kb.isc.org/article/AA-00503/0/Whats-the-difference-between-allow-query-cache-and-allow-recursion.html
* http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache

* Add support for wordpress log format wp2syslog plugin.

* removing CIS bad path

* Fix leftover space

* Add support for wordpress log format wp2syslog plugin.

* Add support for wordpress log format wp2syslog plugin.
  • Loading branch information...
PSanchezR authored and jesuslinares committed Jan 10, 2018
1 parent fc10e7a commit 3042209e721c894d5eb068072c9bd66e9503c488
@@ -14,7 +14,7 @@
- WPsyslog[14382]: [127.0.0.1 na] Info: User logged in. User name: admin (admin).
-->
<decoder name="wordpress">
<program_name>^WPsyslog</program_name>
<program_name>^WPsyslog|^wpcore</program_name>
<prematch>^[</prematch>
<regex offset="after_prematch">^(\S+) </regex>
<order>srcip</order>
@@ -0,0 +1,45 @@
<!--
- Exim decoders
- Author: Alexandr Garaga.
- Copyright (C) 2009 Trend Micro Inc.
- Updated by Wazuh, Inc. <support@wazuh.com>.
- This program is a free software; you can redistribute it and/or modif$
-->
<!-- Exim
- Examples:
- 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
- 2017-01-24 05:22:29 dovecot_plain authenticator failed for (test) [::1]:39454: 535 Incorrect authentication data (set_id=test)
- 2017-01-24 03:09:46 SMTP connection from [10.101.1.10]:55010 (TCP/IP connection count = 1)
- 2017-01-24 02:53:13 SMTP connection from (hydra) [10.101.1.10]:53682 lost
- 2017-01-24 05:36:23 SMTP call from (000000) [::1]:39480 dropped: too many syntax or protocol errors (last command was "123")
-->
<decoder name="exim-authfailed">
<parent>windows-date-format</parent>
<prematch offset="after_parent">authenticator failed</prematch>
<regex offset="after_prematch">[(\S+)]:\d+: \d+ Incorrect authentication data \(set_id=(\w+)\)</regex>
<order>srcip,user</order>
</decoder>
<decoder name="exim-connect">
<parent>windows-date-format</parent>
<prematch offset="after_parent">^SMTP connection from </prematch>
<regex offset="after_prematch">[(\S+)]:\d+ \(TCP/IP connection count</regex>
<order>srcip</order>
</decoder>
<decoder name="exim-disconnect">
<parent>windows-date-format</parent>
<prematch offset="after_parent">^SMTP connection from </prematch>
<regex offset="after_prematch">[(\S+)]:\d+ lost</regex>
<order>srcip</order>
</decoder>
<decoder name="exim-syntax-errors">
<parent>windows-date-format</parent>
<prematch offset="after_parent">^SMTP call from </prematch>
<regex offset="after_prematch">[(\S+)]:\d+ dropped: too many syntax or protocol errors</regex>
<order>srcip</order>
</decoder>
@@ -0,0 +1,158 @@
# OSSEC Linux Audit - (C) 2017
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
# - f (for file or directory)
# - p (process running)
# - d (any file inside the directory)
#
# Additional values:
# For the registry , use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceeded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
# CIS Checks for MYSQL
# Based on Center for Internet Security Benchmark for MYSQL v1.1.0
#
$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
$enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile;
$mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf;
#
#
#1.3 Disable MySQL Command History
[CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download]
d:$home_dirs -> ^.mysql_history$;
#
#
#1.5 Disable Interactive Login
[CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download]
f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$;
#
#
#1.6 Verify That 'MYSQL_PWD' Is Not In Use
[CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$enviroment_files -> r:\.*MYSQL_PWD\.*;
#
#
#4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'
[CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true;
f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;
#
#
#4.4 Ensure 'local_infile' Is Disabled
[CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1;
f:$mysql-cnfs -> r:local-infile\s*$;
#
#
#4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables'
[CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true;
f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;
f:$mysql-cnfs -> r:skip-grant-tables\s*$;
#
#
#4.6 Ensure '--skip-symbolic-links' Is Enabled
[CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no;
f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;
f:$mysql-cnfs -> r:skip_symbolic_links\s*$;
#
#
#4.8 Ensure 'secure_file_priv' is not empty
[CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*;
f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;
f:$mysql-cnfs -> r:secure_file_priv\s*$;
#
#
#4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'
[CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:strict_all_tables\s*$;
#
#
#6.1 Ensure 'log_error' is not empty
[CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*;
f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;
f:$mysql-cnfs -> r:log_error\s*$;
#
#
#6.2 Ensure Log Files are not Stored on a non-system partition
[CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*;
f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*;
f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*;
f:$mysql-cnfs -> r:log_bin\s*$;
#
#
#6.3 Ensure 'log_warning' is set to 2 at least
[CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0;
f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1;
f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;
f:$mysql-cnfs -> r:log_warnings\s*$;
#
#
#6.5 Ensure 'log_raw' is set to 'off'
[CIS - MySQL Configuration - 6.5: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on;
f:$mysql-cnfs -> r:log-raw\s*$;
#
#
#7.1 Ensure 'old_password' is not set to '1' or 'On'
[CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1;
f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on;
f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;
f:$mysql-cnfs -> r:old_passwords\s*$;
#
#
#7.2 Ensure 'secure_auth' is set to 'ON'
[CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off;
f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;
f:$mysql-cnfs -> r:secure_auth\s*$;
#
#
#7.3 Ensure Passwords Are Not Stored in the Global Configuration
[CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:^\s*password\.*;
#
#
#7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'
[CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:no_auto_create_user\s*$;
f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$;
#
#
#7.6 Ensure Password Policy is in Place
[CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;
f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;
f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;
f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;
f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;
f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;
f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;
#
#
#9.2 Ensure 'master_info_repository' is set to 'Table'
[CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download]
f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file;
f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;
f:$mysql-cnfs -> r:master_info_repository\s*$;
Oops, something went wrong.

0 comments on commit 3042209

Please sign in to comment.