# OSSEC Linux Audit - (C) 2018
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
#             - f (for file or directory)
#             - p (process running)
#             - d (any file inside the directory)
#
# Additional values:
# For the registry , use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceeded by: =: (for equal) - default
#                             r: (for ossec regexes)
#                             >: (for strcmp greater)
#                             <: (for strcmp  lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
#
# Checks for Password Security on Linux Systems
#
#1 Set Default Algorithm for Password Encryption to SHA256 or SHA 512
[Password Hardening - 1: Set Default Algorithm for Password Encryption to SHA256 or SHA 512] [any] [https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun, https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html]
f:/etc/security/policy.conf -> !r:^# && r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__;
f:/etc/security/policy.conf -> !r:^CRYPT_DEFAULT=\d;
f:/etc/login.defs -> !r:^# && r:^ENCRYPT_METHOD\s+MD5|^ENCRYPT_METHOD\s+DES;
f:/etc/login.defs -> !r:^ENCRYPT_METHOD\s+SHA512|^ENCRYPT_METHOD\s+SHA256;
f:/etc/pam.d/common-password -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/common-password -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
f:/etc/pam.d/password-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/password-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
f:/etc/pam.d/system-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/system-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
f:/etc/pam.d/system-auth-ac -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/system-auth-ac -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
#
#
#2 Passwords in /etc/shadow not hashed with SHA-256 or SHA-512
[Password Hardening - 2: Not all Passwords in /etc/shadow are hashed with SHA-256 or SHA-512] [any] [https://linux-audit.com/password-security-with-linux-etc-shadow-file/, https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html]
f:/etc/shadow -> !r:^# && !r:^\w+:NP:\d+:\d*:\d*:\d*:\d*:\d*:\d*$ && r:^\w+:\w\.*:\d+:\d*:\d*:\d*:\d*:\d*:\d*$;
f:/etc/shadow -> !r:^# && r:\w+:\$1\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2a\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2x\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2y\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$md5\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$__unix__\$\.+;
#
#
#3 Set Password Creation Requirement Parameters
[Password Hardening - 3: Set Password Creation Requirement Parameters] [any] [https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/, https://workbench.cisecurity.org]
f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass|^@include\s+common-password;
f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+|^@include\s+common-password;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/security/pwquality.conf -> !r:^minlen=\d\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^dcredit=\p*\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^lcredit=\p*\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^ocredit=\p*\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^ucredit=\p*\d+;
#
#
#4 Set default password expiration / aging parameters
[Password Hardening - 4: Set password expiration / aging parameters] [any] [https://www.thegeekdiary.com/understanding-etclogin-defs-file, https://workbench.cisecurity.org/sections/26024/recommendations/63001]
f:/etc/default/passwd -> !r:^MAXWEEKS=\d\d$;
f:/etc/default/passwd -> !r:^MINWEEKS=\d;
f:/etc/default/passwd -> !r:^WARNWEEKS=\d;
f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s*\t*\d\d$;
f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s*\t*\d;
f:/etc/login.defs -> !r:^PASS_WARN_AGE\s*\t*\d;
