From 5cde0e0520c72804b6eac8f08d976db777d7ba04 Mon Sep 17 00:00:00 2001
From: Dominik Lisiak <dominik.lisiak@bemsoft.pl>
Date: Fri, 26 Oct 2018 18:45:19 +0200
Subject: Added CIS benchmarks. Improved profiles.

---
 .../files/template-logs-default.xml.in             | 68 ----------------------
 .../files/template-logs-system.xml.in              | 68 ++++++++++++++++++++++
 .../files/template-rootcheck-basic.xml.in          | 22 +++++++
 .../files/template-rootcheck-cis-l1.xml.in         |  9 +++
 .../files/template-rootcheck-cis-l2.xml.in         |  9 +++
 .../files/template-rootcheck-cis.xml.in            |  9 +++
 .../files/template-rootcheck-default.xml.in        | 23 --------
 .../files/template-syscheck-basic.xml.in           | 18 ++++++
 .../files/template-syscheck-default.xml.in         | 18 ------
 .../files/template-syscheck-hostdeny.xml.in        |  4 +-
 .../files/template-syscheck-newfiles.xml.in        |  4 +-
 .../files/template-syscheck-noauto.xml.in          |  4 +-
 .../files/template-syscheck-ossec.xml.in           |  4 +-
 13 files changed, 143 insertions(+), 117 deletions(-)
 delete mode 100644 security/ossec-hids-local-config/files/template-logs-default.xml.in
 create mode 100644 security/ossec-hids-local-config/files/template-logs-system.xml.in
 create mode 100644 security/ossec-hids-local-config/files/template-rootcheck-basic.xml.in
 create mode 100644 security/ossec-hids-local-config/files/template-rootcheck-cis-l1.xml.in
 create mode 100644 security/ossec-hids-local-config/files/template-rootcheck-cis-l2.xml.in
 create mode 100644 security/ossec-hids-local-config/files/template-rootcheck-cis.xml.in
 delete mode 100644 security/ossec-hids-local-config/files/template-rootcheck-default.xml.in
 create mode 100644 security/ossec-hids-local-config/files/template-syscheck-basic.xml.in
 delete mode 100644 security/ossec-hids-local-config/files/template-syscheck-default.xml.in

(limited to 'security/ossec-hids-local-config/files')

diff --git a/security/ossec-hids-local-config/files/template-logs-default.xml.in b/security/ossec-hids-local-config/files/template-logs-default.xml.in
deleted file mode 100644
index 47b9a77..0000000
--- a/security/ossec-hids-local-config/files/template-logs-default.xml.in
+++ /dev/null
@@ -1,68 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<template_config os="FreeBSD" profile="%%LOGS_DEFAULT_PROFILE%%">
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/auth.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/maillog</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/messages</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/security</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/userlog</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/xferlog</location>
-  </localfile>
-
-</template_config>
-
-<template_config os="Linux" profile="%%LOGS_DEFAULT_PROFILE%%">
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/auth.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/dpkg.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/kern.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/mail.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/messages</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/syslog</location>
-  </localfile>
-
-</template_config>
diff --git a/security/ossec-hids-local-config/files/template-logs-system.xml.in b/security/ossec-hids-local-config/files/template-logs-system.xml.in
new file mode 100644
index 0000000..eee09aa
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-logs-system.xml.in
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%LOGS_SYSTEM_PROFILE%%">
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/maillog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/messages</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/security</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/userlog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/xferlog</location>
+  </localfile>
+
+</template_config>
+
+<template_config os="Linux" profile="%%LOGS_SYSTEM_PROFILE%%">
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/mail.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/messages</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-basic.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-basic.xml.in
new file mode 100644
index 0000000..37c2166
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rootcheck-basic.xml.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%ROOTCHECK_BASIC_PROFILE%%">
+
+  <rootcheck>
+    <rootkit_files>%%OSSEC_HOME%%/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>%%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+    <system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt</system_audit>
+    <system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt</system_audit>
+  </rootcheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%ROOTCHECK_BASIC_PROFILE%%">
+
+  <rootcheck>
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
+  </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-cis-l1.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-cis-l1.xml.in
new file mode 100644
index 0000000..1b2f20c
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rootcheck-cis-l1.xml.in
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<template_config os="Linux" profile="%%ROOTCHECK_CIS_L1_PROFILE%%">
+
+  <rootcheck>
+    <system_audit>/var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt</system_audit>
+  </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-cis-l2.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-cis-l2.xml.in
new file mode 100644
index 0000000..d156887
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rootcheck-cis-l2.xml.in
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<template_config os="Linux" profile="%%ROOTCHECK_CIS_L2_PROFILE%%">
+
+  <rootcheck>
+    <system_audit>/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt</system_audit>
+  </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-cis.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-cis.xml.in
new file mode 100644
index 0000000..0640be7
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rootcheck-cis.xml.in
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<template_config os="Linux" profile="%%ROOTCHECK_CIS_PROFILE%%">
+
+  <rootcheck>
+    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
+  </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in
deleted file mode 100644
index 63e5f1e..0000000
--- a/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<template_config os="FreeBSD" profile="%%ROOTCHECK_PROFILE%%">
-
-  <rootcheck>
-    <rootkit_files>%%OSSEC_HOME%%/etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>%%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-    <system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt</system_audit>
-    <system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt</system_audit>
-  </rootcheck>
-
-</template_config>
-
-<template_config os="Linux" profile="%%ROOTCHECK_PROFILE%%">
-
-  <rootcheck>
-    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
-  </rootcheck>
-
-</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-basic.xml.in b/security/ossec-hids-local-config/files/template-syscheck-basic.xml.in
new file mode 100644
index 0000000..516b921
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-syscheck-basic.xml.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%SYSCHECK_BASIC_PROFILE%%">
+
+  <syscheck>
+    <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,%%PREFIX%%/bin,%%PREFIX%%/sbin</directories>
+    <directories realtime="yes" check_all="yes">/etc,%%PREFIX%%/etc</directories>
+  </syscheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%SYSCHECK_BASIC_PROFILE%%">
+
+  <syscheck>
+    <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
+    <directories realtime="yes" check_all="yes">/etc,/usr/local/etc</directories>
+  </syscheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-default.xml.in b/security/ossec-hids-local-config/files/template-syscheck-default.xml.in
deleted file mode 100644
index 78ae8f8..0000000
--- a/security/ossec-hids-local-config/files/template-syscheck-default.xml.in
+++ /dev/null
@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
-
-  <syscheck>
-    <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,%%PREFIX%%/bin,%%PREFIX%%/sbin</directories>
-    <directories realtime="yes" check_all="yes">/etc,%%PREFIX%%/etc</directories>
-  </syscheck>
-
-</template_config>
-
-<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
-
-  <syscheck>
-    <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
-    <directories realtime="yes" check_all="yes">/etc,/usr/local/etc</directories>
-  </syscheck>
-
-</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in
index f35f4d5..07f278d 100644
--- a/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in
+++ b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="FreeBSD">
 
   <syscheck>
     <ignore>/etc/hosts.allow</ignore>
@@ -7,7 +7,7 @@
 
 </template_config>
 
-<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="Linux">
 
   <syscheck>
     <ignore>/etc/hosts.deny</ignore>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in
index 7a303e5..eee5915 100644
--- a/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in
+++ b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="FreeBSD">
 
   <syscheck>
     <alert_new_files>yes</alert_new_files>
@@ -7,7 +7,7 @@
 
 </template_config>
 
-<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="Linux">
 
   <syscheck>
     <alert_new_files>yes</alert_new_files>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in
index 03f5943..b71e1ae 100644
--- a/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in
+++ b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="FreeBSD">
 
   <syscheck>
     <auto_ignore>no</auto_ignore>
@@ -7,7 +7,7 @@
 
 </template_config>
 
-<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="Linux">
 
   <syscheck>
     <auto_ignore>no</auto_ignore>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in
index 8342f63..42911ef 100644
--- a/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in
+++ b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="FreeBSD" profile="%%SYSCHECK_OSSEC_PROFILE%%">
 
   <syscheck>
     <directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_BIN_DIRS%%</directories>
@@ -8,7 +8,7 @@
 
 </template_config>
 
-<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+<template_config os="Linux" profile="%%SYSCHECK_OSSEC_PROFILE%%">
 
   <syscheck>
     <directories realtime="yes" check_all="yes">/var/ossec/bin,/var/ossec/active-response,/var/ossec/agentless</directories>
-- 
cgit v1.2.3