diff --git a/CHANGELOG.md b/CHANGELOG.md index 88740eeb1..8fc9d5ff9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,27 @@ # Change Log All notable changes to this project will be documented in this file. +## [v1.03] - 2016-01-08 +### Added +- Amazon Decoders & Rules: + - EC2 + - IAM +- Auditd Rules +- Shellshock rules +- New rules for sudo +- New rules for system +- New decoder: web-accesslog-iis-default decoder +- Folder tools: + - amazon: Script getawslog.py to download the JSON file from S3 Bucket. + - file-testing: Script file_test.py to check if a log file generates alerts + - rules-testing: Script runtests.py to run unitary tests. Created by OSSEC. + +### Changed +- Auditd Decoders +- Minor changes in some decoders and rules. +- Netscaler updated +- *ossec_ruleset.py* fixes + ## [v1.02] - 2015-12-09 ### Added - Serv-U Decoders & Rules. @@ -27,12 +48,12 @@ All notable changes to this project will be documented in this file. - Compliance mapping with PCI DSS v3.1. - Netscaler Decoders & Rules. - ClamAV: - - New decoder: Extract main fields (path, virus name, hash) when a virus is detected. - - New rule: ClamAV Stopped. - - New rule: Virus detected multiple times. + - New decoder: Extract main fields (path, virus name, hash) when a virus is detected. + - New rule: ClamAV Stopped. + - New rule: Virus detected multiple times. - Sysmon decoders: - - Decoder for the new log format of Event 1 - - Decoders for Events 2 - 8. + - Decoder for the new log format of Event 1 + - Decoders for Events 2 - 8. - Script *ossec_ruleset.py* for installing and updating rules, decoders and rootcheck. ### Changed diff --git a/README.md b/README.md index 455669fda..ad31385f3 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,8 @@ The ruleset includes compliance mapping with PCI DSS v3.1, CIS and additional de | ├── new_software_rules.xml | ├── new_software_instructions.md | + │ ├── tools + | │ ├── README.md │ ├── VERSION │ ├── ossec_ruleset.py # Ruleset installer/updater 
diff --git a/Ruleset_Reference.ods b/Ruleset_Reference.ods
new file mode 100644
index 000000000..dcb385665
Binary files /dev/null and b/Ruleset_Reference.ods differ
diff --git a/VERSION b/VERSION
index 101047359..f1ad6a77c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.02
+1.03
diff --git a/ossec_ruleset.py b/ossec_ruleset.py
index 884055665..0a2a1667b 100755
--- a/ossec_ruleset.py
+++ b/ossec_ruleset.py
@@ -1,8 +1,9 @@
#!/usr/bin/env python
# OSSEC Ruleset Installer and Updater
-# v2.0 2015/12/09
+# v2.1 2016/01/07
# Created by Wazuh, Inc. .
+# jesus@wazuh.com
# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
# Requirements:
@@ -117,6 +118,45 @@ def write_after_line(line_search, new_text, filepath):
fileinput.close()
+def swap_lines(line_search_1, line_search_2, filepath):
+ """
+ Swap lines in file, if line_search1 before line_search2
+ :param filepath:
+ :param line_search_2:
+ :param line_search_1:
+ """
+ count = 0
+ count1 = 0
+ count2 = 0
+ for line in fileinput.input(filepath):
+ count += 1
+ if line_search_1.strip() in line.strip():
+ count1 = count
+ elif line_search_2.strip() in line.strip():
+ count2 = count
+ fileinput.close()
+ if 0 < count1 < count2:
+ for line in fileinput.input(filepath, inplace=True):
+ if line_search_1.strip() in line.strip():
+ print(line_search_2)
+ elif line_search_2.strip() in line.strip():
+ print(line_search_1)
+ else:
+ print(line.rstrip("\n"))
+ fileinput.close()
+
+
+def get_previous_line(line_search, filepath):
+ previous_line = None
+ for line in fileinput.input(filepath):
+ if line_search in line.strip():
+ break
+ previous_line = line
+ fileinput.close()
+ return previous_line
+
+
def remove_line(line_search, filepath):
for line in fileinput.input(filepath, inplace=True):
if line_search in line.strip():
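Review bot: `get_previous_line` cannot tell "not found" from "found on the last line": when `line_search` never matches, the loop runs off the end and the function returns the file's last line, and on an empty file it returns `None`, so a caller testing `x in previous_line` either inspects the wrong line or raises `TypeError`. Track a hit flag, e.g. `found = False` before the loop, `found = True` before `break`, and `return previous_line if found else None`. `swap_lines` matches by substring (`line_search_1.strip() in line.strip()`) and prints the search string instead of the matched line, so any other content on a matching line (a trailing comment, a longer path that contains the search text) is silently dropped when the swap runs; an equality match or a comment stating that whole-line replacement is intended would make this explicit. Both helpers rewrite the target file through `fileinput(inplace=True)`, and since this tool edits ossec.conf as root a docstring noting that the file is recreated (ownership must be restored by the caller) would help.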
@@ -508,7 +548,7 @@ def get_ruleset_from_update(type_ruleset): rootchecks_dir = "{0}/etc/shared".format(ossec_path) rootchecks_equal = compare_folders(download_rootchecks_dir, rootchecks_dir, "*.txt") - # print("{0}: rc {1} ".format(new_rc, rootchecks_equal)) + # print("{0}: rc ossec {1} ".format(new_rc, rootchecks_equal)) if not rootchecks_equal: rootchecks_update.append(new_rc) restart_ossec = True @@ -554,6 +594,20 @@ def get_ruleset_from_update(type_ruleset): def setup_wazuh_directory_structure(): + """ + Wazuh Directory Structure: + + etc/ossec_decoders + etc/wazuh_decoders + etc/local_decoder.xml + + *_rules.xml + + *_rules.xml + + local_rules.xml + + """ ossec_conf = "{0}/etc/ossec.conf".format(ossec_path) # Check if decoders in wazuh structure @@ -588,6 +642,19 @@ def setup_wazuh_directory_structure(): write_after_line("", " {0}".format(str_decoder), ossec_conf) logger.log("\tNew line in ossec.conf: '{0}'".format(str_decoder)) + # Wazuh decoders + # Create folder for wazuh decoders + wazuh_decoders = "{0}/etc/wazuh_decoders".format(ossec_path) + if not os.path.exists(wazuh_decoders): + os.makedirs(wazuh_decoders) + chown_r(wazuh_decoders, root_uid, ossec_gid) + logger.log("\tNew directory created for WAZUH decoders: '{0}'".format(wazuh_decoders)) + + str_decoder_wazuh = "etc/wazuh_decoders" + if not regex_in_file(str_decoder_wazuh, ossec_conf): + write_after_line(str_decoder, " {0}".format(str_decoder_wazuh), ossec_conf) + logger.log("\tNew line in ossec.conf: '{0}'".format(str_decoder_wazuh)) + # Local decoder path_decoder_local = "{0}/etc/local_decoder.xml".format(ossec_path) # Create Local Decoder 
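Review bot: `os.makedirs(wazuh_decoders)` creates the decoder directory with the default 0777 mode masked only by the caller's umask, and `chown_r(wazuh_decoders, root_uid, ossec_gid)` then hands group ownership to the ossec group; under a permissive umask the decoders the analysis daemon loads end up group-writable. Pass an explicit mode, `os.makedirs(wazuh_decoders, 0o750)`, so the directory's permissions do not depend on the invoking shell. This hunk is the `# Wazuh decoders` block moved up from the removed section further down, and `setup_wazuh_directory_structure` begins and ends outside the hunk.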
@@ -612,22 +679,51 @@ def setup_wazuh_directory_structure(): str_decoder_local = "etc/local_decoder.xml" if not regex_in_file(str_decoder_local, ossec_conf): - write_after_line(str_decoder, " {0}".format(str_decoder_local), ossec_conf) + write_after_line(str_decoder_wazuh, " {0}".format(str_decoder_local), ossec_conf) logger.log("\tNew line in ossec.conf: '{0}'".format(str_decoder_local)) - # Wazuh decoders - # Create folder for wazuh decoders - wazuh_decoders = "{0}/etc/wazuh_decoders".format(ossec_path) - if not os.path.exists(wazuh_decoders): - os.makedirs(wazuh_decoders) - chown_r(wazuh_decoders, root_uid, ossec_gid) - logger.log("\tNew directory created for WAZUH decoders: '{0}'".format(wazuh_decoders)) - - str_decoder_wazuh = "etc/wazuh_decoders" - if not regex_in_file(str_decoder_wazuh, ossec_conf): - write_after_line(str_decoder_local, " {0}".format(str_decoder_wazuh), ossec_conf) - logger.log("\tNew line in ossec.conf: '{0}'".format(str_decoder_wazuh)) - + # Order check: Local decoder -> decoder_local after decoder_wazuh + swap_lines(" {0}".format(str_decoder_local), " {0}".format(str_decoder_wazuh), ossec_conf) + + # Order check: Local rules + previous_end_rules = get_previous_line("", ossec_conf) + local_rules = "local_rules.xml" + + if regex_in_file(local_rules, ossec_conf): + # local_rules.xml always before "" + if local_rules not in previous_end_rules: + remove_line(local_rules, ossec_conf) + write_before_line("", " {0}".format(local_rules), ossec_conf) + logger.log("\tChanged line in ossec.conf: '{0}'".format(local_rules)) + else: # Include local_rules and create local_rules.xml (if necessary) + text = ("\n" + "\n" + "\n" + " \n" + " \n" + " 5711\n" + " falSe_User_xyzabc_123987\n" + " Ignore sshd failed logins for this user.\n" + " \n" + "\n" + "\n" + "\n") + path_local_rules = "{0}/rules/local_rules.xml".format(ossec_path) + + if not os.path.isfile(path_local_rules): + f_local_rules = open(path_local_rules, 'a') + f_local_rules.write(text) + 
f_local_rules.close() + logger.log("\t{0} created".format(path_local_rules)) + + os.chown(path_local_rules, root_uid, ossec_gid) + + write_before_line("", " {0}".format(local_rules), ossec_conf) + logger.log("\tNew line in ossec.conf: '{0}'".format(local_rules)) + + # OSSEC.CONF os.chown(ossec_conf, root_uid, ossec_gid) except Exception as e: @@ -687,7 +783,7 @@ def setup_roochecks(rootcheck): if rootcheck == "ossec": for new_ossec_rc in os.listdir(src_dir): - if os.path.isfile(new_ossec_rc): + if os.path.isfile("{0}/{1}".format(src_dir, new_ossec_rc)): src_file = "{0}/{1}".format(src_dir, new_ossec_rc) dest_file = "{0}/etc/shared/{1}".format(ossec_path, new_ossec_rc) shutil.copyfile(src_file, dest_file) @@ -710,9 +806,10 @@ def setup_ossec_conf(item, type_item): ossec_conf = "{0}/etc/ossec.conf".format(ossec_path) if type_item == "rule": + # General if not regex_in_file("\s*{0}_rules.xml".format(item), ossec_conf): logger.log("\t\tNew rule in ossec.conf: '{0}'.".format(item)) - write_before_line("", ' {0}_rules.xml'.format(item), ossec_conf) + write_before_line("local_rules.xml", ' {0}_rules.xml'.format(item), ossec_conf) elif type_item == "rootcheck": types_rc = ["rootkit_files", "rootkit_trojans", "system_audit", "win_applications", "win_audit", "win_malware"] @@ -916,6 +1013,12 @@ def setup_ruleset_r(target_rules, r_action): logger.log("\tActivating rules in ossec.conf.") setup_ossec_conf(item, "rule") logger.log("\t\t[Done]") + # special case: update auditd + if r_action == "update" and item == "ossec": + if not regex_in_file("\s*auditd_rules.xml", "{0}/etc/ossec.conf".format(ossec_path)): + logger.log("\tActivating rules in ossec.conf.") + setup_ossec_conf("auditd", "rule") + logger.log("\t\t[Done]") # Info if r_action != "update": 
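Review bot: `if local_rules not in previous_end_rules` raises `TypeError` when `get_previous_line` returns `None` (empty file) and tests the wrong line when the end-of-rules marker is absent, because that helper returns the last line on a miss; the `except Exception as e` at the end of the hunk turns this into a logged error with ossec.conf possibly left half-rewritten. Guard it with `if previous_end_rules is None or local_rules not in previous_end_rules:` (the marker passed to `get_previous_line` is rendered as an empty string here, presumably a stripped XML tag). The generated `local_rules.xml` is opened with `open(path_local_rules, 'a')`, so its mode comes from the umask while only ownership is set via `os.chown`; an explicit `os.chmod(path_local_rules, 0o640)` after creation would match the root:ossec ownership the script applies. The function starts before the hunk.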
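Review bot: the new anchor `write_before_line("local_rules.xml", ...)` only activates a rule file if ossec.conf already contains a `local_rules.xml` include, yet the "New rule in ossec.conf" log line is emitted before the call, so an installation that has not been through `setup_wazuh_directory_structure` gets a success message and no include, assuming `write_before_line` is a no-op on a missing anchor (its body is not visible here). Check the anchor first, e.g. `if not regex_in_file("local_rules.xml", ossec_conf):` log a warning and fall back to the previous end-of-rules anchor. `setup_ossec_conf` continues beyond the hunk.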
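Review bot: `regex_in_file("\s*auditd_rules.xml", ...)` passes a non-raw string containing `\s`; it works because `\s` is not a recognised Python escape, but a pattern should be written `r"\s*auditd_rules.xml"` as the `regex_in_file` calls elsewhere should be too (the unescaped `.` matching any character is harmless here). The auditd special case also duplicates the activate/log triple used just above it for `item`, and its log message `"\tActivating rules in ossec.conf."` does not say which rules; `"\tActivating auditd rules in ossec.conf."` would make the log readable. `setup_ruleset_r` continues beyond the hunk.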
@@ -1161,8 +1264,10 @@ def usage(): # Setup ruleset if ruleset_type == "all": - manual_steps = setup_ruleset_r(rules, action) - setup_ruleset_rc(rootchecks, action) + if rules: + manual_steps = setup_ruleset_r(rules, action) + if rootchecks: + setup_ruleset_rc(rootchecks, action) elif ruleset_type == "rules": manual_steps = setup_ruleset_r(ruleset, action) elif ruleset_type == "rootchecks": diff --git a/rules-decoders/amazon-ec2/amazon-ec2_decoders.xml b/rules-decoders/amazon-ec2/amazon-ec2_decoders.xml new file mode 100644 index 000000000..cbcf9badc --- /dev/null +++ b/rules-decoders/amazon-ec2/amazon-ec2_decoders.xml @@ -0,0 +1,28 @@ + + + + + + ^"AmazonAWS"\.+"eventSource":"ec2.amazonaws.com" + + + + AmazonAWS-ec2 + "eventName":"(\S+)"\.+"userIdentity":"{u'\.+': u'(\S+)'\.+'accessKeyId': u'(\S+)' + action,user,id + + + diff --git a/rules-decoders/amazon-ec2/amazon-ec2_instructions.md b/rules-decoders/amazon-ec2/amazon-ec2_instructions.md new file mode 100644 index 000000000..5fc5075e9 --- /dev/null +++ b/rules-decoders/amazon-ec2/amazon-ec2_instructions.md @@ -0,0 +1,6 @@ +#Instructions for Amazon IAM rules +**Created by Wazuh, Inc. ** + +Before manual or automatic installation follow the previous steps [here](http://documentation.wazuh.com/en/latest/ossec_ruleset.html#amazon). + + diff --git a/rules-decoders/amazon-ec2/amazon-ec2_rules.xml b/rules-decoders/amazon-ec2/amazon-ec2_rules.xml new file mode 100644 index 000000000..8ed41744c --- /dev/null +++ b/rules-decoders/amazon-ec2/amazon-ec2_rules.xml 
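Review bot: `manual_steps` is now assigned only when `rules` is truthy, so in the `ruleset_type == "all"` branch an empty `rules` leaves the name unbound for whatever reads it after this block (not visible here, and unless it is initialised earlier in the script), where it would raise `NameError`; the other two branches always assign it. Initialise it before the `if`, e.g. `manual_steps = None` or the empty value `setup_ruleset_r` returns when there is nothing to do, so the later consumer sees a consistent value. The surrounding block begins before the hunk.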
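Review bot: the `AmazonAWS-ec2` child regex `"userIdentity":"{u'\.+': u'(\S+)'\.+'accessKeyId': u'(\S+)'` matches a Python 2 dict repr (`{u'key': u'value'`) embedded as a string inside JSON, so the `user` field is the value of whichever key happens to come first in that repr, which is not a stable choice of field, and the `u'` prefix disappears entirely under Python 3, at which point `user` and `id` stop decoding. The feed producer (presumably `tools/amazon/getawslog.py`, not in this chunk) should emit `userIdentity` as real JSON and the decoder should match named keys, e.g. `"userIdentity":\.+"userName":"(\S+)"` and a separate `"accessKeyId":"(\S+)"`. A comment in the decoder stating the exact input format it expects would at least make the dependency visible.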
@@ -0,0 +1,576 @@ + + + + + + + + AmazonAWS-ec2 + Amazon ec2 alerts. + + + + + + 80300 + RunInstances + Amazon-ec2: Run instance + amazon + + + + 80301 + "errorCode":"Client.InstanceLimitExceeded" + Amazon-ec2: Run instance InstanceLimit Exceeded + amazon + + + + 80301 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Run instance unauthorized + amazon + + + + 80300 + StartInstances + Amazon-ec2: Instance started + amazon + + + + 80304 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Start instance unauthorized + amazon + + + + 80300 + StopInstances + Amazon-ec2: Instance stopped + amazon + + + + 80306 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Stop instance unauthorized + amazon + + + + 80306 + "errorCode":"Client.InvalidInstanceID.NotFound" + Amazon-ec2: Stop instance Invalid Instance ID Not Found + amazon + + + + 80300 + TerminateInstances + Amazon-ec2: Instance terminated + amazon + + + + 80309 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Terminate instance unauthorized + amazon + + + + 80300 + ModifyInstanceAttribute + Amazon-ec2: Modify Instance attribute + amazon + + + + 80311 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Modify Instance attribute unauthorized + amazon + + + + 80311 + "errorCode":"Client.InvalidParameterValue" + Amazon-ec2: Modify Instance Invalid Parameter Value + amazon + + + + 80300 + AttachNetworkInterface + Amazon-ec2: Network Interface Attached + amazon + + + + 80314 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Network Interface Attached Unauthorized + amazon + + + + 80300 + DetachNetworkInterface + Amazon-ec2: Network Interface Detached + amazon + + + + 80316 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Network Interface Detached Unauthorized + amazon + + + + 80300 + DisassociateAddress + Amazon-ec2: Disassociate Address + amazon + + + + 80318 + "errorCode":"Client.MissingParameter" + Amazon-ec2: Disassociate Address Unauthorized + amazon + + + + 
80318 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Disassociate Address Unauthorized + amazon + + + + 80300 + MonitorInstances + Amazon-ec2: Monitor Instances + amazon + + + + 80321 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Monitor Instances + amazon + + + + 80300 + UnmonitorInstances + Amazon-ec2: Unmonitor Instances + amazon + + + + 80323 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Unmonitor Instances Unauthorized + amazon + + + + 80300 + ModifyNetworkInterfaceAttribute + Amazon-ec2: Modify Network Interface Attribute + amazon + + + + 80325 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Modify Network Interface Attribute Unauthorized + amazon + + + + 80300 + CreateImage + Amazon-ec2: Create Image + amazon + + + + 80327 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Create Image Unauthorized + amazon + + + + 80300 + RebootInstances + Amazon-ec2: Reboot Instances + amazon + + + + 80329 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Reboot Instances Unauthorized + amazon + + + + + + + 80300 + CreateImage + Amazon-ec2: Create AMI + amazon + + + + 80350 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Create AMI Unauthorized + amazon + + + + 80300 + DeregisterImage + Amazon-ec2: Deregister AMI + amazon + + + + 80352 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Deregister AMI Unauthorized + amazon + + + + 80300 + ModifyImageAttribute + Amazon-ec2: Modify Image Attribute + amazon + + + + 80354 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Modify Image Attribute Unauthorized + amazon + + + + 80300 + RegisterImage + Amazon-ec2: Register Image + amazon + + + + 80356 + "errorCode":"Client.InvalidManifest" + Amazon-ec2: Register Image Invalid Manifest + amazon + + + + 80356 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Register Image Unauthorized + amazon + + + + + + + 80300 + CreateVolume + Amazon-ec2: Create Volume + amazon + + + + 80370 + 
"errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Create Volume Unauthorized + amazon + + + + 80300 + AttachVolume + Amazon-ec2: Attach Volume + amazon + + + + 80372 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Attach Volume Unauthorized + amazon + + + + 80300 + DetachVolume + Amazon-ec2: Detach Volume + amazon + + + + 80374 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Detach Volume Unauthorized + amazon + + + + 80300 + CreateSnapshot + Amazon-ec2: Create Snapshot + amazon + + + + 80376 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Create Snapshot Unauthorized + amazon + + + + 80300 + ModifyVolumeAttribute + Amazon-ec2: Modify Volume Attribute + amazon + + + + 80378 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Modify Volume Attribute Unauthorized + amazon + + + + 80300 + CreateTags + Amazon-ec2: Create Tags + amazon + + + + 80380 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Create Tags Unauthorized + amazon + + + + 80300 + DeleteTags + Amazon-ec2: Delete Tags + amazon + + + + 80382 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Delete Tags Unauthorized + amazon + + + + 80300 + DeleteVolume + Amazon-ec2: Delete Volume + amazon + + + + 80384 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Delete Volume Unauthorized + amazon + + + + 80300 + ModifySnapshotAttribute + Amazon-ec2: Modify Snapshot Attribute + amazon + + + + 80386 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Modify Snapshot Attribute Unauthorized + amazon + + + + 80300 + CopySnapshot + Amazon-ec2: Copy Snapshot + amazon + + + + 80388 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Copy Snapshot Unauthorized + amazon + + + + 80300 + DeleteSnapshot + Amazon-ec2: Delete Snapshot + amazon + + + + 80390 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Delete Snapshot Unauthorized + amazon + + + + 80390 + "errorCode":"Client.InvalidSnapshot.InUse" + Amazon-ec2: Delete Snapshot 
Invalid in use + amazon + + + + 80300 + CreateSecurityGroup + Amazon-ec2: Create Security Group + amazon + + + + 80393 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Create Security Group Snapshot Unauthorized + amazon + + + + 80393 + "errorCode":"Client.InvalidParameterValue" + Amazon-ec2: Create Security Group Invalid Parameter Value + amazon + + + + 80300 + DeleteSecurityGroup + Amazon-ec2: Delete Security Group + amazon + + + + 80396 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Delete Security Group Snapshot Unauthorized + amazon + + + + + 80300 + AllocateAddress + Amazon-ec2: Allocate Address + amazon + + + + 80398 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Allocate Address Unauthorized + amazon + + + + 80398 + "errorCode":"Client.AddressLimitExceeded" + Amazon-ec2: Allocate Address Limit Exceeded + amazon + + + + 80300 + DisassociateAddress + Amazon-ec2: Disassociate Address + amazon + + + + 80401 + "errorCode":"Client.MissingParameter" + Amazon-ec2: Disassociate Address Missing Parameter + amazon + + + + 80401 + "errorCode":"Client.InvalidAssociationID.NotFound" + Amazon-ec2: Disassociate Address Invalid Association ID Not Found + amazon + + + + 80401 + "errorCode":"Client.InvalidParameterValue" + Amazon-ec2: Disassociate Address Invalid Parameter Value + amazon + + + + 80300 + CreatePlacementGroup + Amazon-ec2: Create Placement Group + amazon + + + + 80405 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Create Plazament Group Unauthorized Operation + amazon + + + + 80300 + DeletePlacementGroup + Amazon-ec2: Delete Placement Group + amazon + + + + 80407 + "errorCode":"Client.UnauthorizedOperation" + Amazon-ec2: Delete Plazament Group Unauthorized Operation + amazon + + + + + + diff --git a/rules-decoders/amazon-iam/amazon-iam_decoders.xml b/rules-decoders/amazon-iam/amazon-iam_decoders.xml new file mode 100644 index 000000000..2cd2f8a74 --- /dev/null +++ b/rules-decoders/amazon-iam/amazon-iam_decoders.xml 
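Review bot: two sibling rules under parent 80300 match the same `eventName`: `CreateImage` is defined both as "Create Image" (parent of 80327) and as "Create AMI" (parent of 80350), and `DisassociateAddress` both as the parent of 80318 and again as the parent of 80401 with a different set of error-code children, so only one of each pair can fire and the other's `UnauthorizedOperation`/`MissingParameter` children are unreachable; drop one copy of each and merge the children. Several descriptions are copy-pasted wrong: the 80318 child matching `Client.MissingParameter` is described as "Disassociate Address Unauthorized", the 80321 child omits "Unauthorized", and "Create/Delete Security Group Snapshot Unauthorized" and "Plazament Group" should read "Security Group" and "Placement Group". Rule levels and ids are stripped in this rendering, so I could not confirm that the unauthorized-operation children are levelled above their informational parents, which is what makes them useful as alerts.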
@@ -0,0 +1,41 @@ + + + + + + ^"AmazonAWS"\.+"eventSource":"signin.amazonaws.com" + + + + AmazonAWS-signin + "eventName":"ConsoleLogin" + "eventName":"(\S+)"\.+"userIdentity":"{u'\.+': u'(\S+)' + action,user + + + + + ^"AmazonAWS"\.+"eventSource":"iam.amazonaws.com" + + + + AmazonAWS-iam + "eventName":"(\S+)"\.+"userIdentity":"{u'\.+': u'(\S+)'\.+'accessKeyId': u'(\S+)' + action,user,id + + + diff --git a/rules-decoders/amazon-iam/amazon-iam_instructions.md b/rules-decoders/amazon-iam/amazon-iam_instructions.md new file mode 100644 index 000000000..9ac3f0b0d --- /dev/null +++ b/rules-decoders/amazon-iam/amazon-iam_instructions.md @@ -0,0 +1,7 @@ +#Instructions for Amazon IAM rules +**Created by Wazuh, Inc. ** + + +Before manual or automatic installation follow the previous steps [here](http://documentation.wazuh.com/en/latest/ossec_ruleset.html#amazon). + + diff --git a/rules-decoders/amazon-iam/amazon-iam_rules.xml b/rules-decoders/amazon-iam/amazon-iam_rules.xml new file mode 100644 index 000000000..541509c79 --- /dev/null +++ b/rules-decoders/amazon-iam/amazon-iam_rules.xml 
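Review bot: neither the `AmazonAWS-signin` nor the `AmazonAWS-iam` child decoder extracts a source address, only `action,user` / `action,user,id`, so the console-login-failure rules built on them cannot correlate attempts by source or report the client IP; CloudTrail records carry `sourceIPAddress`, so a capture such as `"sourceIPAddress":"(\S+)"` with `srcip` added to the order would make the login rules usable for blocking and for PCI 10.2.4 reporting. The `user` capture `"userIdentity":"{u'\.+': u'(\S+)'` takes the value of whichever key comes first in a Python 2 dict repr, which is not a stable field, and the `u'` prefix disappears under Python 3. The signin decoder's `"eventName":"ConsoleLogin"` line is shown without its tag here, presumably a stripped XML element.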
@@ -0,0 +1,263 @@ + + + + + + + + AmazonAWS-signin + Amazon sign in alerts. + + + + 80250 + ConsoleLogin + Amazon-signin: User Login Success + amazon,authentication_success + + + + 80251 + 'ConsoleLogin': u'Failure' + Amazon-signin: User Login failed + amazon,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, + + + + 80252 + Possible breakin attempt (high number of login attempts). + amazon,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5, + + + + + AmazonAWS-iam + Amazon IAM alerts. + + + + 80260 + CreateUser + Amazon-iam: User created + amazon + + + + 80261 + "errorCode":"AccessDenied" + Amazon-iam: User creation denied + amazon + + + + 80260 + AddUserToGroup + Amazon-iam: User added to a group + amazon + + + + 80263 + "errorCode":"AccessDenied" + Amazon-iam: User added to a group denied + amazon + + + + 80260 + RemoveUserFromGroup + Amazon-iam: User removed from a group + amazon + + + + 80265 + "errorCode":"AccessDenied" + Amazon-iam: User removed from a group denied + amazon + + + + 80260 + UpdateAccessKey + Amazon-iam: Access key updated + amazon + + + + 80267 + "errorCode":"AccessDenied" + Amazon-iam: Access key updated denied + amazon + + + + 80260 + AttachGroupPolicy + Amazon-iam: Group policy attached to a group + amazon + + + + 80269 + "errorCode":"AccessDenied" + Amazon-iam: Group policy attached to a group denied + amazon + + + + 80260 + DetachGroupPolicy + Amazon-iam: Group policy deattached to a group + amazon + + + + 80271 + "errorCode":"AccessDenied" + Amazon-iam: Group policy deattached to a group denied + amazon + + + + 80260 + AttachUserPolicy + Amazon-iam: User policy attached to a user + amazon + + + + 80273 + "errorCode":"AccessDenied" + Amazon-iam: User policy attached to a user denied + amazon + + + + 80260 + DetachUserPolicy + Amazon-iam: User policy deattached to a user + amazon + + + + 80275 + "errorCode":"AccessDenied" + Amazon-iam: User policy deattached to a user denied + amazon + + + + 80260 + AttachRolePolicy + 
Amazon-iam: Rule policy attached to a user + amazon + + + + 80277 + "errorCode":"AccessDenied" + Amazon-iam: Rule policy attached to a user denied + amazon + + + + 80260 + DetachRolePolicy + Amazon-iam: Rule policy deattached to a user + amazon + + + + 80279 + "errorCode":"AccessDenied" + Amazon-iam: Rule policy deattached to a user denied + amazon + + + + 80260 + CreateGroup + Amazon-iam: Group created + amazon + + + + 80281 + "errorCode":"AccessDenied" + Amazon-iam: Group creation denied + amazon + + + + 80260 + CreateRole + Amazon-iam: Role created + amazon + + + + 80283 + "errorCode":"AccessDenied" + Amazon-iam: Role creation denied + amazon + + + + 80260 + CreatePolicy + Amazon-iam: Policy created + amazon + + + + 80285 + "errorCode":"AccessDenied" + Amazon-iam: Policy creation denied + amazon + + + + 80260 + UpdateAccountPasswordPolicy + Amazon-iam: Policy password account update + amazon + + + + 80287 + "errorCode":"AccessDenied" + Amazon-iam: Policy password account update denied + amazon + + + + 80260 + CreateAccountAlias + Amazon-iam: Account alias created + amazon + + + + 80260 + DeleteAccountAlias + Amazon-iam: Account alias deleted + amazon + + + + 80260 + UpdateInstanceAlias + Amazon-iam: Account alias updated + amazon + + + + + diff --git a/rules-decoders/netscaler/netscaler_decoders.xml b/rules-decoders/netscaler/netscaler_decoders.xml index ac566dd88..7edd34343 100644 --- a/rules-decoders/netscaler/netscaler_decoders.xml +++ b/rules-decoders/netscaler/netscaler_decoders.xml @@ -1,19 +1,17 @@ - \d\d/\d\d/\d\d\d\d:\s*\d\d:\d\d:\d\d\s+GMT\s+\S+\.+PPE\.+:\s|\d\d/\d\d/\d\d\d\d:\s*\d\d:\d\d:\d\d\s+GMT\s+ns\.+:\s @@ -33,11 +31,12 @@ AAA LOGIN_FAILED netscaler - UI CMD_EXECUTED - (UI) CMD_EXECUTED \.+User (\S+) - Remote_ip (\S+) - Command "(\.+)" - Status "(\.+)" + UI CMD_EXECUTED| API CMD_EXECUTED + (\S+) CMD_EXECUTED \.+User (\S+) - Remote_ip (\S+) - Command "(\.+)" - Status "(\.+)" id,srcuser,srcip,action,status @@ -164,4 +163,3 @@ Generic - 
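Review bot: the IAM rule set covers creation of users, groups, roles and policies but not the actions most often seen in credential abuse, namely `CreateAccessKey`, `DeleteUser`, `CreateLoginProfile`/`UpdateLoginProfile`, `DeactivateMFADevice`/`DeleteVirtualMFADevice` and `PutUserPolicy`/`PutGroupPolicy`, each of which fits the existing `80260` + `match` pattern with an `AccessDenied` child. The `AttachRolePolicy`/`DetachRolePolicy` descriptions say "Rule policy attached to a user"; these attach a managed policy to a role, so "Role policy attached to a role" is accurate. `UpdateInstanceAlias` does not look like an IAM API (the alias actions are `CreateAccountAlias`/`DeleteAccountAlias`); confirm the event name before keeping that rule. Rule 80251's `'ConsoleLogin': u'Failure'` match depends on the Python 2 repr format the decoders also rely on, which is worth a comment in the rule.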
diff --git a/rules-decoders/netscaler/netscaler_rules.xml b/rules-decoders/netscaler/netscaler_rules.xml index 01d4e1e88..6c65e15a3 100644 --- a/rules-decoders/netscaler/netscaler_rules.xml +++ b/rules-decoders/netscaler/netscaler_rules.xml @@ -1,22 +1,15 @@ - + - This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2 +--> @@ -44,40 +37,42 @@ id (Decoder): AAA, UI, SSLVPN, EVENT, SSLLOG, APPFW, TCP, ROUTING, SNMP, ACL, TR 80100 - UI CMD_EXECUTED + UI CMD_EXECUTED|API CMD_EXECUTED Success - Netscaler: UI command executed - netscaler-ui, + Netscaler: UI/API command executed + netscaler-cmd, 80100 - UI CMD_EXECUTED + UI CMD_EXECUTED|API CMD_EXECUTED Error - Netscaler: UI command executed failed - netscaler-ui, + Netscaler: UI/API command executed failed + netscaler-cmd, 80104 Netscaler: Multiple commands failed - netscaler-ui,pci_dss_10.2.2,pci_dss_10.6.1, + netscaler-cmd,pci_dss_10.2.2,pci_dss_10.6.1, 80100 - UI CMD_EXECUTED + UI CMD_EXECUTED|API CMD_EXECUTED Command "(\.*delete\.*)" - Netscaler: UI dangerous command - netscaler-ui, + Netscaler: UI/API dangerous command + netscaler-cmd, 80100 - UI CMD_EXECUTED - login + UI CMD_EXECUTED|API CMD_EXECUTED + Command "login Success - Netscaler: UI login succeeds - netscaler-ui,authentication_success,pci_dss_10.2.5, + Netscaler: UI/API login succeeds + netscaler-cmd,authentication_success,pci_dss_10.2.5, 80100 - UI CMD_EXECUTED - login + UI CMD_EXECUTED|API CMD_EXECUTED + Command "login Error - Netscaler: UI login failed - authentication_failed,netscaler-ui,pci_dss_10.2.4,pci_dss_10.2.5, + Netscaler: UI/API login failed + authentication_failed,netscaler-cmd,pci_dss_10.2.4,pci_dss_10.2.5, 80139 - Netscaler: Multiple UI login failed - authentication_failures,netscaler-ui,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4, + Netscaler: Multiple UI/API login failed + authentication_failures,netscaler-cmd,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4, 
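Review bot: the "dangerous command" rule still keys only on `Command "(\.*delete\.*)"`, now for API as well as UI sources; on NetScaler `rm`, `clear config`, `add system user`, `set system user ... -password`, `bind system user` and `save config` are at least as security-relevant and would be missed. Extend the match with further `|`-separated alternatives on the match line, the same top-level OR the `UI CMD_EXECUTED|API CMD_EXECUTED` prematch already uses, rather than a parenthesised group, which OSSEC's regex dialect does not support. The trailing comma in the group lists (`pci_dss_10.6.1,`) follows the rest of the file.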
diff --git a/rules-decoders/netscaler/reference.xlsx b/rules-decoders/netscaler/reference.xlsx deleted file mode 100644 index 50365fac7..000000000 Binary files a/rules-decoders/netscaler/reference.xlsx and /dev/null differ diff --git a/rules-decoders/ossec/decoders/auditd_decoders.xml b/rules-decoders/ossec/decoders/auditd_decoders.xml index 1c9d2801e..9bb194e83 100644 --- a/rules-decoders/ossec/decoders/auditd_decoders.xml +++ b/rules-decoders/ossec/decoders/auditd_decoders.xml 
@@ -1,125 +1,320 @@ - + - - - -type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)' -type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)' -type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron -type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' -type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)' - - -type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 
subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)' - - -type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp" -type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null) -type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod" -type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' -type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 - - -type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0 - + - Allowed fields: + - location - where the log came from (only on FTS) + - srcuser - extracts the source username + - dstuser - extracts the destination (target) username + - user - an alias to dstuser (only one of the two can be used) + - srcip - source ip + - dstip - dst ip + - srcport - source port + - dstport - 
destination port + - protocol - protocol + - id - event id + - url - url of the event + - action - event action (deny, drop, accept, etc) + - status - event status (success, failure, etc) + - extra_data - Any extra data --> ^type= - - - auditd - ^AVC - ^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$ - action,id,status,extra_data + + + auditd + ^CONFIG_CHANGE + ^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=(\d+) op="\.+" path="(\.+)" key=\S+ list=\d+ res=(\d+)$ + action,id,url,extra_data,status - - - auditd - ^SYSCALL - ^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)" - action,id,status,extra_data + + auditd + ^DAEMON_ + ^(DAEMON_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): \.+ res=(\S+)$ + action,id,status - - - auditd - ^CONFIG_CHANGE - ^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$ - action,id,extra_data + + + auditd + ^ANOM_PROMISCUOUS + ^(ANOM_PROMISCUOUS) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): dev=(\S+) prom\.+uid=(\d+) gid\.+ses=(\d+) + action,id,extra_data,user,url + + + + + auditd + ^AVC + ^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" + action,id,status,extra_data + + + + auditd + ^MAC_STATUS + ^(MAC_STATUS) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): enforcing=(\d+) old_enforcing\.+ses=(\d+) + action,id,extra_data,url + + + + + auditd + ^SYSCALL + ^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=(\d+) success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=(\d+) gid=\d+ 
euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=(\d+) comm="\S+" exe="(\.+)" + action,id,protocol,status,user,url,extra_data - + auditd ^PATH - ^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+ + ^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name=(/\S+) inode|^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode|^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): action,id,extra_data - - + + auditd - ^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+| - ^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+ - action,id + ^CRYPTO_SESSION + ^(CRYPTO_SESSION) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): \.+uid=(\d+) \.+rport=(\d+) laddr=(\S+) lport=(\d+) id=\d+ exe="(\S+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)' + action,id,user,dstport,dstip,srcport, extra_data, srcip, status - + + auditd - acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$ - user,extra_data,srcip + ^CWD + ^(CWD) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+cwd="(\S+)"$ + action,id,extra_data - - auditd - ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$ - user,extra_data,srcip,status + + + + auditd + ^USER_\.+ses=\.+acct=|^CRED_\.+ses=\.+acct= + ^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): \.*uid=(\d+) auid=\d+ ses=(\d+) \.+acct="(\S+)" exe="(\.+)"\.+hostname=\S+ addr=(\d+.\d+.\d+.\d+)\p*\sterminal=\S+ res=(\w+)|^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): + action,id,srcuser,url,dstuser,extra_data,srcip,status - - auditd - subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$ - user,extra_data,srcip,status + + auditd + ^USER_\.+acct=|^CRED_\.+acct= + ^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): \.*uid=(\d+) 
auid\.+acct="(\S+)"\.+exe="(\.+)"\.+hostname=\S+ addr=(\d+.\d+.\d+.\d+)\p*\sterminal=\S+ res=(\w+)|^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): + action,id,srcuser,dstuser,extra_data,srcip,status + auditd + ^USER_|^CRED_ + ^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): \.*uid=(\d+) auid\.+exe="(\.+)"\.+hostname=\S+ addr=(\d+.\d+.\d+.\d+)\p*\sterminal=\S+ res=(\w+)|^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): + action,id,srcuser,extra_data,srcip,status + + + + + auditd - subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$ - extra_data,srcip,status - \ No newline at end of file + ^ANOM_ABEND + ^(ANOM_ABEND) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\.+uid=(\d+) gid\.+ses=(\d+) \.+comm="(\S+)" + action,id,user,url,extra_data + + + + + + auditd + ^ANOM_EXEC + ^(ANOM_EXEC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): \.*uid=(\d+) auid=\.+ ses=(\d+) \.+acct="(\S+)" exe="(\.+)"\.+hostname=\S+, addr=(\S+), terminal=\S+ res=(\w+) + action,id,srcuser,url,dstuser,extra_data,srcip,status + + + + + auditd + ^SERVICE_START + ^(SERVICE_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\.+uid=(\d+) auid=\.+ses=(\d+) msg=' comm="(\S+)" exe="\S+"\.+hostname=\S+ addr=(\d+.\d+.\d+.\d+)\p*\sterminal=\S+ res=(\w+)|^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): + action,id,srcuser,url,extra_data,srcip,status + + + + auditd + ^SERVICE_STOP + ^(SERVICE_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\.+uid=(\d+) auid=\.+ses=(\d+) msg=' comm="(\S+)" exe="\S+"\.+hostname=\S+ addr=(\d+.\d+.\d+.\d+)\p* res=(\w+)|^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): + action,id,srcuser,url,extra_data,srcip,status + + + + + + auditd + ^\S+ msg=audit\.+ses= + ^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): \.+ses=(\d+) + action,id,url + + + + auditd + ^\S+ msg=audit + ^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): + action,id + 
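Review bot: The new USER_/CRED_, SYSCALL, ANOM_*, SERVICE_* and catch-all decoders reuse the fixed decoder fields with meanings that differ from the ones listed in the file's own header comment: the audit session id (`ses=`) goes into `url`, the numeric `uid=` into `srcuser`/`user`, the syscall number into `protocol` and the exe or comm path into `extra_data`. Nothing in the file records that, so a rule author or a report grouped by `url`/`srcuser` will read session numbers as URLs and uids as user names; a comment before the first such decoder, `<!-- field reuse: url = audit session id (ses=), srcuser/user = numeric uid, protocol = syscall number, extra_data = exe/comm (decoder field set is fixed, see header) -->`, would make the mapping explicit. The `<order>` of the CRYPTO_SESSION decoder is the only one with spaces after commas (`srcport, extra_data, srcip, status`); I believe the loader skips leading spaces, but writing it like the other order lists avoids depending on that. The two generic `^\S+ msg=audit` decoders at the end only work as fallbacks because they are the last children of `auditd`; a comment saying they must stay last would protect that ordering.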
diff --git a/rules-decoders/ossec/decoders/vsftpd_decoders.xml b/rules-decoders/ossec/decoders/vsftpd_decoders.xml
index eafeb6cb5..dad56afac 100644
--- a/rules-decoders/ossec/decoders/vsftpd_decoders.xml
+++ b/rules-decoders/ossec/decoders/vsftpd_decoders.xml
@@ -23,7 +23,6 @@ - extra_data - Any extra data --> - -
@@ -88,4 +85,4 @@ vsftpd Client "(\d+.\d+.\d+.\d+)"$ srcip - +
\ No newline at end of file
diff --git a/rules-decoders/ossec/decoders/windows_decoders.xml b/rules-decoders/ossec/decoders/windows_decoders.xml
index 767a7b4c5..11ebde9a5 100644
--- a/rules-decoders/ossec/decoders/windows_decoders.xml
+++ b/rules-decoders/ossec/decoders/windows_decoders.xml
@@ -89,6 +89,26 @@ url, srcip, id + + + + windows-date-format + web-log + true + ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST + (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+ + url,srcip,id + + + 31101 + "\(\)\s*{\s*:;\s*}\s*; + Shellshock attack attempt + attack,pci_dss_11.4, + +
diff --git a/rules-decoders/ossec/rules/attack_rules.xml b/rules-decoders/ossec/rules/attack_rules.xml
index 469fdc5a8..0b46662fa 100644
--- a/rules-decoders/ossec/rules/attack_rules.xml
+++ b/rules-decoders/ossec/rules/attack_rules.xml
@@ -97,7 +97,7 @@ - + adduser
diff --git a/rules-decoders/ossec/rules/auditd_rules.xml b/rules-decoders/ossec/rules/auditd_rules.xml
new file mode 100644
index 000000000..d80b40c62
--- /dev/null
+++ b/rules-decoders/ossec/rules/auditd_rules.xml
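Review bot: The second block added to windows_decoders.xml (`31101`, the `"\(\)\s*{\s*:;\s*}\s*;` regex, the `Shellshock attack attempt` description and the `attack,pci_dss_11.4,` group) reads like a `<rule>` with `<if_sid>31101</if_sid>`, yet it sits in a decoders file; the XML tags are lost in this view, so this is inferred, but if it is a rule it is not picked up by the rules loader and may break decoder parsing of that file. The same pattern is added to web_rules.xml later in this commit under parent 31108 with a different description (`Shellshock attack detected`), so one rule in web_rules.xml with `<if_sid>31101,31108</if_sid>` and a single description would cover both the IIS and the Apache-style decoders and remove the duplicate. A one-line comment above the new IIS decoder naming the log format it expects would also help, since its parent `web-log` and `windows-date-format` decoders are outside the hunk.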
@@ -0,0 +1,562 @@ + + + + + + + auditd + auditd messages grouped. + + + + + 80700 + DAEMON_RESUME|DAEMON_START + success + Auditd: Start / Resume + + + + 80700 + DAEMON_RESUME|DAEMON_START + failed + Auditd: Start / Resume FAILED + + + + + 80700 + DAEMON_END + success + Auditd: End + + + + + 80700 + DAEMON_ABORT + Auditd: Abort + + + + + 80700 + CONFIG_CHANGE|DAEMON_CONFIG + Auditd: Configuration changed + + + + + 80700 + ANOM_CRYPTO_FAIL + Auditd: failure in the cryptographic system detected + + + + + 80700 + CRYPTO_FAILURE_USER + Auditd: decrypt, encrypt, or randomize cryptographic operation failed + + + + + 80700 + CRYPTO_REPLAY_USER + Auditd: replay attack detected + pci_dss_11.4, + + + + + 80700 + CRYPTO_SESSION + Auditd: TLS session establishment. + + + + + 80700 + ANOM_PROMISCUOUS + prom=256 + Auditd: device enables promiscuous mode + pci_dss_11.4,pci_dss_10.6.1, + + + + + 80700 + ANOM_ABEND + Auditd: process ended abnormally + + + + + 80700 + ANOM_EXEC + Auditd: execution of a file ended abnormally + + + + + 80700 + ANOM_MK_EXEC + Auditd: file is made executable + + + + + 80700 + AVC + Auditd: SELinux permission check + pci_dss_10.6.1, + + + + + 80700 + MAC_STATUS + Auditd: SELinux mode (enforcing, permissive, off) is changed + pci_dss_10.6.1, + + + + + 80700 + SELINUX_ERR|USER_SELINUX_ERR + Auditd: SELinux error + pci_dss_10.6.1, + + + + + 80700 + USER_ROLE_CHANGE + Auditd: user SELinux role changed + + + + + + 80700 + SERVICE_START + Auditd: Service started + + + + 80700 + SERVICE_STOP + Auditd: Service stopped + + + + + 80700 + SYSCALL + Auditd: system call to the kernel + + + + + 80700 + EXECVE + Auditd: arguments of the execve(2) system call + + + + + 80700 + CWD + Auditd: Current working directory + + + + + 80700 + PATH + Auditd: path information + + + + + 80700 + ANOM_ACCESS_FS + Auditd: file or a directory access ended abnormally + + + + + 80700 + ANOM_AMTU_FAIL + Auditd: failure of the Abstract Machine Test Utility (AMTU) detected + + + + + 80700 + 
ANOM_MAX_DAC|ANOM_MAX_MAC + Auditd: maximum amount of Discretionary Access Control (DAC) or Mandatory Access Control (MAC) failures reached + + + + + 80700 + ANOM_RBAC_FAIL|ANOM_RBAC_INTEGRITY_FAIL + Auditd: Role-Based Access Control (RBAC) failure detected. + + + + + 80700 + USER_AUTH + Auditd: authentication attempt detected + pci_dss_10.2.5, + + + + + 80700 + USER_ACCT + Auditd: user account modified + + + + + 80700 + LOGIN + Auditd: LOGIN information + + + + + 80700 + USER_START + Auditd: session started + pci_dss_10.2.5, + + + + + 80700 + USER_END + Auditd: session terminated + pci_dss_10.2.5, + + + + + 80700 + USER_LOGIN + Auditd: user logged in + pci_dss_10.2.5, + + + + + 80700 + USER_LOGOUT + Auditd: user logged out + pci_dss_10.2.5, + + + + + 80700 + CRED_ACQ + Auditd: user acquires user-space credentials + + + + + 80700 + CRED_REFR + Auditd: user refreshes their user-space credentials + + + + + 80700 + CRED_DISP + Auditd: user disposes of user-space credentials + + + + + 80700 + USER_CMD + Auditd: shell command executed + + + + + 80700 + USER_ERR + Auditd: account state error detected + pci_dss_10.6.1, + + + + + 80700 + CHGRP_ID + Auditd: group ID changed + + + + + 80700 + CHUSER_ID + Auditd: user ID changed + + + + + 80700 + USER_CHAUTHTOK + Auditd: account attribute modified + + + + + 80700 + DEL_GROUP + Auditd: group deleted + pci_dss_10.2.5, + + + + + 80700 + DEL_USER + Auditd: user deleted + pci_dss_10.2.5, + + + + + 80700 + ANOM_ADD_ACCT + Auditd: user-space account addition ended abnormally. + pci_dss_10.6.1, + + + + + 80700 + ANOM_DEL_ACCT + Auditd: user-space account deletion ended abnormally. + pci_dss_10.6.1, + + + + + 80700 + ANOM_MOD_ACCT + Auditd: user-space account modification ended abnormally. + pci_dss_10.6.1, + + + + + 80700 + ANOM_ROOT_TRANS + Auditd: user becomes root + pci_dss_10.6.1, + + + + + 80700 + ANOM_LOGIN_ACCT + Auditd: account login attempt ended abnormally. 
+ pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1, + + + + + 80700 + ANOM_LOGIN_FAILURES + Auditd: limit of failed login attempts reached. + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1, + + + + + 80700 + ANOM_LOGIN_LOCATION + Auditd: login attempt from a forbidden location. + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1, + + + + + 80700 + ANOM_LOGIN_SESSIONS + Auditd: login attempt reached the maximum amount of concurrent sessions. + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1, + + + + + 80700 + ANOM_LOGIN_TIME + Auditd: login attempt is made at a time when it is prevented by, for example, pam_time. + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1, + + + + + + + + diff --git a/rules-decoders/ossec/rules/syslog_rules.xml b/rules-decoders/ossec/rules/syslog_rules.xml index 50be9b1ce..9fd96cc33 100644 --- a/rules-decoders/ossec/rules/syslog_rules.xml +++ b/rules-decoders/ossec/rules/syslog_rules.xml @@ -492,18 +492,17 @@ - - + sudo Initial group for sudo messages - + 5400 - 3 incorrect password attempts - Three failed attempts to run sudo + incorrect password attempt + Failed attempt to run sudo pci_dss_10.2.4,pci_dss_10.2.5, @@ -519,7 +518,14 @@ alert_by_email First time user executed sudo. - + + + + 5401 + 3 incorrect password attempts + Three failed attempts to run sudo + pci_dss_10.2.4,pci_dss_10.2.5, + diff --git a/rules-decoders/ossec/rules/systemd_rules.xml b/rules-decoders/ossec/rules/systemd_rules.xml index e27a7eea3..0df6abd3b 100644 --- a/rules-decoders/ossec/rules/systemd_rules.xml +++ b/rules-decoders/ossec/rules/systemd_rules.xml @@ -1,8 +1,8 @@ - ^systemd$ - Uh-oh, someone slipped you systemd! + ^systemd$|^systemctl$ + Systemd rules @@ -11,6 +11,16 @@ Stale file handle. + + 40700 + Failed to get unit file state for + Failed to get unit state for service. This means that the .service file is missing + + + 40700 + entered failed state + Service has entered a failed state, and likely has not started. + 
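Review bot: The USER_AUTH, USER_LOGIN and USER_START rules fire regardless of the decoded outcome, and USER_AUTH carries only `pci_dss_10.2.5`, so a failed authentication is not distinguished from a successful one and never reaches the `authentication_failed` / `pci_dss_10.2.4` groups the rest of this commit uses for failures (see the netscaler login rules). The auditd decoder shipped in this commit extracts `res=(\w+)` into `status`, so a child rule with `<if_sid>` on the USER_AUTH rule, `<status>failed</status>` and `<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>` would separate them, and it is also the hook a frequency rule for repeated failures needs. Rule ids and levels are not visible in this view, so I cannot tell whether the SYSCALL, PATH, CWD and EXECVE rules are at level 0; if they alert, every audit record of a watched syscall becomes an alert, which is worth a comment on those four rules either way.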
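Review bot: The new child of 5401 keyed on `3 incorrect password attempts` hard-codes sudo's default `passwd_tries`; on a host where that option is set to another value the final message carries that other count, only the parent `incorrect password attempt` rule fires, and the "three failed attempts" escalation with its `pci_dss_10.2.4` mapping never triggers. Matching the plural form, `<match>incorrect password attempts</match>`, or `<regex>\d+ incorrect password attempts</regex>`, follows whatever limit is configured. The level of the parent 5401 is outside the hunk, so I cannot tell whether the single-failure rule alone already alerts.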
diff --git a/rules-decoders/ossec/rules/web_rules.xml b/rules-decoders/ossec/rules/web_rules.xml
index a97c1c518..5523c972b 100644
--- a/rules-decoders/ossec/rules/web_rules.xml
+++ b/rules-decoders/ossec/rules/web_rules.xml
@@ -223,4 +223,20 @@ attack,sqlinjection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1, + + + 31108 + "\(\)\s*{\s*:;\s*}\s*; + Shellshock attack detected + attack,pci_dss_11.4, + +
diff --git a/rules-decoders/puppet/puppet_instructions.md b/rules-decoders/puppet/puppet_instructions.md
index af31c8aa0..8b86fb7a4 100644
--- a/rules-decoders/puppet/puppet_instructions.md
+++ b/rules-decoders/puppet/puppet_instructions.md
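Review bot: The Shellshock regex `"\(\)\s*{\s*:;\s*}\s*;` starts with a literal double quote, so it is written for a quoted log field such as the User-Agent in combined-format access logs, but nothing in the rule says so. A comment stating that assumption, `<!-- payload is expected inside a quoted request field (e.g. User-Agent); parent 31108 is the web access-log rule -->`, tells a maintainer why the quote is there and when the rule is not expected to fire. The parent 31108 is outside the hunk, so its scope cannot be confirmed here.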
@@ -5,20 +5,6 @@ Run `ossec_ruleset.py -r` to install Puppet rules. More information about automa If you prefer to install the rules manually follow the instructions listed [here](http://documentation.wazuh.com/en/latest/ossec_ruleset.html#manual-installation). -### Last step -Some rules need to read the output of a command. **To complete the installation you must perform the following step**: -Copy the code below to */var/ossec/etc/shared/agent.conf* in your **OSSEC Manager** to allow OSSEC execute this command and read its output: -```xml - - - full_command - timestamp_puppet=`cat /var/lib/puppet/state/last_run_summary.yaml | grep last_run | cut -d: -f 2 | tr -d '[[:space:]]'`;timestamp_current_date=$(date +"%s");diff_min=$((($timestamp_current_date-$timestamp_puppet)/60));if [ "$diff_min" -le "30" ];then echo "Puppet: OK. It runs in the last 30 minutes";else puppet_date=`date -d @"$timestamp_puppet"`;echo "Puppet: KO. Last run: $puppet_date";fi - 2100 - - -``` - Also you must configure in **every agent** the logcollector option to accept remote commands from the manager. To do this, add the following lines to */var/ossec/etc/internal_options.conf*: +After manual or automatic installation follow the last step [here](http://wazuh-documentation.readthedocs.org/en/latest/ossec_ruleset.html#puppet). - # Logcollector - If it should accept remote commands from the manager - logcollector.remote_commands=1 diff --git a/rules-decoders/puppet/puppet_rules.xml b/rules-decoders/puppet/puppet_rules.xml index d6ebf4a63..a3e049c13 100644 --- a/rules-decoders/puppet/puppet_rules.xml +++ b/rules-decoders/puppet/puppet_rules.xml 
@@ -85,7 +85,7 @@ *Run error - Sep 30 15:45:30 puppet puppet-master[3400]: Could not run: Address already in use - bind(2) - *Manifiest Errors + *Manifest Errors - Sep 30 15:55:46 puppet puppet-master[3594]: Could not parse for environment production: No file(s) found for import of 'nodes.pp' at /etc/puppet/manifests/site.pp:2 on node ubuntu.localdomain - Sep 30 16:07:13 puppet puppet-master[3594]: You cannot collect exported resources without storeconfigs being set; the collection will be ignored on line 96 in file /etc/puppet/modules/ossec/manifests/server.pp - Oct 1 16:13:38 puppet puppet-master[7879]: too few arguments at /etc/puppet/modules/ossec/manifests/params.pp:71 on node windows.localdomain @@ -121,7 +121,7 @@ 80000 ^Could not|^You cannot|^too few arguments|^Duplicate declaration|^Unrecognised escape sequence|^Invalid parameter|is not|has not been tested|Unknown function|failed|has failure manifests - Puppet Master: Manifiest Error + Puppet Master: Manifest Error @@ -319,7 +319,7 @@ - +