#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# OSSEC Linux Audit - (C) 2014
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: https://www.gnu.org/licenses/gpl.html
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
# - f (for file or directory)
# - p (process running)
# - d (any file inside the directory)
#
# Additional values:
# For the registry and for directories, use "->" to look for a specific entry and another
# "->" to look for the value.
# Also, use " -> r:^\. -> ..." to search all files in a directory
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
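# CIS Checks for Red Hat (RHEL 2.1, 3.0, 4.0 and Fedora Core 1,2,3,4 and 5).
# Based on CIS Benchmark for Red Hat Enterprise Linux v1.0.5
#
# Layout of every check below: "[title] [any]" on one line, the benchmark
# reference on the next line, then one or more entries.  With [any] the check
# is raised as soon as a single entry matches, and every entry is written as a
# negative finding: a match means the host deviates from the benchmark.
# Regex reminder for the patterns below (ossec regex, "r:"): "\." matches any
# single character (so "\.+" is used as a separator wildcard), "\d" a digit,
# "\w" an alphanumeric, while a plain "." is a literal dot.  A "!" placed in
# front of the type prefix ("!r:") negates that pattern; a "!" after the
# prefix is part of the pattern text.
#
# RC scripts location (SysV runlevel directories searched by the "d:" entries)
$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;

# Raised when no line of /etc/fstab mentions /home at all, i.e. /home is not a
# separate mount.  The pattern is not restricted to uncommented lines, so a
# commented-out /home entry would also satisfy it and silence the check.
[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /home is not on its own partition] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/fstab -> !r:/home;

# SSH checks: only uncommented sshd_config lines are considered (!r:^#).
# A directive that is simply absent (left at the sshd default) produces no
# matching line and is therefore not detected by these entries.
[CIS - Red Hat Linux - 1.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;

[CIS - Red Hat Linux - 1.3 - SSH Configuration - Empty passwords permitted {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;

[CIS - Red Hat Linux - 1.3 - SSH Configuration - Host based authentication enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;

[CIS - Red Hat Linux - 1.3 - SSH Configuration - Root login allowed {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;

# xinetd services: an uncommented line of the service file containing both
# "disable" and "no" (i.e. "disable = no") means the service is active.
# NOTE(review): the original entries pointed at /etc/xinetd.c/, which is not
# the xinetd configuration directory (/etc/xinetd.d/ is), so the files were
# never found and these checks could not match.  Paths corrected below.
[CIS - Red Hat Linux - 2.4 - VSFTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;

[CIS - Red Hat Linux - 2.4 - WU-FTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/xinetd.d/wu-ftpd -> !r:^# && r:disable && r:no;

[CIS - Red Hat Linux - 2.5 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.5 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;

[CIS - Red Hat Linux - 2.6 - tftpd enabled on xinetd {CIS: 2.6 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;

[CIS - Red Hat Linux - 2.7 - imap enabled on xinetd {CIS: 2.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/xinetd.d/imap -> !r:^# && r:disable && r:no;
f:/etc/xinetd.d/imaps -> !r:^# && r:disable && r:no;

[CIS - Red Hat Linux - 2.8 - pop3 enabled on xinetd {CIS: 2.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/xinetd.d/ipop3 -> !r:^# && r:disable && r:no;
f:/etc/xinetd.d/pop3s -> !r:^# && r:disable && r:no;

# An uncommented /etc/inittab line containing "id:5" selects runlevel 5
# (graphical login) as the default.
[CIS - Red Hat Linux - 3.4 - GUI login enabled {CIS: 3.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/inittab -> !r:^# && r:id:5;

# Boot services: each entry is raised when a start link named S<nn><service>
# exists in any of the $rc_dirs runlevel directories.
[CIS - Red Hat Linux - 3.7 - Disable standard boot services - Samba Enabled {CIS: 3.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dsamba$;
d:$rc_dirs -> ^S\d\dsmb$;

[CIS - Red Hat Linux - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dnfs$;
d:$rc_dirs -> ^S\d\dnfslock$;

[CIS - Red Hat Linux - 3.10 - Disable standard boot services - NIS Enabled {CIS: 3.10 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dypbind$;
d:$rc_dirs -> ^S\d\dypserv$;

[CIS - Red Hat Linux - 3.13 - Disable standard boot services - NetFS Enabled {CIS: 3.13 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dnetfs$;

[CIS - Red Hat Linux - 3.15 - Disable standard boot services - Apache web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dapache$;
d:$rc_dirs -> ^S\d\dhttpd$;

[CIS - Red Hat Linux - 3.15 - Disable standard boot services - TUX web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dtux$;

[CIS - Red Hat Linux - 3.16 - Disable standard boot services - SNMPD process Enabled {CIS: 3.16 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dsnmpd$;

[CIS - Red Hat Linux - 3.17 - Disable standard boot services - DNS server Enabled {CIS: 3.17 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dnamed$;

[CIS - Red Hat Linux - 3.18 - Disable standard boot services - MySQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dmysqld$;

[CIS - Red Hat Linux - 3.18 - Disable standard boot services - PostgreSQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dpostgresql$;

[CIS - Red Hat Linux - 3.19 - Disable standard boot services - Webmin Enabled {CIS: 3.19 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dwebmin$;

[CIS - Red Hat Linux - 3.20 - Disable standard boot services - Squid Enabled {CIS: 3.20 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dsquid$;

[CIS - Red Hat Linux - 3.21 - Disable standard boot services - Kudzu hardware detection Enabled {CIS: 3.21 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
d:$rc_dirs -> ^S\d\dkudzu$;

# Network parameters: the /proc/sys value is compared for equality (the
# default "=:" operator), so the entry matches the exact file content.
[CIS - Red Hat Linux - 4.1 - Network parameters - ICMP broadcasts accepted {CIS: 4.1 Red Hat Linux}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;

# NOTE(review): /proc/sys/net/ipv6/ip_forward is not a sysctl I know of; IPv6
# forwarding is exposed under /proc/sys/net/ipv6/conf/all/forwarding, so the
# second entry is expected to never match as written -- confirm and adjust.
[CIS - Red Hat Linux - 4.2 - Network parameters - IP Forwarding enabled {CIS: 4.2 Red Hat Linux}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/proc/sys/net/ipv4/ip_forward -> 1;
f:/proc/sys/net/ipv6/ip_forward -> 1;

# Section 6 - Permissions
# Raised for an uncommented ext2/ext3 fstab line for the given mount point
# that does not carry the nodev option.  The mount-point patterns are plain
# substrings, so "/var" also matches e.g. "/var/log".
[CIS - Red Hat Linux - 6.1 - Partition /var without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;

[CIS - Red Hat Linux - 6.1 - Partition /tmp without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;

[CIS - Red Hat Linux - 6.1 - Partition /opt without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;

# (stray blank before the ";" removed so the last pattern is exactly "nodev",
# as in the sibling entries)
[CIS - Red Hat Linux - 6.1 - Partition /home without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev;

# Removable media: any uncommented /media line lacking the option.
[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nodev' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/fstab -> !r:^# && r:/media && !r:nodev;

[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nosuid' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;

# Raised when console.perms grants the console user the cdrom or floppy
# device class ("<console> <mode> <device>" lines).
[CIS - Red Hat Linux - 6.3 - User-mounted removable partition allowed on the console {CIS: 6.3 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;

# A shadow line whose second (password hash) field is empty.
[CIS - Red Hat Linux - 8.2 - Account with empty password present {CIS: 8.2 Red Hat Linux} {PCI_DSS: 10.2.5}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/shadow -> r:^\w+::;

# An uncommented passwd line with uid field 0 whose name is not "root".
# NOTE(review): "\w+" only covers account names made of \w characters;
# names using other characters would not be matched -- confirm the ossec
# \w class if that matters for your naming scheme.
[CIS - Red Hat Linux - SN.11 - Non-root account with uid 0 {PCI_DSS: 10.2.5}] [any]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;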
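# VMware ESX guest (.vmx) settings, from the VI3 Security Hardening guide.
# Each "d:" entry scans every file under /vmfs/volumes whose name matches
# ".vmx$" and applies the patterns to its lines.  Where two entries are
# given, the first is raised when the key is absent (!r:^key) and the second
# when the key is explicitly set to the value the title describes.
# Numbers in the comments are the guide's item numbers.
# 1.2
[VMware ESX - VM settings - Paste operation between guest and console enabled] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.paste.disable;
d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.paste.disable && r:false;
# 1.3
[VMware ESX - VM settings - GUI Options enabled] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setGUIOptions.enable && r:true;
# 1.4
# Raised when log.rotateSize is missing or set to anything but "100000".
[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Rotate size not 100KB] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:^log.rotateSize;
d:/vmfs/volumes -> .vmx$ -> r:^log.rotateSize && !r:"100000";
# 1.5
# NOTE(review): the second entry originally read 'r:"10"', which raised the
# check when log.keepOld *was* 10 -- the opposite of the title and of the
# 1.4 entry above.  Negated so it is raised when the value is not "10".
[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Maximum number of logs not 10] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:^log.keepOld;
d:/vmfs/volumes -> .vmx$ -> r:^log.keepOld && !r:"10";
# 1.6
[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Guests allowed to write SetInfo data to config] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.setinfo.disable;
d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setinfo.disable && r:false;
# 1.7
# NOTE(review): originally 'r:!independent-nonpersistent'.  Per the header
# syntax a "!" after the "r:" prefix is part of the regex (a literal "!"),
# not a negation, so the entry could not match a real mode line.  Rewritten
# as a positive match on the condition the title names (a scsi disk in
# independent-nonpersistent mode) -- confirm against the hardening guide.
[VMware ESX - VM settings - Nonpersistent Disks being used] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> r:^scsi\d:\d.mode && r:independent-nonpersistent;
# 1.8
# NOTE(review): originally 'r:!false' (again a literal "!"); the negation
# belongs in front of the prefix.  Raised when a floppy<n>.present line holds
# anything other than false.
[VMware ESX - VM settings - Floppy drive present] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> r:^floppy\d+.present && !r:false;
# 1.9
# The key was written "Isolation.tools.connectable.disable" (capital I) in
# the original, unlike every other isolation.tools.* key in this file;
# normalised to lower case so the match does not depend on whether "r:"
# patterns are case-sensitive.
[VMware ESX - VM settings - Unauthorized Removal or Connection of Devices allowed] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.connectable.disable;
d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.connectable.disable && r:false;
# 1.10
[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskWiper enabled] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskWiper.disable;
d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskWiper.disable && r:false;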