Merge branch 'development' - v1.09

wazuh · May 12, 2016 · ea0cb8f · ea0cb8f
2 parents dce0e14 + 3ecaed6
commit ea0cb8f
Show file tree

Hide file tree

Showing 17 changed files with 301 additions and 200 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,16 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v1.09] - 2016-05-12
+### Added
+- Decoders and rules for Amazon
+
+### Changed
+- Amazon directory structure.
+- Minor changes:
+ - Apache and Nginx rules.
+ - RH7 rootchecks.
+
 ## [v1.08] - 2016-05-05
 ### Added
 - Redis decoders and rules.

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.08
+1.09
diff --git a/ossec_ruleset.py b/ossec_ruleset.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # OSSEC Ruleset Update
 
-# v2.3.2 2016/05/05
+# v2.3.3 2016/06/11
 # Created by Wazuh, Inc. <info@wazuh.com>.
 # jesus@wazuh.com
 # This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
@@ -851,23 +851,20 @@ def setup_decoders(decoder):
 
 def setup_rules(rule):
     if rule == "ossec":
-        new_ossec_rules_path = "{0}/ossec/rules/*rules*.xml".format(new_rules_path)
-        ossec_rules = sorted(glob.glob(new_ossec_rules_path))
+        rules_path = "{0}/ossec/rules/*_rules.xml".format(new_rules_path)
+    else:
+        rules_path = "{0}/{1}/*_rules.xml".format(new_rules_path, rule)
 
-        for ossec_rule in ossec_rules:
-            # Do not copy folders or local_rules.xml
-            if os.path.isfile(ossec_rule) and "local_rules.xml" not in ossec_rule:
-                split = ossec_rule.split("/")
-                filename = split[len(split) - 1]
-                dest_file = "{0}/rules/{1}".format(ossec_path, filename)
-                shutil.copyfile(ossec_rule, dest_file)
-                os.chown(dest_file, root_uid, ossec_gid)
+    new_rules = sorted(glob.glob(rules_path))
 
-    else:
-        src_file = "{0}/{1}/{1}_rules.xml".format(new_rules_path, rule)
-        dest_file = "{0}/rules/{1}_rules.xml".format(ossec_path, rule)
-        shutil.copyfile(src_file, dest_file)
-        os.chown(dest_file, root_uid, ossec_gid)
+    for new_rule in new_rules:
+        # Do not copy folders or local_rules.xml
+        if os.path.isfile(new_rule) and "local_rules.xml" not in new_rule:
+            split = new_rule.split("/")
+            filename = split[len(split) - 1]
+            dest_file = "{0}/rules/{1}".format(ossec_path, filename)
+            shutil.copyfile(new_rule, dest_file)
+            os.chown(dest_file, root_uid, ossec_gid)
 
 
 def setup_roochecks(rootcheck):
@@ -885,9 +882,17 @@ def setup_ossec_conf(item, type_item):
         return
 
     if type_item == "rule":
-        if not regex_in_file("\s*<include>{0}_rules.xml</include>".format(item), ossec_conf):
-            logger.log("\t\tNew rule in ossec.conf: '{0}'.".format(item))
-            write_before_line("<include>local_rules.xml</include>", '    <include>{0}_rules.xml</include>'.format(item), ossec_conf)
+
+        if item == "amazon":  # Special case
+            new_items = ["amazon", "amazon-ec2", "amazon-iam"]
+        else:
+            new_items = [item]
+
+        for new_item in new_items:
+            if not regex_in_file("\s*<include>{0}_rules.xml</include>".format(new_item), ossec_conf):
+                logger.log("\t\tNew rule in ossec.conf: '{0}'.".format(new_item))
+                write_before_line("<include>local_rules.xml</include>", '    <include>{0}_rules.xml</include>'.format(new_item), ossec_conf)
+
     elif type_item == "rootcheck":
         if not regex_in_file("<rootcheck>", ossec_conf) or regex_in_file("\s*<rootcheck>\s*\n\s*<disabled>\s*yes", ossec_conf):
             logger.log("\t\tRootchecks disabled in ossec.conf -> no activate rootchecks.")
@@ -1021,7 +1026,7 @@ def clean_directory():
 
 def usage():
     msg = """
-OSSEC Wazuh Ruleset Update v2.3.2
+OSSEC Wazuh Ruleset Update v2.3.3
 Github repository: https://github.com/wazuh/ossec-rules
 Full documentation: http://documentation.wazuh.com/en/latest/ossec_ruleset.html
 

diff --git a/rootcheck/cis_rhel7_linux_rcl.txt b/rootcheck/cis_rhel7_linux_rcl.txt
@@ -26,18 +26,18 @@
 
 
 # CIS Checks for Red Hat / CentOS 6
-# Based on CIS Benchmark for Red Hat Enterprise Linux 6 v1.3.0
+# Based on CIS Benchmark for Red Hat Enterprise Linux 7 v1.1.0
 
 # RC scripts location
 $rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
 
 
-[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [http://www.ossec.net/]
+[CIS - Testing against the CIS Red Hat Enterprise Linux 7 Benchmark v1.1.0] [any required] [http://www.ossec.net/]
 f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 6;
-f:/etc/redhat-release -> r:^CentOS && r:release 6;
-f:/etc/redhat-release -> r:^Cloud && r:release 6;
-f:/etc/redhat-release -> r:^Oracle && r:release 6;
-f:/etc/redhat-release -> r:^Better && r:release 6;
+f:/etc/redhat-release -> r:^CentOS && r:release 7;
+f:/etc/redhat-release -> r:^Cloud && r:release 7;
+f:/etc/redhat-release -> r:^Oracle && r:release 7;
+f:/etc/redhat-release -> r:^Better && r:release 7;
 
 # 1.1.1 /tmp: partition
 [CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL7 -]

diff --git a/rules-decoders/amazon-ec2/amazon-ec2_decoders.xml b/rules-decoders/amazon-ec2/amazon-ec2_decoders.xml
diff --git a/rules-decoders/amazon-ec2/amazon-ec2_instructions.md b/rules-decoders/amazon-ec2/amazon-ec2_instructions.md
diff --git a/rules-decoders/amazon-iam/amazon-iam_instructions.md b/rules-decoders/amazon-iam/amazon-iam_instructions.md