Merge pull request #3 from wazuh/development

Ruleset v1.04

CHANGELOG.md

@@ -1,6 +1,23 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v1.04] - 2016-01-25
+### Added
+- New Rootcheck: SSH Hardening
+- New rules: *ossec_ruleset.py* rules
+  - Alerts related to the execution of script *ossec_ruleset.py*
+- New rules and PCI Tagging for:
+  - Amazon IAM
+  - Amazon EC2
+
+### Changed
+- *ossec_ruleset.py*:
+  - New format for *ossec_ruleset.log*
+  - New path: */var/ossec/updater/ruleset*
+     - All files generated by the script are stored in this directory.
+     - We recommend this path to the script: /var/ossec/updater/ruleset/ossec_ruleset.py
+
+
 ## [v1.03] - 2016-01-08
 ### Added
 - Amazon Decoders & Rules:
@@ -61,4 +78,4 @@ All notable changes to this project will be documented in this file.
 - Sysmon Decoder for Event 1 modified (It allows use the new decoder added for this event).
 
 ## [v0.00] - 2015-08-24
-- Inital version: OSSEC out-of-the-box rules, decoders and rootchecks.
+- Inital version: OSSEC out-of-the-box rules, decoders and rootchecks.

VERSION

@@ -1 +1 @@
-1.03
+1.04

rootcheck/ssh/system_audit_ssh.txt

@@ -0,0 +1,81 @@
+#  SSH Rootcheck
+#
+#  v1.0 2016/01/20
+#  Created by Wazuh, Inc. <[email protected]>.
+#  [email protected]
+#  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+#
+
+
+$sshd_file=/etc/ssh/sshd_config;
+
+
+# Listen PORT != 22
+# The option Port specifies on which port number ssh daemon listens for incoming connections.
+# Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port.
+[SSH Hardening - 1: Port 22] [any] [1]
+f:$sshd_file -> !r:^# && r:Port\.+22;
+
+
+# Protocol 2
+# The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use.
+# Version 1 of the SSH protocol has weaknesses. 
+[SSH Hardening - 2: Protocol 1] [any] [2]
+f:$sshd_file -> !r:^# && r:Protocol\.+1;
+
+
+# PermitRootLogin no
+# The option PermitRootLogin specifies whether root can log in using ssh.
+# If you want log in as root, you should use the option "Match" and restrict it to a few IP addresses.
+[SSH Hardening - 3: Root can log in] [any] [3]
+f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
+f:$sshd_file -> r:^#\s*PermitRootLogin;
+
+
+# PubkeyAuthentication yes
+# Access only by public key
+# Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password.
+[SSH Hardening - 4: No Public Key autentication] [any] [4]
+f:$sshd_file -> !r:^# && r:PubkeyAuthentication\.+no;
+f:$sshd_file -> r:^#\s*PubkeyAuthentication;
+
+
+# PasswordAuthentication no
+# The option PasswordAuthentication specifies whether we should use password-based authentication.
+# Use public key authentication instead of passwords
+[SSH Hardening - 5: Password Authentication] [any] [5]
+f:$sshd_file -> !r:^# && r:PasswordAuthentication\.+yes;
+f:$sshd_file -> r:^#\s*PasswordAuthentication;
+
+
+# PermitEmptyPasswords no
+# The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password
+# Accounts with null passwords are a bad practice.
+[SSH Hardening - 6: Empty passwords allowed] [any] [6]
+f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\.+yes;
+f:$sshd_file -> r:^#\s*PermitEmptyPasswords;
+
+
+# IgnoreRhosts yes
+# The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication.
+# For security reasons it is recommended to no use rhosts or shosts files for authentication.
+[SSH Hardening - 7: Rhost or shost used for authentication] [any] [7]
+f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no;
+f:$sshd_file -> r:^#\s*IgnoreRhosts;
+
+
+# LoginGraceTime 30
+# The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
+# 30 seconds is the recommended time for avoiding open connections without authenticate
+[SSH Hardening - 8: Wrong Grace Time] [any] [8]
+f:$sshd_file -> !r:^# && r:LoginGraceTime && !r:30\s*$;
+f:$sshd_file -> r:^#\s*LoginGraceTime;
+
+
+# MaxAuthTries 3
+# The MaxAuthTries parameter specifices the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
+# This should be set to 3.
+[SSH Hardening - 9: Wrong Maximum number of authentication attempts] [any] [9]
+f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
+f:$sshd_file -> r:^#\s*MaxAuthTries;
+f:$sshd_file -> !r:MaxAuthTries;

rules-decoders/amazon-ec2/amazon-ec2_decoders.xml

@@ -16,7 +16,7 @@ AmazonAWS-ec2-fields:
 -->
 
 <decoder name="AmazonAWS-ec2">
-    <prematch>^"AmazonAWS"\.+"eventSource":"ec2.amazonaws.com"</prematch>
+    <prematch>^"AmazonAWS"\.+"eventSource":"ec2.amazonaws.com"|\.+"eventSource":"elasticloadbalancing.amazonaws.com"</prematch>
 </decoder>
 
 <decoder name="AmazonAWS-ec2-fields">

rules-decoders/amazon-ec2/amazon-ec2_instructions.md

@@ -2,5 +2,3 @@
 **Created by Wazuh, Inc. <[email protected]>**
 
 Before manual or automatic installation follow the previous steps [here](http://documentation.wazuh.com/en/latest/ossec_ruleset.html#amazon).
-
-