From edf5c82b8bda5405defb9aa63ee3592ef9579b3e Mon Sep 17 00:00:00 2001 
From: Guido Modarelli <38738725+guidomodarelli@users.noreply.github.com> Date: Fri, 20 Sep 2024 13:01:06 -0300 Subject: [PATCH] Re-design the Malware detection dashboard with and without a pinned agent (#6980) * style: Update .gitignore formatting * Revert "style: Update .gitignore formatting" This reverts commit 31ce19c890b1d8814179fed5e94525a251f14f1f. * Add Random class for generating random values * Add DateFormatter class for date formatting * Add NumberFormatter class with pads method * Add new alert generation types and configurations * Rename common.js to common.ts, update common data and add DECODER.- Add type definitions for IPs, USERS, PORTS, WIN_HOSTNAMES, PATHS, AGENTS, GEO_LOCATION, and DECODER * Add constants for alert and rule generation * Delete old regulatory compliance data and add new one * Create RuleGenerator class for generating random rules * Rename file extension to TypeScript and update script with new data types and structure * Change to Typescript * Rename Random.ts to Random.js, update Random class methods. Add Yara module with rule generation functionality.- Add Yara module for rule generation * Delete unused regulatory compliance rules and modules * Update import statements to require() in web.js file. Modifying exports to use module.exports * Update require statements to use const and module.exports * Update audit data file to export variables as CommonJS * Rename file from .ts to .js, update exports * Update AWS sample data to use CommonJS module exports * Rename file ciscat.ts to ciscat.js, update exports * Refactor docker.js to use require instead of import * Update gcp.js with module.exports for constants * Update module exports in sample data for GitHub alerts * Refactor integrity monitoring data structure to use module.exports * Rename mitre.ts to mitre.js and update exports * Update office data exports to use module.exports * Rename file extension from .ts to .js and update imports. 
* Convert osquery.ts to osquery.js and export dataOsquery * Convert import/export statements to require/module.exports * Update sample data export to use module.exports * Rename virustotal.ts to virustotal.js, change exports to module.exports. * Convert data export to module.exports in vulnerabilities.js * Update array fill method in generate-alerts sample data file * Add DateFormatter class for date formatting function * Add NumberFormatter class for padding numbers with zeros * Add rule generator for alert system * Add function to generate YARA alerts * Add common data for generating alerts * Add regulatory compliance sample data * Add constants for alert and rule generation * Change path to plugins/main/server/lib/generate-alerts * Delete common data generation script * Refactor imports and exports for generate-alerts-script * Rename types.ts to types.d.ts for generate-alerts module * Refactor alert generation script into separate module * Add interpolateAlertProps function for alert props interpolation * Add number formatting tests for NumberFormatter * Refactor number padding method in NumberFormatter class * Refactor date formatting methods and add unit tests * Add unit tests for Random helper functions * Add test for date function in random helper * Update sample data variables with constants * Update YARA parameter to lowercase in generateAlerts script * Add visualization panels for agent-related data * Add visualization for agents' evolution * Update visualization functions and add new top 10 agents * Refactor date formatting methods for readability * Update dashboard panel titles for clarity and consistency * Update uiState with vis columnsWidth in dashboard-panels.ts * Add new dashboard panels for malware detection * Update dashboard panels UI state with column width settings * Update frequency values to numeric type for alerts data * Update instance profile ID generation with character set * Update trojans signatures to escape special characters * 
Update frequency value to integer in sample data for web.js * Add Random.ALPHABET to Random.createHash call in aws.js * Update alert rule frequency to be a number * Fix typo in loop condition length comparison * Add test case for verifying unique values within length * Add tests for rule-generator and regulatory-compliance * Rename number-format.test.js to number-formatter.test.js * Update test functions to use arrow functions * Update trojans signatures in policy-monitoring.js * Refactor trojan signatures in policy monitoring data * Add tests for month name formatting in DateFormatter * Add sample data and update dashboard visualizations * fix typo in CHANGELOG --- CHANGELOG.md | 2 + plugins/main/common/constants.ts | 1 + .../dashboard/dashboard-panels.ts | 1269 +++++- .../server/lib/generate-alerts/constants.js | 21 + .../generate-alerts/generate-alerts-script.js | 858 ++-- .../generate-alerts/helpers/date-formatter.js | 107 + .../helpers/date-formatter.test.js | 320 ++ .../helpers/interpolate-alert-props.js | 24 + .../helpers/number-formatter.js | 21 + .../helpers/number-formatter.test.js | 21 + .../lib/generate-alerts/helpers/random.js | 166 + .../generate-alerts/helpers/random.test.js | 92 + .../generate-alerts/helpers/rule-generator.js | 33 + .../helpers/rule-generator.test.js | 132 + .../lib/generate-alerts/sample-data/apache.js | 46 +- .../lib/generate-alerts/sample-data/audit.js | 209 +- .../sample-data/authentication.js | 66 +- .../lib/generate-alerts/sample-data/aws.js | 736 +-- .../lib/generate-alerts/sample-data/ciscat.js | 21 +- .../lib/generate-alerts/sample-data/common.js | 87 +- .../lib/generate-alerts/sample-data/docker.js | 585 ++- .../lib/generate-alerts/sample-data/gcp.js | 133 +- .../lib/generate-alerts/sample-data/github.js | 1246 ++++- .../sample-data/integrity-monitoring.js | 199 +- .../lib/generate-alerts/sample-data/mitre.js | 893 +++- .../lib/generate-alerts/sample-data/office.js | 90 +- .../generate-alerts/sample-data/openscap.js | 2879 
++++++------ .../generate-alerts/sample-data/osquery.js | 462 +- .../sample-data/policy-monitoring.js | 142 +- .../sample-data/regulatory-compliance.js | 164 +- .../sample-data/regulatory-compliance.test.js | 7 + .../lib/generate-alerts/sample-data/ssh.js | 117 +- .../generate-alerts/sample-data/virustotal.js | 24 +- .../sample-data/vulnerabilities.js | 2 +- .../lib/generate-alerts/sample-data/web.js | 104 +- .../lib/generate-alerts/sample-data/yara.js | 85 + .../server/lib/generate-alerts/types.d.ts | 221 + plugins/wazuh-core/common/constants.ts | 1 + scripts/wazuh-alerts-generator/cli.js | 1 + scripts/wazuh-alerts-generator/lib/common.js | 213 - scripts/wazuh-alerts-generator/lib/index.js | 1306 +----- .../lib/modules/apache.js | 42 - .../lib/modules/audit.js | 301 -- .../lib/modules/authentication.js | 274 -- .../wazuh-alerts-generator/lib/modules/aws.js | 495 -- .../lib/modules/ciscat.js | 18 - .../lib/modules/docker.js | 490 -- .../wazuh-alerts-generator/lib/modules/gcp.js | 91 - .../lib/modules/github.js | 97 - .../lib/modules/integrity-monitoring.js | 136 - .../lib/modules/mitre.js | 1787 -------- .../lib/modules/office.js | 1597 ------- .../lib/modules/openscap.js | 1509 ------- .../lib/modules/osquery.js | 390 -- .../lib/modules/policy-monitoring.js | 82 - .../lib/modules/regulatory-compliance.js | 19 - .../wazuh-alerts-generator/lib/modules/ssh.js | 92 - .../lib/modules/virustotal.js | 16 - .../lib/modules/vulnerabilities.js | 4003 ----------------- .../wazuh-alerts-generator/lib/modules/web.js | 106 - 60 files changed, 7937 insertions(+), 16714 deletions(-) create mode 100644 plugins/main/server/lib/generate-alerts/constants.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/date-formatter.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/date-formatter.test.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/interpolate-alert-props.js create mode 100644 
plugins/main/server/lib/generate-alerts/helpers/number-formatter.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/number-formatter.test.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/random.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/random.test.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/rule-generator.js create mode 100644 plugins/main/server/lib/generate-alerts/helpers/rule-generator.test.js create mode 100644 plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.test.js create mode 100644 plugins/main/server/lib/generate-alerts/sample-data/yara.js create mode 100644 plugins/main/server/lib/generate-alerts/types.d.ts delete mode 100644 scripts/wazuh-alerts-generator/lib/common.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/apache.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/audit.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/authentication.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/aws.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/ciscat.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/docker.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/gcp.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/github.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/integrity-monitoring.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/mitre.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/office.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/openscap.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/osquery.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/policy-monitoring.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/regulatory-compliance.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/ssh.js 
delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/virustotal.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/vulnerabilities.js delete mode 100644 scripts/wazuh-alerts-generator/lib/modules/web.js diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d20cc0624..775e6c1f77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,11 +7,13 @@ All notable changes to the Wazuh app project will be documented in this file. ### Added - Support for Wazuh 4.10.0 +- Added sample data for YARA [#6964](https://github.com/wazuh/wazuh-dashboard-plugins/issues/6964) ### Changed - Update malware detection group values in data sources [#6963](https://github.com/wazuh/wazuh-dashboard-plugins/issues/6963) - Changed the registration id of the Settings application for compatibility with Opensearch Dashboard 2.16.0 [#6938](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6938) +- Changed Malware detection dashboard visualizations [#6964](https://github.com/wazuh/wazuh-dashboard-plugins/issues/6964) ### Removed diff --git a/plugins/main/common/constants.ts b/plugins/main/common/constants.ts index 26fc95c5c4..33e6bac766 100644 --- a/plugins/main/common/constants.ts +++ b/plugins/main/common/constants.ts @@ -81,6 +81,7 @@ export const WAZUH_SAMPLE_ALERTS_CATEGORIES_TYPE_ALERTS = { { audit: true }, { openscap: true }, { ciscat: true }, + { yara: true }, ], [WAZUH_SAMPLE_ALERTS_CATEGORY_THREAT_DETECTION]: [ { vulnerabilities: true }, diff --git a/plugins/main/public/components/overview/malware-detection/dashboard/dashboard-panels.ts b/plugins/main/public/components/overview/malware-detection/dashboard/dashboard-panels.ts index f5b863f14c..a6548c2ae6 100644 --- a/plugins/main/public/components/overview/malware-detection/dashboard/dashboard-panels.ts +++ b/plugins/main/public/components/overview/malware-detection/dashboard/dashboard-panels.ts 
@@ -702,6 +702,1145 @@ const getVisStateAgentEveentsPerAgentEvolution = (indexPatternId: string) => { }; }; +const getVisStateRuleGroupPie = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Rule-group', + title: 'Rule group', + type: 'pie', + params: { + type: 'pie', + addTooltip: true, + addLegend: true, + legendPosition: 'right', + isDonut: true, + labels: { + show: false, + values: true, + last_level: true, + truncate: 100, + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'rule.groups', + orderBy: '1', + order: 'desc', + size: 5, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'segment', + }, + ], + }, + }; +}; + +const getVisStateSourceFilePie = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Source-file', + title: 'Source file', + type: 'pie', + params: { + type: 'pie', + addTooltip: true, + addLegend: true, + legendPosition: 'right', + isDonut: true, + labels: { + show: false, + values: true, + last_level: true, + truncate: 100, + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'data.virustotal.source.file', + orderBy: '1', + order: 'desc', + size: 5, + otherBucket: 
false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + customLabel: 'Virustotal source file', + }, + schema: 'segment', + }, + ], + }, + }; +}; + +const getVisStateEventsByRuleGroup = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Events-by-rule-group', + title: 'Events by rule group', + type: 'line', + params: { + type: 'line', + grid: { + categoryLines: false, + }, + categoryAxes: [ + { + id: 'CategoryAxis-1', + type: 'category', + position: 'bottom', + show: true, + style: {}, + scale: { + type: 'linear', + }, + labels: { + show: true, + filter: true, + truncate: 100, + }, + title: {}, + }, + ], + valueAxes: [ + { + id: 'ValueAxis-1', + name: 'LeftAxis-1', + type: 'value', + position: 'left', + show: true, + style: {}, + scale: { + type: 'linear', + mode: 'normal', + }, + labels: { + show: true, + rotate: 0, + filter: false, + truncate: 100, + }, + title: { + text: 'Count', + }, + }, + ], + seriesParams: [ + { + show: true, + type: 'line', + mode: 'normal', + data: { + label: 'Count', + id: '1', + }, + valueAxis: 'ValueAxis-1', + drawLinesBetweenPoints: true, + lineWidth: 2, + interpolate: 'linear', + showCircles: true, + }, + ], + addTooltip: true, + addLegend: true, + legendPosition: 'right', + times: [], + addTimeMarker: false, + labels: {}, + thresholdLine: { + show: false, + value: 10, + width: 1, + style: 'full', + color: '#E7664C', + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'date_histogram', + params: { + field: 'timestamp', + timeRange: { + from: '2024-09-11T15:24:45.444Z', + to: '2024-09-19T20:00:00.000Z', + }, + 
useNormalizedOpenSearchInterval: true, + scaleMetricValues: false, + interval: 'auto', + drop_partials: false, + min_doc_count: 1, + extended_bounds: {}, + }, + schema: 'segment', + }, + { + id: '3', + enabled: true, + type: 'terms', + params: { + field: 'rule.groups', + orderBy: '1', + order: 'desc', + size: 5, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'group', + }, + ], + }, + }; +}; + +const getVisStateYaraScannedFilesPie = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Yara-scanned-files', + title: 'Yara scanned files', + type: 'pie', + params: { + type: 'pie', + addTooltip: true, + addLegend: true, + legendPosition: 'right', + isDonut: true, + labels: { + show: false, + values: true, + last_level: true, + truncate: 100, + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'data.YARA.scanned_file', + orderBy: '1', + order: 'desc', + size: 5, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'segment', + }, + ], + }, + }; +}; + +const getVisStateRootcheckDataTitlePie = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Rootcheck-data-title', + title: 'Rootcheck data title', + type: 'pie', + params: { + type: 'pie', + addTooltip: true, + addLegend: true, + legendPosition: 'right', + isDonut: true, + labels: { + show: false, + values: true, + last_level: true, + truncate: 100, + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: 
[], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'data.title', + orderBy: '1', + order: 'desc', + size: 5, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'segment', + }, + ], + }, + }; +}; + +const getVisStateRuleDescription = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Rule-description', + title: 'Rule description', + type: 'table', + params: { + perPage: 10, + showPartialRows: false, + showMetricsAtAllLevels: false, + showTotal: false, + totalFunc: 'sum', + percentageCol: '', + }, + uiState: { + vis: { + columnsWidth: [ + { + colIndex: 1, + width: 150, + }, + ], + }, + }, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'rule.description', + orderBy: '1', + order: 'desc', + size: 100, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'bucket', + }, + { + id: '3', + enabled: false, + type: 'terms', + params: { + field: 'rule.level', + orderBy: '1', + order: 'desc', + size: 16, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'bucket', + }, + ], + }, + }; +}; + +const getVisStateAgentsEvolution = (indexPatternId: string) => { + return { + id: 
'Wazuh-App-Agents-PM-Agents-evolution', + title: 'Agents evolution', + type: 'line', + params: { + type: 'line', + grid: { + categoryLines: false, + }, + categoryAxes: [ + { + id: 'CategoryAxis-1', + type: 'category', + position: 'bottom', + show: true, + style: {}, + scale: { + type: 'linear', + }, + labels: { + show: true, + filter: true, + truncate: 100, + }, + title: {}, + }, + ], + valueAxes: [ + { + id: 'ValueAxis-1', + name: 'LeftAxis-1', + type: 'value', + position: 'left', + show: true, + style: {}, + scale: { + type: 'linear', + mode: 'normal', + }, + labels: { + show: true, + rotate: 0, + filter: false, + truncate: 100, + }, + title: { + text: 'Count', + }, + }, + ], + seriesParams: [ + { + show: true, + type: 'histogram', + mode: 'stacked', + data: { + label: 'Count', + id: '1', + }, + valueAxis: 'ValueAxis-1', + drawLinesBetweenPoints: true, + lineWidth: 2, + interpolate: 'linear', + showCircles: true, + }, + ], + addTooltip: true, + addLegend: true, + legendPosition: 'right', + times: [], + addTimeMarker: false, + labels: {}, + thresholdLine: { + show: false, + value: 10, + width: 1, + style: 'full', + color: '#E7664C', + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'date_histogram', + params: { + field: 'timestamp', + timeRange: { + from: '2024-09-11T15:24:45.444Z', + to: '2024-09-19T20:00:00.000Z', + }, + useNormalizedOpenSearchInterval: true, + scaleMetricValues: false, + interval: 'auto', + drop_partials: false, + min_doc_count: 1, + extended_bounds: {}, + }, + schema: 'segment', + }, + { + id: '3', + enabled: true, + type: 'terms', + params: { + field: 'agent.name', + orderBy: '1', 
+ order: 'desc', + size: 10, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'group', + }, + ], + }, + }; +}; + +const getVisStateTop10AgentsByRuleGroup = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Top-10-agents-by-rule-group', + title: 'Top 10 agents by rule group', + type: 'horizontal_bar', + params: { + type: 'histogram', + grid: { + categoryLines: false, + }, + categoryAxes: [ + { + id: 'CategoryAxis-1', + type: 'category', + position: 'left', + show: true, + style: {}, + scale: { + type: 'linear', + }, + labels: { + show: true, + rotate: 0, + filter: false, + truncate: 200, + }, + title: {}, + }, + ], + valueAxes: [ + { + id: 'ValueAxis-1', + name: 'LeftAxis-1', + type: 'value', + position: 'bottom', + show: true, + style: {}, + scale: { + type: 'linear', + mode: 'normal', + }, + labels: { + show: true, + rotate: 75, + filter: true, + truncate: 100, + }, + title: { + text: 'Count', + }, + }, + ], + seriesParams: [ + { + show: true, + type: 'histogram', + mode: 'stacked', + data: { + label: 'Count', + id: '1', + }, + valueAxis: 'ValueAxis-1', + drawLinesBetweenPoints: true, + lineWidth: 2, + showCircles: true, + }, + ], + addTooltip: true, + addLegend: true, + legendPosition: 'right', + times: [], + addTimeMarker: false, + labels: {}, + thresholdLine: { + show: false, + value: 10, + width: 1, + style: 'full', + color: '#E7664C', + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: {}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'agent.name', + orderBy: '1', + order: 'desc', + size: 10, + otherBucket: false, + 
otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'segment', + }, + { + id: '3', + enabled: true, + type: 'terms', + params: { + field: 'rule.groups', + orderBy: '1', + order: 'desc', + size: 5, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + }, + schema: 'group', + }, + ], + }, + }; +}; + +const getVisStateRuleLevelHistogram = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Rule-level-histogram', + title: 'Rule level histogram', + type: 'line', + params: { + type: 'line', + grid: { + categoryLines: false, + }, + categoryAxes: [ + { + id: 'CategoryAxis-1', + type: 'category', + position: 'bottom', + show: true, + style: {}, + scale: { + type: 'linear', + }, + labels: { + show: true, + filter: true, + truncate: 100, + }, + title: {}, + }, + ], + valueAxes: [ + { + id: 'ValueAxis-1', + name: 'LeftAxis-1', + type: 'value', + position: 'left', + show: true, + style: {}, + scale: { + type: 'linear', + mode: 'normal', + }, + labels: { + show: true, + rotate: 0, + filter: false, + truncate: 100, + }, + title: { + text: 'Count', + }, + }, + ], + seriesParams: [ + { + show: true, + type: 'histogram', + mode: 'stacked', + data: { + label: 'Count', + id: '1', + }, + valueAxis: 'ValueAxis-1', + drawLinesBetweenPoints: true, + lineWidth: 2, + interpolate: 'linear', + showCircles: true, + }, + ], + addTooltip: true, + addLegend: true, + legendPosition: 'right', + times: [], + addTimeMarker: false, + labels: {}, + thresholdLine: { + show: false, + value: 10, + width: 1, + style: 'full', + color: '#E7664C', + }, + }, + uiState: {}, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'count', + params: 
{}, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'date_histogram', + params: { + field: 'timestamp', + timeRange: { + from: 'now-7d', + to: 'now', + }, + useNormalizedOpenSearchInterval: true, + scaleMetricValues: false, + interval: 'auto', + drop_partials: false, + min_doc_count: 1, + extended_bounds: {}, + }, + schema: 'segment', + }, + { + id: '3', + enabled: true, + type: 'terms', + params: { + field: 'rule.level', + orderBy: '_key', + order: 'desc', + size: 15, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + customLabel: 'Rule level', + }, + schema: 'group', + }, + ], + }, + }; +}; + +const getVisStateLatestVirustotalFiles = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Latest-virustotal-files', + title: 'Latest virustotal files', + type: 'table', + params: { + perPage: 10, + showPartialRows: false, + showMetricsAtAllLevels: false, + showTotal: false, + totalFunc: 'sum', + percentageCol: '', + }, + uiState: { + vis: { + columnsWidth: [ + { + colIndex: 1, + width: 213, + }, + ], + }, + }, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'max', + params: { + field: 'timestamp', + customLabel: 'Timestamp', + }, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'data.virustotal.source.file', + orderBy: '1', + order: 'desc', + size: 5, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + customLabel: 'Virustotal file', + }, + schema: 'bucket', + }, + ], + }, + }; +}; + +const getVisStateLatestYaraScannedFiles = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Latest-yara-scanned-files', + 
title: 'Latest yara scanned files', + type: 'table', + params: { + perPage: 5, + showPartialRows: false, + showMetricsAtAllLevels: false, + showTotal: false, + totalFunc: 'sum', + percentageCol: '', + }, + uiState: { + vis: { + columnsWidth: [ + { + colIndex: 1, + width: 213, + }, + ], + }, + }, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'max', + params: { + field: 'timestamp', + customLabel: 'Timestamp', + }, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'data.YARA.scanned_file', + orderBy: '1', + order: 'desc', + size: 10, + otherBucket: false, + otherBucketLabel: 'Other', + missingBucket: false, + missingBucketLabel: 'Missing', + customLabel: 'Yara scanned files', + }, + schema: 'bucket', + }, + ], + }, + }; +}; + +const getVisStateLatestRootcheckFile = (indexPatternId: string) => { + return { + id: 'Wazuh-App-Agents-PM-Latest-rootcheck-file', + title: 'Latest rootcheck file', + type: 'table', + params: { + perPage: 10, + showPartialRows: false, + showMetricsAtAllLevels: false, + showTotal: false, + totalFunc: 'sum', + percentageCol: '', + }, + uiState: { + vis: { + columnsWidth: [ + { + colIndex: 1, + width: 213, + }, + ], + }, + }, + data: { + searchSource: { + query: { + language: 'kuery', + query: '', + }, + filter: [], + index: indexPatternId, + }, + references: [ + { + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + id: indexPatternId, + }, + ], + aggs: [ + { + id: '1', + enabled: true, + type: 'max', + params: { + field: 'timestamp', + customLabel: 'Timestamp', + }, + schema: 'metric', + }, + { + id: '2', + enabled: true, + type: 'terms', + params: { + field: 'data.file', + orderBy: '1', + order: 'desc', + size: 5, + 
otherBucket: false,
+ otherBucketLabel: 'Other',
+ missingBucket: false,
+ missingBucketLabel: 'Missing',
+ customLabel: 'Rootcheck file',
+ },
+ schema: 'bucket',
+ },
+ ],
+ },
+ };
+};
+
 export const getDashboardPanels = (
 indexPatternId: string,
 isPinnedAgent: boolean,
@@ -714,7 +1853,7 @@ export const getDashboardPanels = (
 g1: {
 gridData: {
 w: 24,
- h: 10,
+ h: 14,
 x: 0,
 y: 0,
 i: 'g1',
@@ -722,13 +1861,13 @@ export const getDashboardPanels = (
 type: 'visualization',
 explicitInput: {
 id: 'g1',
- savedVis: getVisStateEmotetMalwareActivity(indexPatternId),
+ savedVis: getVisStateAgentsEvolution(indexPatternId),
 },
 },
 g2: {
 gridData: {
 w: 24,
- h: 10,
+ h: 14,
 x: 24,
 y: 0,
 i: 'g2',
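Review bot: The date_histogram aggs in getVisStateEventsByRuleGroup and getVisStateAgentsEvolution carry an absolute `timeRange` (`from: '2024-09-11T15:24:45.444Z', to: '2024-09-19T20:00:00.000Z'`) that looks like a leftover from exporting the visualization out of a dev browser, while getVisStateRuleLevelHistogram uses `from: 'now-7d', to: 'now'` for the same agg. The dashboard time picker presumably overrides this param at query time, but if it does not, those two panels are pinned to one week in September 2024 and will silently go empty once that window ages out of retention; either way the three definitions should agree, so I would set both to `timeRange: { from: 'now-7d', to: 'now' },`. Separately, getVisStateRuleDescription ships a disabled `rule.level` bucket agg (id '3', `enabled: false`) that is dead configuration and should be dropped or enabled, and the table's `size: 100` on `rule.description` with `perPage: 10` deserves a comment saying the larger term set is intentional. The enclosing file continues past this hunk, so callers of these builders other than getDashboardPanels are not visible here.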
@@ -736,21 +1875,91 @@ export const getDashboardPanels = (
 type: 'visualization',
 explicitInput: {
 id: 'g2',
- savedVis: getVisStateRootkitsActivityOverTime(indexPatternId),
+ savedVis: getVisStateEventsByRuleGroup(indexPatternId),
 },
 },
 g3: {
 gridData: {
- w: 48,
- h: 10,
+ w: 12,
+ h: 9,
 x: 0,
- y: 10,
+ y: 14,
 i: 'g3',
 },
 type: 'visualization',
 explicitInput: {
 id: 'g3',
- savedVis: getVisStateSecurityAlerts(indexPatternId),
+ savedVis: getVisStateRuleGroupPie(indexPatternId),
+ },
+ },
+ g4: {
+ gridData: {
+ w: 12,
+ h: 9,
+ x: 12,
+ y: 14,
+ i: 'g4',
+ },
+ type: 'visualization',
+ explicitInput: {
+ id: 'g4',
+ savedVis: getVisStateSourceFilePie(indexPatternId),
+ },
+ },
+ g5: {
+ gridData: {
+ w: 12,
+ h: 9,
+ x: 24,
+ y: 14,
+ i: 'g5',
+ },
+ type: 'visualization',
+ explicitInput: {
+ id: 'g5',
+ savedVis: getVisStateYaraScannedFilesPie(indexPatternId),
+ },
+ },
+ g6: {
+ gridData: {
+ w: 12,
+ h: 9,
+ x: 36,
+ y: 14,
+ i: 'g6',
+ },
+ type: 'visualization',
+ explicitInput: {
+ id: 'g6',
+ savedVis: getVisStateRootcheckDataTitlePie(indexPatternId),
+ },
+ },
+ g7: {
+ gridData: {
+ w: 24,
+ h: 14,
+ x: 0,
+ y: 23,
+ i: 'g7',
+ },
+ type: 'visualization',
+ explicitInput: {
+ id: 'g7',
+ savedVis: getVisStateTop10AgentsByRuleGroup(indexPatternId),
+ },
+ },
+ g8: {
+ gridData: {
+ w: 24,
+ h: 14,
+ x: 24,
+ y: 23,
+ i: 'g8',
+ },
+ type: 'visualization',
+ explicitInput: {
+ id: 'g8',
+ savedVis: getVisStateRuleDescription(indexPatternId),
 },
 },
 };
@@ -759,7 +1968,7 @@ export const getDashboardPanels = (
 a1: {
 gridData: {
 w: 24,
- h: 10,
+ h: 12,
 x: 0,
 y: 0,
 i: 'a1',
@@ -767,13 +1976,13 @@ export const getDashboardPanels = (
 type: 'visualization',
 explicitInput: {
 id: 'a1',
- savedVis: getVisStateAgentAlertsOverTime(indexPatternId),
+ savedVis: getVisStateRuleLevelHistogram(indexPatternId),
 },
 },
 a2: {
 gridData: {
 w: 24,
- h: 10,
+ h: 12,
 x: 24,
 y: 0,
 i: 'a2',
@@ -781,21 +1990,49 @@ export const getDashboardPanels = (
 type: 'visualization',
 explicitInput: {
 id: 'a2',
- savedVis: getVisStateAgentRuleDistribution(indexPatternId),
+ savedVis: getVisStateEventsByRuleGroup(indexPatternId),
 },
 },
 a3: {
 gridData: {
- w: 48,
- h: 11,
+ w: 16,
+ h: 13,
 x: 0,
- y: 10,
+ y: 12,
 i: 'a3',
 },
 type: 'visualization',
 explicitInput: {
 id: 'a3',
- savedVis: getVisStateAgentEveentsPerAgentEvolution(indexPatternId),
+ savedVis: getVisStateLatestVirustotalFiles(indexPatternId),
+ },
+ },
+ a4: {
+ gridData: {
+ w: 16,
+ h: 13,
+ x: 16,
+ y: 12,
+ i: 'a4',
+ },
+ type: 'visualization',
+ explicitInput: {
+ id: 'a4',
+ savedVis: getVisStateLatestYaraScannedFiles(indexPatternId),
+ },
+ },
+ a5: {
+ gridData: {
+ w: 16,
+ h: 13,
+ x: 32,
+ y: 12,
+ i: 'a5',
+ },
+ type: 'visualization',
+ explicitInput: {
+ id: 'a5',
+ savedVis: getVisStateLatestRootcheckFile(indexPatternId),
 },
 },
 };
diff --git a/plugins/main/server/lib/generate-alerts/constants.js b/plugins/main/server/lib/generate-alerts/constants.js
new file mode 100644
index 0000000000..4818810c45
--- /dev/null
+++ b/plugins/main/server/lib/generate-alerts/constants.js
@@ -0,0 +1,21 @@
+/*
+ ┌─────────────────────────────────────────────────────────────────────────┐
+ │ ALERT │
+ └─────────────────────────────────────────────────────────────────────────┘
+ */
+module.exports.ALERT_ID_MAX = 6000;
+
+/*
+ ┌─────────────────────────────────────────────────────────────────────────┐
+ │ RULE │
+ └─────────────────────────────────────────────────────────────────────────┘
+ */
+module.exports.RULE_DESCRIPTION = [
+ 'Sample alert 1',
+ 'Sample alert 2',
+ 'Sample alert 3',
+ 'Sample alert 4',
+ 'Sample alert 5',
+];
+module.exports.RULE_MAX_LEVEL = 15;
+module.exports.RULE_MAX_FIREDTIMES = 5000;
diff --git a/plugins/main/server/lib/generate-alerts/generate-alerts-script.js b/plugins/main/server/lib/generate-alerts/generate-alerts-script.js
index ca8e09f009..6b1155d4d1 100644
--- a/plugins/main/server/lib/generate-alerts/generate-alerts-script.js
+++ b/plugins/main/server/lib/generate-alerts/generate-alerts-script.js
@@ -11,91 +11,60 @@ */ // General -import { +const { IPs, - Users, - Ports, - Paths, - Win_Hostnames, - GeoLocation, - Agents, - randomElements, - randomArrayItem, -} from './sample-data/common'; -import { + USERS, + PORTS, + PATHS, + WIN_HOSTNAMES, + GEO_LOCATION, + AGENTS, + DECODER, +} = require('./sample-data/common'); +const { PCI_DSS, GDPR, HIPAA, GPG13, NIST_800_53, tsc, -} from './sample-data/regulatory-compliance'; - -import * as Audit from './sample-data/audit'; -import * as Authentication from './sample-data/authentication'; -import * as AWS from './sample-data/aws'; -import * as IntegrityMonitoring from './sample-data/integrity-monitoring'; -import * as CISCAT from './sample-data/ciscat'; -import * as GCP from './sample-data/gcp'; -import * as Docker from './sample-data/docker'; -import * as Mitre from './sample-data/mitre'; -import * as Osquery from './sample-data/osquery'; -import * as OpenSCAP from './sample-data/openscap'; -import * as PolicyMonitoring from './sample-data/policy-monitoring'; -import * as Virustotal from './sample-data/virustotal'; -import * as Vulnerability from './sample-data/vulnerabilities'; -import * as SSH from './sample-data/ssh'; -import * as Apache from './sample-data/apache'; -import * as Web from './sample-data/web'; -import * as GitHub from './sample-data/github'; -import * as Office from './sample-data/office'; - -//Alert -const alertIDMax = 6000; - -// Rule -const ruleDescription = [ - 'Sample alert 1', - 'Sample alert 2', - 'Sample alert 3', - 'Sample alert 4', - 'Sample alert 5', -]; -const ruleMaxLevel = 15; +} = require('./sample-data/regulatory-compliance'); +const Audit = require('./sample-data/audit'); +const Authentication = require('./sample-data/authentication'); +const AWS = require('./sample-data/aws'); +const IntegrityMonitoring = require('./sample-data/integrity-monitoring'); +const CISCAT = require('./sample-data/ciscat'); +const GCP = require('./sample-data/gcp'); +const Docker = 
require('./sample-data/docker'); +const Mitre = require('./sample-data/mitre'); +const Osquery = require('./sample-data/osquery'); +const OpenSCAP = require('./sample-data/openscap'); +const PolicyMonitoring = require('./sample-data/policy-monitoring'); +const Virustotal = require('./sample-data/virustotal'); +const Vulnerability = require('./sample-data/vulnerabilities'); +const SSH = require('./sample-data/ssh'); +const Apache = require('./sample-data/apache'); +const Web = require('./sample-data/web'); +const GitHub = require('./sample-data/github'); +const Office = require('./sample-data/office'); +const Yara = require('./sample-data/yara'); +const { + ALERT_ID_MAX, + RULE_DESCRIPTION, + RULE_MAX_LEVEL, +} = require('./constants'); +const { Random } = require('./helpers/random'); +const { DateFormatter } = require('./helpers/date-formatter'); +const { interpolateAlertProps } = require('./helpers/interpolate-alert-props'); /** * Generate a alert - * @param {any} params - params to configure the alert - * @param {boolean} params.aws - if true, set aws fields - * @param {boolean} params.audit - if true, set System Auditing fields - * @param {boolean} params.office - if true, set office fields - * @param {boolean} params.ciscat - if true, set CIS-CAT fields - * @param {boolean} params.gcp - if true, set GCP fields - * @param {boolean} params.docker - if true, set Docker fields - * @param {boolean} params.mitre - if true, set Mitre att&ck fields - * @param {boolean} params.openscap - if true, set OpenSCAP fields - * @param {boolean} params.osquery - if true, set Osquery fields - * @param {boolean} params.rootcheck - if true, set Policy monitoring fields - * @param {boolean} params.syscheck - if true, set integrity monitoring fields - * @param {boolean} params.virustotal - if true, set VirusTotal fields - * @param {boolean} params.vulnerabilities - if true, set vulnerabilities fields - * @param {boolean} params.pci_dss - if true, set pci_dss fields - * @param 
{boolean} params.gdpr - if true, set gdpr fields - * @param {boolean} params.gpg13 - if true, set gpg13 fields - * @param {boolean} params.hipaa - if true, set hipaa fields - * @param {boolean} params.nist_800_53 - if true, set nist_800_53 fields - * @param {boolean} params.nist_800_53 - if true, set nist_800_53 fields - * @param {boolean} params.win_authentication_failed - if true, add win_authentication_failed to rule.groups - * @param {number} params.probability_win_authentication_failed - probability to add win_authentication_failed to rule.groups. Example: 20 will be 20% of probability to add this to rule.groups - * @param {boolean} params.authentication_failed - if true, add win_authentication_failed to rule.groups - * @param {number} params.probability_authentication_failed - probability to add authentication_failed to rule.groups - * @param {boolean} params.authentication_failures - if true, add win_authentication_failed to rule.groups - * @param {number} params.probability_authentication_failures - probability to add authentication_failures to rule.groups - * @return {any} - Alert generated - */ + * @param {import('./types').Params} params + * @returns {import('./types').SampleAlert} + **/ function generateAlert(params) { + /** @type {import('./types').Alert} */ let alert = { - ['@sampledata']: true, timestamp: '2020-01-27T11:08:47.777+0000', rule: { level: 3, 
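Review bot: The `['@sampledata']: true` marker is dropped from the base alert literal near the end of this hunk and nothing else in the hunk sets it, so unless the caller re-adds the field before indexing, generated sample documents are no longer distinguishable from real alerts by query — which is what any sample-data cleanup or exclusion filter would rely on. If the field now lives in the `Alert` type or is added by the indexer, a comment at the literal would save the next reader the search: `// @sampledata is set by the caller before indexing`. The replaced JSDoc also no longer documents the `probability_*` options inline; if `./types` carries those descriptions that is fine, otherwise they should be restored there. generateAlert's body continues past the end of the hunk.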
@@ -120,12 +89,15 @@ function generateAlert(params) { data: {}, location: '', }; - alert.agent = randomArrayItem(Agents); - alert.rule.description = randomArrayItem(ruleDescription); - alert.rule.id = `${randomIntervalInteger(1, alertIDMax)}`; - alert.rule.level = randomIntervalInteger(1, ruleMaxLevel); - - alert.timestamp = randomDate(); + alert.agent = Random.arrayItem(AGENTS); + alert.rule.description = Random.arrayItem(RULE_DESCRIPTION); + alert.rule.id = `${Random.number(1, ALERT_ID_MAX)}`; + alert.rule.level = Random.number(1, RULE_MAX_LEVEL); + + alert.timestamp = DateFormatter.format( + Random.date(), + DateFormatter.DATE_FORMAT.ISO_TIMESTAMP, + ); if (params.manager) { if (params.manager.name) { @@ -143,7 +115,7 @@ function generateAlert(params) { } if (params.aws) { - let randomType = randomArrayItem([ + const randomType = Random.arrayItem([ 'guarddutyPortProbe', 'apiCall', 'networkConnection', @@ -151,7 +123,7 @@ function generateAlert(params) { ]); const beforeDate = new Date( - new Date(alert.timestamp) - 3 * 24 * 60 * 60 * 1000, + new Date(alert.timestamp).getTime() - 3 * 24 * 60 * 60 * 1000, ); switch (randomType) { case 'guarddutyPortProbe': { 
@@ -159,47 +131,51 @@ function generateAlert(params) { alert.data = { ...typeAlert.data }; alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); + alert.data.aws.region = Random.arrayItem(AWS.region); alert.data.aws.resource.instanceDetails = { - ...randomArrayItem(AWS.instanceDetails), + ...Random.arrayItem(AWS.instanceDetails), }; alert.data.aws.resource.instanceDetails.iamInstanceProfile.arn = interpolateAlertProps( - typeAlert.data.aws.resource.instanceDetails.iamInstanceProfile.arn, + typeAlert.data.aws.resource?.instanceDetails?.iamInstanceProfile + ?.arn, alert, ); alert.data.aws.title = interpolateAlertProps( alert.data.aws.title, alert, ); - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - alert.data.aws.service.eventFirstSeen = formatDate( + alert.data.aws.accountId = Random.arrayItem(AWS.accountId); + alert.data.aws.service.eventFirstSeen = DateFormatter.format( beforeDate, - 'Y-M-DTh:m:s.lZ', + DateFormatter.DATE_FORMAT.ISO_FULL, ); - alert.data.aws.service.eventLastSeen = formatDate( + alert.data.aws.service.eventLastSeen = DateFormatter.format( new Date(alert.timestamp), - 'Y-M-DTh:m:s.lZ', + DateFormatter.DATE_FORMAT.ISO_FULL, ); alert.data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails = { - ...randomArrayItem(AWS.remoteIpDetails), + ...Random.arrayItem(AWS.remoteIpDetails), }; alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate( + s3bucket: Random.arrayItem(AWS.buckets), + log_file: `guardduty/${DateFormatter.format( new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_guardduty-1-${formatDate( + DateFormatter.DATE_FORMAT.SHORT_DATE_TIME_SLASH, + )}/firehose_guardduty-1-${DateFormatter.format( new Date(alert.timestamp), - 'Y-M-D-h-m-s-l', + DateFormatter.DATE_FORMAT.FULL_HYPHENATED, )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, }; - alert.data.aws.service.count = `${randomIntervalInteger(400, 4000)}`; - alert.data.aws.createdAt = 
formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.service.count = `${Random.number(400, 4000)}`; + alert.data.aws.createdAt = DateFormatter.format( + beforeDate, + DateFormatter.DATE_FORMAT.ISO_FULL, + ); alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); + alert.rule.firedtimes = Random.number(1, 50); alert.rule.description = interpolateAlertProps( typeAlert.rule.description, alert, 
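Review bot: In the guarddutyPortProbe case the read side of the `iamInstanceProfile` arn is now optional-chained (`typeAlert.data.aws.resource?.instanceDetails?.iamInstanceProfile?.arn`) but the assignment target of the same statement, `alert.data.aws.resource.instanceDetails.iamInstanceProfile.arn`, is not, so a template without that path still throws on the write and otherwise `interpolateAlertProps` receives `undefined`; either guard both sides or keep neither. Separately, `alert.data = { ...typeAlert.data }` at the top of the case is a shallow copy, so `alert.data.aws` is presumably the template's own object and the writes to `.region`, `.accountId`, `.log_info` and `.title` mutate the shared sample data — from the second alert on, `alert.data.aws.title` is interpolated from an already-interpolated string; the apiCall, networkConnection and macie cases in the following hunks have the same pattern. A deep copy such as `alert.data = JSON.parse(JSON.stringify(typeAlert.data));` (adequate for plain-data templates) avoids it. The enclosing switch starts and ends outside the hunk.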
@@ -214,32 +190,35 @@ function generateAlert(params) { alert.data = { ...typeAlert.data }; alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); + alert.data.aws.region = Random.arrayItem(AWS.region); alert.data.aws.resource.accessKeyDetails.userName = - randomArrayItem(Users); + Random.arrayItem(USERS); alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate( + s3bucket: Random.arrayItem(AWS.buckets), + log_file: `guardduty/${DateFormatter.format( new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_guardduty-1-${formatDate( + DateFormatter.DATE_FORMAT.SHORT_DATE_TIME_SLASH, + )}/firehose_guardduty-1-${DateFormatter.format( new Date(alert.timestamp), - 'Y-M-D-h-m-s-l', + DateFormatter.DATE_FORMAT.FULL_HYPHENATED, )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, }; - alert.data.aws.accountId = randomArrayItem(AWS.accountId); + alert.data.aws.accountId = Random.arrayItem(AWS.accountId); alert.data.aws.service.action.awsApiCallAction.remoteIpDetails = { - ...randomArrayItem(AWS.remoteIpDetails), + ...Random.arrayItem(AWS.remoteIpDetails), }; - alert.data.aws.service.eventFirstSeen = formatDate( + alert.data.aws.service.eventFirstSeen = DateFormatter.format( beforeDate, - 'Y-M-DTh:m:s.lZ', + DateFormatter.DATE_FORMAT.ISO_FULL, ); - alert.data.aws.service.eventLastSeen = formatDate( + alert.data.aws.service.eventLastSeen = DateFormatter.format( new Date(alert.timestamp), - 'Y-M-DTh:m:s.lZ', + DateFormatter.DATE_FORMAT.ISO_FULL, + ); + alert.data.aws.createdAt = DateFormatter.format( + beforeDate, + DateFormatter.DATE_FORMAT.ISO_FULL, ); - alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); alert.data.aws.title = interpolateAlertProps( alert.data.aws.title, alert, 
@@ -248,12 +227,12 @@ function generateAlert(params) { alert.data.aws.description, alert, ); - const count = `${randomIntervalInteger(400, 4000)}`; + const count = `${Random.number(400, 4000)}`; alert.data.aws.service.additionalInfo.recentApiCalls.count = count; alert.data.aws.service.count = count; alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); + alert.rule.firedtimes = Random.number(1, 50); alert.rule.description = interpolateAlertProps( typeAlert.rule.description, alert, @@ -268,18 +247,18 @@ function generateAlert(params) { alert.data = { ...typeAlert.data }; alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); + alert.data.aws.region = Random.arrayItem(AWS.region); alert.data.aws.resource.instanceDetails = { - ...randomArrayItem(AWS.instanceDetails), + ...Random.arrayItem(AWS.instanceDetails), }; alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate( + s3bucket: Random.arrayItem(AWS.buckets), + log_file: `guardduty/${DateFormatter.format( new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_guardduty-1-${formatDate( + DateFormatter.DATE_FORMAT.SHORT_DATE_TIME_SLASH, + )}/firehose_guardduty-1-${DateFormatter.format( new Date(alert.timestamp), - 'Y-M-D-h-m-s-l', + DateFormatter.DATE_FORMAT.FULL_HYPHENATED, )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, }; alert.data.aws.description = interpolateAlertProps( 
@@ -290,27 +269,30 @@ function generateAlert(params) { alert.data.aws.title, alert, ); - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.accountId = Random.arrayItem(AWS.accountId); + alert.data.aws.createdAt = DateFormatter.format( + beforeDate, + DateFormatter.DATE_FORMAT.ISO_FULL, + ); alert.data.aws.service.action.networkConnectionAction.remoteIpDetails = { - ...randomArrayItem(AWS.remoteIpDetails), + ...Random.arrayItem(AWS.remoteIpDetails), }; - alert.data.aws.service.eventFirstSeen = formatDate( + alert.data.aws.service.eventFirstSeen = DateFormatter.format( beforeDate, - 'Y-M-DTh:m:s.lZ', + DateFormatter.DATE_FORMAT.ISO_FULL, ); - alert.data.aws.service.eventLastSeen = formatDate( + alert.data.aws.service.eventLastSeen = DateFormatter.format( new Date(alert.timestamp), - 'Y-M-DTh:m:s.lZ', + DateFormatter.DATE_FORMAT.ISO_FULL, ); alert.data.aws.service.additionalInfo = { - localPort: `${randomArrayItem(Ports)}`, - outBytes: `${randomIntervalInteger(1000, 3000)}`, - inBytes: `${randomIntervalInteger(1000, 10000)}`, - unusual: `${randomIntervalInteger(1000, 10000)}`, + localPort: `${Random.arrayItem(PORTS)}`, + outBytes: `${Random.number(1000, 3000)}`, + inBytes: `${Random.number(1000, 10000)}`, + unusual: `${Random.number(1000, 10000)}`, }; - alert.data.aws.service.count = `${randomIntervalInteger(400, 4000)}`; + alert.data.aws.service.count = `${Random.number(400, 4000)}`; alert.data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4 = alert.data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress; alert.data.aws.arn = interpolateAlertProps( @@ -318,7 +300,7 @@ function generateAlert(params) { alert, ); alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); + alert.rule.firedtimes = Random.number(1, 50); alert.rule.description = interpolateAlertProps( typeAlert.rule.description, alert, 
@@ -333,25 +315,28 @@ function generateAlert(params) { alert.data = { ...typeAlert.data }; alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.summary.Timestamps = formatDate( + alert.data.aws.region = Random.arrayItem(AWS.region); + alert.data.aws.summary.Timestamps = DateFormatter.format( beforeDate, - 'Y-M-DTh:m:s.lZ', + DateFormatter.DATE_FORMAT.ISO_FULL, ); alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `macie/${formatDate( + s3bucket: Random.arrayItem(AWS.buckets), + log_file: `macie/${DateFormatter.format( new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_macie-1-${formatDate( + DateFormatter.DATE_FORMAT.SHORT_DATE_TIME_SLASH, + )}/firehose_macie-1-${DateFormatter.format( new Date(alert.timestamp), - 'Y-M-D-h-m-s', - )}-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-${formatDate( + DateFormatter.DATE_FORMAT.COMPACT_DATE_TIME_HYPHENATED, + )}-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-${DateFormatter.format( new Date(alert.timestamp), - 'Y-M-D-h-m-s-l', + DateFormatter.DATE_FORMAT.FULL_HYPHENATED, )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, }; - alert.data.aws['created-at'] = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws['created-at'] = DateFormatter.format( + beforeDate, + DateFormatter.DATE_FORMAT.ISO_FULL, + ); alert.data.aws.url = interpolateAlertProps( typeAlert.data.aws.url, alert, @@ -362,17 +347,18 @@ function generateAlert(params) { ); alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); + alert.rule.firedtimes = Random.number(1, 50); alert.decoder = { ...typeAlert.decoder }; alert.location = typeAlert.location; break; } default: { + /* empty */ } } alert.input = { type: 'log' }; - alert.GeoLocation = randomArrayItem(GeoLocation); + alert.GeoLocation = Random.arrayItem(GEO_LOCATION); } if (params.office) { 
@@ -387,45 +373,48 @@ function generateAlert(params) { } const beforeDate = new Date( - new Date(alert.timestamp) - 3 * 24 * 60 * 60 * 1000, + new Date(alert.timestamp).getTime() - 3 * 24 * 60 * 60 * 1000, ); - const IntraID = randomArrayItem(Office.arrayUuidOffice); - const OrgID = randomArrayItem(Office.arrayUuidOffice); - const objID = randomArrayItem(Office.arrayUuidOffice); - const userKey = randomArrayItem(Office.arrayUuidOffice); - const userID = randomArrayItem(Office.arrayUserId); - const userType = randomArrayItem([0, 2, 4]); - const resultStatus = randomArrayItem([ + const IntraID = Random.arrayItem(Office.arrayUuidOffice); + const OrgID = Random.arrayItem(Office.arrayUuidOffice); + const objID = Random.arrayItem(Office.arrayUuidOffice); + const userKey = Random.arrayItem(Office.arrayUuidOffice); + const userID = Random.arrayItem(Office.arrayUserId); + const userType = Random.arrayItem([0, 2, 4]); + const resultStatus = Random.arrayItem([ 'Succeeded', 'PartiallySucceeded', 'Failed', ]); - const log = randomArrayItem(Office.arrayLogs); + const log = Random.arrayItem(Office.arrayLogs); const ruleData = Office.officeRules[log.RecordType]; alert.agent.id = '000'; alert.rule = ruleData.rule; - alert.decoder = randomArrayItem(Office.arrayDecoderOffice); - alert.GeoLocation = randomArrayItem(GeoLocation); + alert.decoder = Random.arrayItem(Office.arrayDecoderOffice); + alert.GeoLocation = Random.arrayItem(GEO_LOCATION); alert.data.integration = 'Office365'; alert.location = Office.arrayLocationOffice; alert.data.office365 = { ...log, ...ruleData.data.office365, Id: IntraID, - CreationTime: formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'), + CreationTime: DateFormatter.format( + beforeDate, + DateFormatter.DATE_FORMAT.ISO_FULL, + ), OrganizationId: OrgID, UserType: userType, UserKey: userKey, ResultStatus: resultStatus, ObjectId: objID, UserId: userID, - ClientIP: randomArrayItem(Office.arrayIp), + ClientIP: Random.arrayItem(Office.arrayIp), }; } if (params.gcp) { - 
alert.rule = randomArrayItem(GCP.arrayRules); + alert.rule = Random.arrayItem(GCP.arrayRules); alert.data.integration = 'gcp'; alert.data.gcp = { insertId: 'uk1zpe23xcj', @@ -482,15 +471,15 @@ function generateAlert(params) { timestamp: '2019-11-11T02:42:04.34921449Z', }; - alert.GeoLocation = randomArrayItem(GeoLocation); + alert.GeoLocation = Random.arrayItem(GEO_LOCATION); } if (params.audit) { - let dataAudit = randomArrayItem(Audit.dataAudit); + const dataAudit = Random.arrayItem(Audit.dataAudit); alert.data = dataAudit.data; alert.data.audit.file ? alert.data.audit.file.name === '' - ? (alert.data.audit.file.name = randomArrayItem(Audit.fileName)) + ? (alert.data.audit.file.name = Random.arrayItem(Audit.fileName)) : null : null; alert.rule = dataAudit.rule; 
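Review bot: In the audit block `alert.data = dataAudit.data;` assigns the template by reference, and the nested ternary below then writes `alert.data.audit.file.name` into it when the name is empty, so — assuming `Audit.dataAudit` is a module-level array — the first generated alert fixes the file name inside the shared template and every later alert drawn from the same entry reuses it instead of picking a fresh `Audit.fileName`. Copying `dataAudit.data` (including the nested `audit.file` object) before the write keeps the randomisation per alert. The ternary used only for its side effect would also read more plainly as `if (alert.data.audit.file && alert.data.audit.file.name === '') { ... }`. generateAlert's body continues past the hunk.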
@@ -500,39 +489,39 @@ function generateAlert(params) { alert.rule.groups.push('ciscat'); alert.data.cis = {}; - alert.data.cis.group = randomArrayItem(CISCAT.group); - alert.data.cis.fail = randomIntervalInteger(0, 100); - alert.data.cis.rule_title = randomArrayItem(CISCAT.ruleTitle); - alert.data.cis.notchecked = randomIntervalInteger(0, 100); - alert.data.cis.score = randomIntervalInteger(0, 100); - alert.data.cis.pass = randomIntervalInteger(0, 100); - alert.data.cis.timestamp = new Date(randomDate()); - alert.data.cis.error = randomIntervalInteger(0, 1); - alert.data.cis.benchmark = randomArrayItem(CISCAT.benchmark); - alert.data.cis.unknown = randomIntervalInteger(0, 100); - alert.data.cis.notchecked = randomIntervalInteger(0, 5); - alert.data.cis.result = randomArrayItem(CISCAT.result); + alert.data.cis.group = Random.arrayItem(CISCAT.group); + alert.data.cis.fail = Random.number(0, 100); + alert.data.cis.rule_title = Random.arrayItem(CISCAT.ruleTitle); + alert.data.cis.notchecked = Random.number(0, 100); + alert.data.cis.score = Random.number(0, 100); + alert.data.cis.pass = Random.number(0, 100); + alert.data.cis.timestamp = new Date(Random.date()); + alert.data.cis.error = Random.number(0, 1); + alert.data.cis.benchmark = Random.arrayItem(CISCAT.benchmark); + alert.data.cis.unknown = Random.number(0, 100); + alert.data.cis.notchecked = Random.number(0, 5); + alert.data.cis.result = Random.arrayItem(CISCAT.result); } if (params.docker) { - const dataDocker = randomArrayItem(Docker.dataDocker); + const dataDocker = Random.arrayItem(Docker.dataDocker); alert.data = {}; alert.data = dataDocker.data; alert.rule = dataDocker.rule; } if (params.mitre) { - alert.rule = randomArrayItem(Mitre.arrayMitreRules); - alert.location = randomArrayItem(Mitre.arrayLocation); + alert.rule = Random.arrayItem(Mitre.arrayMitreRules); + alert.location = Random.arrayItem(Mitre.arrayLocation); } if (params.openscap) { alert.data = {}; alert.data.oscap = {}; - const typeAlert = { 
...randomArrayItem(OpenSCAP.data) }; + const typeAlert = { ...Random.arrayItem(OpenSCAP.data) }; alert.data = { ...typeAlert.data }; alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(2, 10); + alert.rule.firedtimes = Random.number(2, 10); alert.input = { type: 'log', }; @@ -550,14 +539,14 @@ function generateAlert(params) { type: 'log', }; - const alertCategory = randomArrayItem(['Rootkit', 'Trojan']); + const alertCategory = Random.arrayItem(['Rootkit', 'Trojan']); switch (alertCategory) { case 'Rootkit': { - const rootkitCategory = randomArrayItem( + const rootkitCategory = Random.arrayItem( Object.keys(PolicyMonitoring.rootkits), ); - const rootkit = randomArrayItem( + const rootkit = Random.arrayItem( PolicyMonitoring.rootkits[rootkitCategory], ); alert.data = { @@ -571,18 +560,18 @@ function generateAlert(params) { ), }; alert.rule = { ...PolicyMonitoring.rootkitsData.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 10); + alert.rule.firedtimes = Random.number(1, 10); alert.full_log = alert.data.title; break; } case 'Trojan': { - const trojan = randomArrayItem(PolicyMonitoring.trojans); + const trojan = Random.arrayItem(PolicyMonitoring.trojans); alert.data = { file: trojan.file, title: 'Trojaned version of file detected.', }; alert.rule = { ...PolicyMonitoring.trojansData.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 10); + alert.rule.firedtimes = Random.number(1, 10); alert.full_log = interpolateAlertProps( PolicyMonitoring.trojansData.full_log, alert, @@ -593,6 +582,7 @@ function generateAlert(params) { break; } default: { + /* empty */ } } } 
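Review bot: `alert.data.cis.notchecked` is assigned twice in the ciscat block — `Random.number(0, 100)` and, seven statements later, `Random.number(0, 5)` — so the first assignment is dead and the refactor carried it over unchanged; drop the first one, or rename the second if it was meant for another field. `alert.data.cis.timestamp = new Date(Random.date())` also wraps whatever `Random.date()` returns in a `Date` while the top-level timestamp goes through `DateFormatter`; if `Random.date()` already returns a `Date` the wrapper is redundant, and otherwise the two fields end up in different representations, so a short comment stating the intended type would help. generateAlert's body continues past the hunk.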
@@ -600,20 +590,20 @@ function generateAlert(params) { if (params.syscheck) { alert.rule.groups.push('syscheck'); alert.syscheck = {}; - alert.syscheck.event = randomArrayItem(IntegrityMonitoring.events); - alert.syscheck.path = randomArrayItem( + alert.syscheck.event = Random.arrayItem(IntegrityMonitoring.events); + alert.syscheck.path = Random.arrayItem( alert.agent.name === 'Windows' ? IntegrityMonitoring.pathsWindows : IntegrityMonitoring.pathsLinux, ); - alert.syscheck.uname_after = randomArrayItem(Users); + alert.syscheck.uname_after = Random.arrayItem(USERS); alert.syscheck.gname_after = 'root'; - alert.syscheck.mtime_after = new Date(randomDate()); - alert.syscheck.size_after = randomIntervalInteger(0, 65); - alert.syscheck.uid_after = randomArrayItem(IntegrityMonitoring.uid_after); - alert.syscheck.gid_after = randomArrayItem(IntegrityMonitoring.gid_after); + alert.syscheck.mtime_after = new Date(Random.date()); + alert.syscheck.size_after = Random.number(0, 65); + alert.syscheck.uid_after = Random.arrayItem(IntegrityMonitoring.uid_after); + alert.syscheck.gid_after = Random.arrayItem(IntegrityMonitoring.gid_after); alert.syscheck.perm_after = 'rw-r--r--'; - alert.syscheck.inode_after = randomIntervalInteger(0, 100000); + alert.syscheck.inode_after = Random.number(0, 100000); switch (alert.syscheck.event) { case 'added': alert.rule = IntegrityMonitoring.regulatory[0]; 
@@ -623,41 +613,42 @@ function generateAlert(params) { alert.syscheck.mtime_before = new Date( alert.syscheck.mtime_after.getTime() - 1000 * 60, ); - alert.syscheck.inode_before = randomIntervalInteger(0, 100000); - alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); + alert.syscheck.inode_before = Random.number(0, 100000); + alert.syscheck.sha1_after = Random.createHash(40); alert.syscheck.changed_attributes = [ - randomArrayItem(IntegrityMonitoring.attributes), + Random.arrayItem(IntegrityMonitoring.attributes), ]; - alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); - alert.syscheck.sha256_after = randomElements(64, 'abcdef0123456789'); + alert.syscheck.md5_after = Random.createHash(32); + alert.syscheck.sha256_after = Random.createHash(64); break; case 'deleted': alert.rule = IntegrityMonitoring.regulatory[2]; - alert.syscheck.tags = [randomArrayItem(IntegrityMonitoring.tags)]; - alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); + alert.syscheck.tags = [Random.arrayItem(IntegrityMonitoring.tags)]; + alert.syscheck.sha1_after = Random.createHash(40); alert.syscheck.audit = { process: { - name: randomArrayItem(Paths), - id: randomIntervalInteger(0, 100000), - ppid: randomIntervalInteger(0, 100000), + name: Random.arrayItem(PATHS), + id: Random.number(0, 100000), + ppid: Random.number(0, 100000), }, effective_user: { - name: randomArrayItem(Users), - id: randomIntervalInteger(0, 100), + name: Random.arrayItem(USERS), + id: Random.number(0, 100), }, user: { - name: randomArrayItem(Users), - id: randomIntervalInteger(0, 100), + name: Random.arrayItem(USERS), + id: Random.number(0, 100), }, group: { - name: randomArrayItem(Users), - id: randomIntervalInteger(0, 100), + name: Random.arrayItem(USERS), + id: Random.number(0, 100), }, }; - alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); - alert.syscheck.sha256_after = randomElements(64, 'abcdef0123456789'); + alert.syscheck.md5_after = 
Random.createHash(32); + alert.syscheck.sha256_after = Random.createHash(64); break; default: { + /* empty */ } } } @@ -666,25 +657,26 @@ function generateAlert(params) { alert.rule.groups.push('virustotal'); alert.location = 'virustotal'; alert.data.virustotal = {}; - alert.data.virustotal.found = randomArrayItem(['0', '1', '1', '1']); + alert.data.virustotal.found = Random.arrayItem(['0', '1', '1', '1']); alert.data.virustotal.source = { - sha1: randomElements(40, 'abcdef0123456789'), - file: randomArrayItem(Virustotal.sourceFile), - alert_id: `${randomElements(10, '0123456789')}.${randomElements( + sha1: Random.createHash(40), + file: Random.arrayItem(Virustotal.sourceFile), + alert_id: `${Random.createHash(10, Random.NUMBERS)}.${Random.createHash( 7, - '0123456789', + Random.NUMBERS, )}`, - md5: randomElements(32, 'abcdef0123456789'), + md5: Random.createHash(32), }; if (alert.data.virustotal.found === '1') { - alert.data.virustotal.malicious = randomArrayItem(Virustotal.malicious); - alert.data.virustotal.positives = `${randomIntervalInteger(0, 65)}`; + alert.data.virustotal.malicious = Random.arrayItem(Virustotal.malicious); + alert.data.virustotal.positives = `${Random.number(0, 65)}`; alert.data.virustotal.total = alert.data.virustotal.malicious + alert.data.virustotal.positives; + // eslint-disable-next-line max-len alert.rule.description = `VirusTotal: Alert - ${alert.data.virustotal.source.file} - ${alert.data.virustotal.positives} engines detected this file`; - alert.data.virustotal.permalink = randomArrayItem(Virustotal.permalink); + alert.data.virustotal.permalink = Random.arrayItem(Virustotal.permalink); alert.data.virustotal.scan_date = new Date( Date.parse(alert.timestamp) - 4 * 60000, ); 
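Review bot: `Random.createHash(40)` in the `modified` and `deleted` branches replaces `randomElements(40, 'abcdef0123456789')`, i.e. it appears to draw a random hex string of the digest's length rather than hash anything, but the name reads like a wrapper around `crypto.createHash`, and a reader of the sample data may take the sha1/md5/sha256 fields for real digests. A name that says what it does (`Random.hexString(40)`) or a comment at the first call site, `// random hex of sha1 length; not a digest of any file`, would prevent that. The same helper is used for the VirusTotal source hashes in the next hunk. The enclosing switch starts outside the hunk.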
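Review bot: `alert.data.virustotal.total = alert.data.virustotal.malicious + alert.data.virustotal.positives;` concatenates rather than adds: `positives` is built as a template-literal string two statements earlier (`${Random.number(0, 65)}`), so with a string operand `+` is string concatenation whatever `malicious` holds, and `total` comes out as, for example, `"3" + "12"` → `"312"`. If the fields are meant to stay strings like the rest of the block, `alert.data.virustotal.total = `${Number(alert.data.virustotal.malicious) + Number(alert.data.virustotal.positives)}`;` gives a consistent sum. The line is context here, but the statements around it were rewritten without addressing it. The `if` block continues past the end of the hunk.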
@@ -696,7 +688,7 @@ function generateAlert(params) { } if (params.vulnerabilities) { - const dataVulnerability = randomArrayItem(Vulnerability.data); + const dataVulnerability = Random.arrayItem(Vulnerability.data); alert.rule = { ...dataVulnerability.rule, mail: false, @@ -706,7 +698,7 @@ function generateAlert(params) { tsc: ['CC7.1', 'CC7.2'], }; alert.location = 'vulnerability-detector'; - alert.decoder = { name: 'json' }; + alert.decoder = DECODER.JSON; alert.data = { ...dataVulnerability.data, }; @@ -715,14 +707,14 @@ function generateAlert(params) { if (params.osquery) { alert.rule.groups.push('osquery'); alert.data.osquery = {}; - if (randomIntervalInteger(0, 5) === 0) { + if (Random.number(0, 5) === 0) { alert.rule.description = 'osquery error message'; } else { - let dataOsquery = randomArrayItem(Osquery.dataOsquery); + const dataOsquery = Random.arrayItem(Osquery.dataOsquery); alert.data.osquery = dataOsquery.osquery; alert.data.osquery.calendarTime = alert.timestamp; alert.rule.description = dataOsquery.rule.description; - randomIntervalInteger(0, 99) === 0 + Random.number(0, 99) === 0 ? (alert.data.osquery.action = 'removed') : null; } 
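Review bot: `alert.decoder = DECODER.JSON;` assigns the shared constant object where the replaced line built a fresh `{ name: 'json' }` per alert, so every vulnerability alert now references the same decoder instance (the authentication block in the next hunk does the same with `DECODER.SSHD`), whereas the AWS cases spread theirs with `alert.decoder = { ...typeAlert.decoder }`. That is harmless as long as nothing downstream mutates `alert.decoder`; if that cannot be guaranteed, copy it, `alert.decoder = { ...DECODER.JSON };`, for consistency with the other branches. generateAlert's body continues past the hunk.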
@@ -733,63 +725,63 @@ function generateAlert(params) { params.pci_dss || params.regulatory_compliance || (params.random_probability_regulatory_compliance && - randomProbability(params.random_probability_regulatory_compliance)) + Random.probability(params.random_probability_regulatory_compliance)) ) { - alert.rule.pci_dss = [randomArrayItem(PCI_DSS)]; + alert.rule.pci_dss = [Random.arrayItem(PCI_DSS)]; } if ( params.gdpr || params.regulatory_compliance || (params.random_probability_regulatory_compliance && - randomProbability(params.random_probability_regulatory_compliance)) + Random.probability(params.random_probability_regulatory_compliance)) ) { - alert.rule.gdpr = [randomArrayItem(GDPR)]; + alert.rule.gdpr = [Random.arrayItem(GDPR)]; } if ( params.gpg13 || params.regulatory_compliance || (params.random_probability_regulatory_compliance && - randomProbability(params.random_probability_regulatory_compliance)) + Random.probability(params.random_probability_regulatory_compliance)) ) { - alert.rule.gpg13 = [randomArrayItem(GPG13)]; + alert.rule.gpg13 = [Random.arrayItem(GPG13)]; } if ( params.hipaa || params.regulatory_compliance || (params.random_probability_regulatory_compliance && - randomIntervalInteger(params.random_probability_regulatory_compliance)) + Random.number(params.random_probability_regulatory_compliance)) ) { - alert.rule.hipaa = [randomArrayItem(HIPAA)]; + alert.rule.hipaa = [Random.arrayItem(HIPAA)]; } if ( params.nist_800_83 || params.regulatory_compliance || (params.random_probability_regulatory_compliance && - randomIntervalInteger(params.random_probability_regulatory_compliance)) + Random.number(params.random_probability_regulatory_compliance)) ) { - alert.rule.nist_800_53 = [randomArrayItem(NIST_800_53)]; + alert.rule.nist_800_53 = [Random.arrayItem(NIST_800_53)]; } if (params.authentication) { alert.data = { - srcip: randomArrayItem(IPs), - srcuser: randomArrayItem(Users), - srcport: randomArrayItem(Ports), - }; - alert.GeoLocation = 
randomArrayItem(GeoLocation); - alert.decoder = { - name: 'sshd', - parent: 'sshd', + srcip: Random.arrayItem(IPs), + srcuser: Random.arrayItem(USERS), + srcport: Random.arrayItem(PORTS), }; + alert.GeoLocation = Random.arrayItem(GEO_LOCATION); + alert.decoder = DECODER.SSHD; alert.input = { type: 'log', }; alert.predecoder = { program_name: 'sshd', - timestamp: formatDate(new Date(alert.timestamp), 'N D h:m:s'), + timestamp: DateFormatter.format( + new Date(alert.timestamp), + DateFormatter.DATE_FORMAT.SHORT_READABLE_FORMAT, + ), hostname: alert.manager.name, }; - let typeAlert = randomArrayItem([ + const typeAlert = Random.arrayItem([ 'invalidLoginPassword', 'invalidLoginUser', 'multipleAuthenticationFailures', @@ -831,7 +823,7 @@ function generateAlert(params) { alert.rule.groups = [ ...Authentication.multipleAuthenticationFailures.rule.groups, ]; - alert.rule.frequency = randomIntervalInteger(5, 50); + alert.rule.frequency = Random.number(5, 50); alert.full_log = interpolateAlertProps( Authentication.multipleAuthenticationFailures.full_log, alert, 
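Review bot: In the hipaa and nist_800_83 branches the guard is `Random.number(params.random_probability_regulatory_compliance)` with a single argument, while the pci_dss, gdpr and gpg13 branches just above use `Random.probability(...)`; the old code had the same one-argument `randomIntervalInteger(x)` call, so the rename carried the inconsistency over. With `max` undefined the arithmetic inside `Random.number` presumably yields NaN, so the random path for these two frameworks never (or, depending on the helper, always) fires; both lines should read `Random.probability(params.random_probability_regulatory_compliance)`. The `params.nist_800_83` flag also does not match the `alert.rule.nist_800_53` field it sets, so a caller passing `nist_800_53: true` is silently ignored — worth confirming against how the generator is invoked. The enclosing generateAlert body starts and ends outside this hunk.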
@@ -844,23 +836,20 @@ function generateAlert(params) { alert.rule.groups = [ ...Authentication.windowsInvalidLoginPassword.rule.groups, ]; - alert.rule.frequency = randomIntervalInteger(5, 50); + alert.rule.frequency = Random.number(5, 50); alert.data.win = { ...Authentication.windowsInvalidLoginPassword.data_win, }; - alert.data.win.eventdata.ipAddress = randomArrayItem(IPs); - alert.data.win.eventdata.ipPort = randomArrayItem(Ports); - alert.data.win.system.computer = randomArrayItem(Win_Hostnames); - alert.data.win.system.eventID = `${randomIntervalInteger(1, 600)}`; - alert.data.win.system.eventRecordID = `${randomIntervalInteger( - 10000, - 50000, - )}`; - alert.data.win.system.processID = `${randomIntervalInteger(1, 1200)}`; + alert.data.win.eventdata.ipAddress = Random.arrayItem(IPs); + alert.data.win.eventdata.ipPort = Random.arrayItem(PORTS); + alert.data.win.system.computer = Random.arrayItem(WIN_HOSTNAMES); + alert.data.win.system.eventID = `${Random.number(1, 600)}`; + alert.data.win.system.eventRecordID = `${Random.number(10000, 50000)}`; + alert.data.win.system.processID = `${Random.number(1, 1200)}`; alert.data.win.system.systemTime = alert.timestamp; - alert.data.win.system.processID = `${randomIntervalInteger(1, 1200)}`; - alert.data.win.system.task = `${randomIntervalInteger(1, 1800)}`; - alert.data.win.system.threadID = `${randomIntervalInteger(1, 500)}`; + alert.data.win.system.processID = `${Random.number(1, 1200)}`; + alert.data.win.system.task = `${Random.number(1, 1800)}`; + alert.data.win.system.threadID = `${Random.number(1, 500)}`; alert.full_log = interpolateAlertProps( Authentication.windowsInvalidLoginPassword.full_log, alert, 
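Review bot: `alert.data.win = { ...Authentication.windowsInvalidLoginPassword.data_win }` is a shallow copy, yet the following lines assign into `alert.data.win.eventdata.*` and `alert.data.win.system.*`, i.e. into nested objects still shared with the module-level fixture; every generated alert rewrites the same objects, so alerts produced in one `generateAlerts` batch end up sharing the last values. The github hunk (`@@ -1122`) has the same pattern with `{ ...alertType.data.github }` followed by writes to `actor_location.country_code` and `config.url`. A per-alert deep copy fixes both, e.g. `alert.data.win = JSON.parse(JSON.stringify(Authentication.windowsInvalidLoginPassword.data_win));` (or `structuredClone(...)` if the Node version in use supports it). Separately, `alert.data.win.system.processID` is assigned twice in this hunk, once before and once after `systemTime`; the second assignment can be dropped.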
@@ -872,10 +861,10 @@ function generateAlert(params) { alert.rule = { ...Authentication.userLoginFailed.rule }; alert.rule.groups = [...Authentication.userLoginFailed.rule.groups]; alert.data = { - srcip: randomArrayItem(IPs), - dstuser: randomArrayItem(Users), - uid: `${randomIntervalInteger(0, 50)}`, - euid: `${randomIntervalInteger(0, 50)}`, + srcip: Random.arrayItem(IPs), + dstuser: Random.arrayItem(USERS), + uid: `${Random.number(0, 50)}`, + euid: `${Random.number(0, 50)}`, tty: 'ssh', }; alert.decoder = { ...Authentication.userLoginFailed.decoder }; @@ -890,7 +879,7 @@ function generateAlert(params) { alert.rule = { ...Authentication.passwordCheckFailed.rule }; alert.rule.groups = [...Authentication.passwordCheckFailed.rule.groups]; alert.data = { - srcuser: randomArrayItem(Users), + srcuser: Random.arrayItem(USERS), }; alert.predecoder.program_name = 'unix_chkpwd'; alert.decoder = { ...Authentication.passwordCheckFailed.decoder }; @@ -927,12 +916,13 @@ function generateAlert(params) { alert.rule = { ...Authentication.reverseLoockupError.rule }; alert.rule.groups = [...Authentication.reverseLoockupError.rule.groups]; alert.data = { - srcip: randomArrayItem(IPs), + srcip: Random.arrayItem(IPs), }; alert.full_log = interpolateAlertProps( Authentication.reverseLoockupError.full_log, alert, ); + break; } case 'insecureConnectionAttempt': { alert.location = Authentication.insecureConnectionAttempt.location; 
@@ -941,80 +931,86 @@ function generateAlert(params) { ...Authentication.insecureConnectionAttempt.rule.groups, ]; alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), + srcip: Random.arrayItem(IPs), + srcport: Random.arrayItem(PORTS), }; alert.full_log = interpolateAlertProps( Authentication.insecureConnectionAttempt.full_log, alert, ); + break; } - case 'authenticationSuccess': { - alert.location = Authentication.authenticationSuccess.location; - alert.rule = { ...Authentication.authenticationSuccess.rule }; - alert.rule.groups = [ - ...Authentication.authenticationSuccess.rule.groups, - ]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - dstuser: randomArrayItem(Users), - }; - alert.full_log = interpolateAlertProps( - Authentication.authenticationSuccess.full_log, - alert, - ); - } - case 'maximumAuthenticationAttemptsExceeded': { - alert.location = - Authentication.maximumAuthenticationAttemptsExceeded.location; - alert.rule = { - ...Authentication.maximumAuthenticationAttemptsExceeded.rule, - }; - alert.rule.groups = [ - ...Authentication.maximumAuthenticationAttemptsExceeded.rule.groups, - ]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - dstuser: randomArrayItem(Users), - }; - alert.full_log = interpolateAlertProps( - Authentication.maximumAuthenticationAttemptsExceeded.full_log, - alert, - ); - } + case 'authenticationSuccess': + { + alert.location = Authentication.authenticationSuccess.location; + alert.rule = { ...Authentication.authenticationSuccess.rule }; + alert.rule.groups = [ + ...Authentication.authenticationSuccess.rule.groups, + ]; + alert.data = { + srcip: Random.arrayItem(IPs), + srcport: Random.arrayItem(PORTS), + dstuser: Random.arrayItem(USERS), + }; + alert.full_log = interpolateAlertProps( + Authentication.authenticationSuccess.full_log, + alert, + ); + } + break; + case 'maximumAuthenticationAttemptsExceeded': + { + alert.location = + 
Authentication.maximumAuthenticationAttemptsExceeded.location; + alert.rule = { + ...Authentication.maximumAuthenticationAttemptsExceeded.rule, + }; + alert.rule.groups = [ + ...Authentication.maximumAuthenticationAttemptsExceeded.rule.groups, + ]; + alert.data = { + srcip: Random.arrayItem(IPs), + srcport: Random.arrayItem(PORTS), + dstuser: Random.arrayItem(USERS), + }; + alert.full_log = interpolateAlertProps( + Authentication.maximumAuthenticationAttemptsExceeded.full_log, + alert, + ); + } + break; default: { + /* empty */ } } - alert.rule.firedtimes = randomIntervalInteger(2, 15); - alert.rule.tsc = [randomArrayItem(tsc)]; + alert.rule.firedtimes = Random.number(2, 15); + alert.rule.tsc = [Random.arrayItem(tsc)]; } if (params.ssh) { alert.data = { - srcip: randomArrayItem(IPs), - srcuser: randomArrayItem(Users), - srcport: randomArrayItem(Ports), - }; - alert.GeoLocation = randomArrayItem(GeoLocation); - alert.decoder = { - name: 'sshd', - parent: 'sshd', + srcip: Random.arrayItem(IPs), + srcuser: Random.arrayItem(USERS), + srcport: Random.arrayItem(PORTS), }; + alert.GeoLocation = Random.arrayItem(GEO_LOCATION); + alert.decoder = DECODER.SSHD; alert.input = { type: 'log', }; alert.predecoder = { program_name: 'sshd', - timestamp: formatDate(new Date(alert.timestamp), 'N D h:m:s'), + timestamp: DateFormatter.format( + new Date(alert.timestamp), + DateFormatter.DATE_FORMAT.SHORT_READABLE_FORMAT, + ), hostname: alert.manager.name, }; - const typeAlert = randomArrayItem(SSH.data); + const typeAlert = Random.arrayItem(SSH.data); alert.location = typeAlert.location; alert.rule = { ...typeAlert.rule }; alert.rule.groups = [...typeAlert.rule.groups]; - alert.rule.firedtimes = randomIntervalInteger(1, 15); + alert.rule.firedtimes = Random.number(1, 15); alert.full_log = interpolateAlertProps(typeAlert.full_log, alert); } 
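Review bot: The new `authenticationSuccess` and `maximumAuthenticationAttemptsExceeded` cases place `break;` after the closing brace of the case block, while `insecureConnectionAttempt` and `reverseLoockupError` in the same switch keep `break;` as the last statement inside the braces; one shape should be used throughout. Adding the missing breaks is the right fix, since previously `authenticationSuccess` fell through and was overwritten by `maximumAuthenticationAttemptsExceeded`. In the ssh block just below, `alert.GeoLocation = Random.arrayItem(GEO_LOCATION)` stores a reference to the shared fixture object, whereas the apache hunk copies it with `{ ...Random.arrayItem(GEO_LOCATION) }`; the copy is the safer form if any consumer mutates `GeoLocation`. The switch begins in the previous hunk and generateAlert continues past this one.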
@@ -1031,13 +1027,13 @@ function generateAlert(params) { alert.data = { extra_data: 'Service Control Manager', dstuser: 'SYSTEM', - system_name: randomArrayItem(Win_Hostnames), + system_name: Random.arrayItem(WIN_HOSTNAMES), id: '7040', type: 'type', status: 'INFORMATION', }; alert.rule.description = 'Windows: Service startup type was changed.'; - alert.rule.firedtimes = randomIntervalInteger(1, 20); + alert.rule.firedtimes = Random.number(1, 20); alert.rule.mail = false; alert.rule.level = 3; alert.rule.groups.push('windows', 'policy_changed'); @@ -1047,12 +1043,9 @@ function generateAlert(params) { alert.rule.nist_800_53 = ['AU.6']; alert.rule.info = 'This does not appear to be logged on Windows 2000.'; alert.location = 'WinEvtLog'; - alert.decoder = { - parent: 'windows', - name: 'windows', - }; - alert.full_log = `2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: ${alert.data.system_name}: Background Intelligent Transfer Service auto start demand start BITS `; //TODO: date - alert.id = 18145; + alert.decoder = DECODER.WINDOWS; + alert.full_log = `2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: ${alert.data.system_name}: Background Intelligent Transfer Service auto start demand start BITS `; // TODO: date + alert.id = '18145'; alert.fields = { timestamp: alert.timestamp, }; 
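Review bot: The `// TODO: date` on `alert.full_log` survives the reformat, so the Windows service-change sample still carries the fixed prefix `2020 Apr 17 05:59:05` while the other generators derive their log dates from `alert.timestamp`. With `DateFormatter` now available the prefix can be generated: `alert.full_log = \`${DateFormatter.format(new Date(alert.timestamp), 'Y N D h:m:s')} WinEvtLog: type: INFORMATION(7040): …\`;` — this assumes `DateFormatter` is required at the top of the file, which is outside this hunk. `alert.id` changing from `18145` to `'18145'` alters the type for anything that compared it numerically; presumably intentional to match the string ids used elsewhere, but worth a word in the commit message.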
@@ -1060,25 +1053,27 @@ function generateAlert(params) { } if (params.apache) { - const typeAlert = { ...Apache.data[0] }; // there is only one type alert in data array at the moment. Randomize if add more type of alerts to data array + // there is only one type alert in data array at the moment. Randomize if + // add more type of alerts to data array + const typeAlert = { ...Apache.data[0] }; alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - id: `AH${randomIntervalInteger(10000, 99999)}`, + srcip: Random.arrayItem(IPs), + srcport: Random.arrayItem(PORTS), + id: `AH${Random.number(10000, 99999)}`, }; - alert.GeoLocation = { ...randomArrayItem(GeoLocation) }; + alert.GeoLocation = { ...Random.arrayItem(GEO_LOCATION) }; alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(2, 10); + alert.rule.firedtimes = Random.number(2, 10); alert.input = { type: 'log' }; alert.location = Apache.location; alert.decoder = { ...Apache.decoder }; alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { - _timestamp_apache: formatDate( + _timestamp_apache: DateFormatter.format( new Date(alert.timestamp), - 'E N D h:m:s.l Y', + DateFormatter.DATE_FORMAT.READABLE_FORMAT, ), - _pi_id: randomIntervalInteger(10000, 30000), + _pi_id: Random.number(10000, 30000), }); } 
@@ -1088,31 +1083,40 @@ function generateAlert(params) { }; alert.data = { protocol: 'GET', - srcip: randomArrayItem(IPs), + srcip: Random.arrayItem(IPs), id: '404', - url: randomArrayItem(Web.urls), + url: Random.arrayItem(Web.urls), }; - alert.GeoLocation = { ...randomArrayItem(GeoLocation) }; + alert.GeoLocation = { ...Random.arrayItem(GEO_LOCATION) }; - const typeAlert = randomArrayItem(Web.data); - const userAgent = randomArrayItem(Web.userAgents); + const typeAlert = Random.arrayItem(Web.data); + const userAgent = Random.arrayItem(Web.userAgents); alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 10); + alert.rule.firedtimes = Random.number(1, 10); alert.decoder = { ...typeAlert.decoder }; alert.location = typeAlert.location; alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { _user_agent: userAgent, - _date: formatDate(new Date(alert.timestamp), 'D/N/Y:h:m:s +0000'), + _date: DateFormatter.format( + new Date(alert.timestamp), + DateFormatter.DATE_FORMAT.ISO_TIMESTAMP, + ), }); if (typeAlert.previous_output) { + /** @type {string[]} */ const previousOutput = []; const beforeSeconds = 4; for (let i = beforeSeconds; i > 0; i--) { - const beforeDate = new Date(new Date(alert.timestamp) - (2 + i) * 1000); + const beforeDate = new Date( + new Date(alert.timestamp).getTime() - (2 + i) * 1000, + ); previousOutput.push( interpolateAlertProps(typeAlert.full_log, alert, { _user_agent: userAgent, - _date: formatDate(new Date(beforeDate), 'D/N/Y:h:m:s +0000'), + _date: DateFormatter.format( + new Date(beforeDate), + DateFormatter.DATE_FORMAT.ISO_TIMESTAMP, + ), }), ); } 
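Review bot: Both `_date` interpolations in this block now use `DateFormatter.DATE_FORMAT.ISO_TIMESTAMP`, which the new helper defines as `'Y-M-DTh:m:s.l+0000'`, but the code they replace formatted with `'D/N/Y:h:m:s +0000'` — the Apache access-log layout that `DateFormatter.DATE_FORMAT.SLASHED_TIMESTAMP` preserves verbatim. The web sample logs therefore change from `19/Sep/2024:00:40:18 +0000` to an ISO string, which any decoder or detection test expecting the access-log shape will no longer match; both calls should pass `DateFormatter.DATE_FORMAT.SLASHED_TIMESTAMP`. Minor: `new Date(beforeDate)` wraps a value that is already a `Date`; `beforeDate` can be passed directly. The enclosing block starts before this hunk.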
@@ -1122,30 +1126,30 @@ function generateAlert(params) { if (params.github) { alert.location = GitHub.LOCATION; - alert.decoder = GitHub.DECODER; - const alertType = randomArrayItem(GitHub.ALERT_TYPES); - const actor = randomArrayItem(GitHub.ACTORS); + alert.decoder = GitHub.decoder; + const alertType = Random.arrayItem(GitHub.ALERT_TYPES); + const actor = Random.arrayItem(GitHub.ACTORS); alert.data = { github: { ...alertType.data.github }, }; - alert.data.github.org = randomArrayItem(GitHub.ORGANIZATION_NAMES); + alert.data.github.org = Random.arrayItem(GitHub.ORGANIZATION_NAMES); alert.data.github.repo && - (alert.data.github.repo = `${alert.data.github.org}/${randomArrayItem( + (alert.data.github.repo = `${alert.data.github.org}/${Random.arrayItem( GitHub.REPOSITORY_NAMES, )}`); alert.data.github.repository && (alert.data.github.repository = `${ alert.data.github.org - }/${randomArrayItem(GitHub.REPOSITORY_NAMES)}`); + }/${Random.arrayItem(GitHub.REPOSITORY_NAMES)}`); alert.data.github.actor = actor.name; alert.data.github.actor_location && alert.data.github.actor_location.country_code && (alert.data.github.actor_location.country_code = actor.country_code); alert.data.github.user && - (alert.data.github.user = randomArrayItem(GitHub.USER_NAMES)); + (alert.data.github.user = Random.arrayItem(GitHub.USER_NAMES)); alert.data.github.config && alert.data.github.config.url && - (alert.data.github.config.url = randomArrayItem( + (alert.data.github.config.url = Random.arrayItem( GitHub.SERVER_ADDRESS_WEBHOOK, )); alert.data.github['@timestamp'] = alert.timestamp; 
@@ -1156,35 +1160,15 @@ function generateAlert(params) { }; } - alert['@timestamp'] = alert.timestamp; - - return alert; -} - -/** - * Get a random array with unique values - * @param {[]} array Array to extract the values - * @param {*} randomMaxRepetitions Number max of random extractions - * @param {function} sort Funciton to seort elements - * @return {*} Array with random values extracted of paramater array passed - */ -function randomUniqueValuesFromArray(array, randomMaxRepetitions = 1, sort) { - const repetitions = randomIntervalInteger(1, randomMaxRepetitions); - const set = new Set(); - for (let i = 0; i < repetitions; i++) { - set.add(array[randomIntervalInteger(0, array.length - 1)]); + if (params.yara) { + alert = { ...alert, ...Yara.createAlert() }; } - return sort ? Array.from(set).sort(sort) : Array.from(set); -} -/** - * Get a integer within a range - * @param {number} min - Minimum limit - * @param {number} max - Maximum limit - * @returns {number} - Randomized number in interval - */ -function randomIntervalInteger(min, max) { - return Math.floor(Math.random() * (max - (min - 1))) + min; + return { + ...alert, + ['@sampledata']: true, + ['@timestamp']: alert.timestamp, + }; } /** @@ -1194,6 +1178,7 @@ function randomIntervalInteger(min, max) { * @return {*} - Random generated alerts defined with params */ function generateAlerts(params, numAlerts = 1) { + /** @type {import('./types').Alert[]} */ const alerts = []; for (let i = 0; i < numAlerts; i++) { alerts.push(generateAlert(params)); 
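Review bot: `alert = { ...alert, ...Yara.createAlert() }` reassigns `alert`, which only works if it is declared with `let` earlier in generateAlert — that declaration is outside the hunk, so worth checking, since a `const` would throw on the first yara sample. The spread is also a shallow merge: any `rule`, `data` or `decoder` object returned by `Yara.createAlert()` replaces the one built above wholesale rather than merging into it, which is presumably intended but deserves a comment on the branch, e.g. `// Yara fields override the base alert's top-level keys`. In the return object the computed keys `['@sampledata']` and `['@timestamp']` can be plain quoted keys: `'@sampledata': true,` and `'@timestamp': alert.timestamp,`. The `@sampledata` marker itself is a good addition, as it lets consumers and detections tell generated alerts apart from real ones.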
@@ -1201,119 +1186,4 @@ function generateAlerts(params, numAlerts = 1) { return alerts; } -/** - * Get a random Date in range(7 days ago - now) - * @returns {date} - Random date in range (7 days ago - now) - */ -function randomDate(inf, sup) { - const nowTimestamp = Date.now(); - const time = randomIntervalInteger(0, 604800000); // Random 7 days in miliseconds - - const unix_timestamp = nowTimestamp - time; // Last 7 days from now - - const lastWeek = new Date(unix_timestamp); - return formatDate(lastWeek, 'Y-M-DTh:m:s.l+0000'); -} - -const formatterNumber = (number, zeros = 0) => - ('0'.repeat(zeros) + `${number}`).slice(-zeros); -const monthNames = { - long: [ - 'January', - 'February', - 'March', - 'April', - 'May', - 'June', - 'July', - 'August', - 'September', - 'October', - 'November', - 'December', - ], - short: [ - 'Jan', - 'Feb', - 'Mar', - 'Apr', - 'May', - 'Jun', - 'Jul', - 'Aug', - 'Sep', - 'Oct', - 'Nov', - 'Dec', - ], -}; - -const dayNames = { - long: [ - 'Sunday', - 'Monday', - 'Tuesday', - 'Wednesday', - 'Thursday', - 'Friday', - 'Saturday', - ], - short: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'], -}; - -function formatDate(date, format) { - // It could use "moment" library to format strings too - const tokens = { - D: d => formatterNumber(d.getDate(), 2), // 01-31 - A: d => dayNames.long[d.getDay()], // 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday' - E: d => dayNames.short[d.getDay()], // 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' - M: d => formatterNumber(d.getMonth() + 1, 2), // 01-12 - J: d => monthNames.long[d.getMonth()], // 'January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December' - N: d => monthNames.short[d.getMonth()], // 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' - Y: d => d.getFullYear(), // 2020 - h: d => formatterNumber(d.getHours(), 2), // 00-23 - m: d => formatterNumber(d.getMinutes(), 2), 
// 00-59 - s: d => formatterNumber(d.getSeconds(), 2), // 00-59 - l: d => formatterNumber(d.getMilliseconds(), 3), // 000-999 - }; - - return format.split('').reduce((accum, token) => { - if (tokens[token]) { - return accum + tokens[token](date); - } - return accum + token; - }, ''); -} - -/** - * - * @param {string} str String with interpolations - * @param {*} alert Alert object - * @param {*} extra Extra parameters to interpolate what aren't in alert objet. Only admit one level of depth - */ -function interpolateAlertProps(str, alert, extra = {}) { - const matches = str.match(/{([\w\._]+)}/g); - return ( - (matches && - matches.reduce((accum, cur) => { - const match = cur.match(/{([\w\._]+)}/); - const items = match[1].split('.'); - const value = - items.reduce((a, c) => (a && a[c]) || extra[c] || undefined, alert) || - cur; - return accum.replace(cur, value); - }, str)) || - str - ); -} - -/** - * Return a random probability - * @param {number} probability - * @param {number[=100]} maximum - */ -function randomProbability(probability, maximum = 100) { - return randomIntervalInteger(0, maximum) <= probability; -} - -export { generateAlert, generateAlerts }; +module.exports = { generateAlert, generateAlerts }; diff --git a/plugins/main/server/lib/generate-alerts/helpers/date-formatter.js b/plugins/main/server/lib/generate-alerts/helpers/date-formatter.js new file mode 100644 index 0000000000..e01be2287a --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/helpers/date-formatter.js 
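Review bot: This hunk deletes the local `interpolateAlertProps`, `randomProbability`, `formatDate` and related helpers, but `interpolateAlertProps` is still called on the new side of generateAlert in the authentication, ssh, apache and web blocks of the earlier hunks. Unless a `require` for it was added at the top of the file — which is outside this chunk — those calls will throw a ReferenceError at runtime, so that import is worth confirming. The `module.exports = { generateAlert, generateAlerts }` swap matches the CommonJS conversion described in the commit message.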
@@ -0,0 +1,107 @@ +const { NumberFormatter } = require('./number-formatter'); + +class DateFormatter { + static LONG_MONTH_NAMES = [ + 'January', + 'February', + 'March', + 'April', + 'May', + 'June', + 'July', + 'August', + 'September', + 'October', + 'November', + 'December', + ]; + static SHORT_MONTH_NAMES = [ + 'Jan', + 'Feb', + 'Mar', + 'Apr', + 'May', + 'Jun', + 'Jul', + 'Aug', + 'Sep', + 'Oct', + 'Nov', + 'Dec', + ]; + static LONG_DAY_NAMES = [ + 'Sunday', + 'Monday', + 'Tuesday', + 'Wednesday', + 'Thursday', + 'Friday', + 'Saturday', + ]; + static SHORT_DAY_NAMES = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat']; + + static DATE_FORMAT = { + ISO_FULL: 'Y-M-DTh:m:s.lZ', + FULL_HYPHENATED: 'Y-M-D-h-m-s-l', + READABLE_FORMAT: 'E N D h:m:s.l Y', + SHORT_READABLE_FORMAT: 'N D h:m:s', + SLASHED_TIMESTAMP: 'D/N/Y:h:m:s +0000', + ISO_TIMESTAMP: 'Y-M-DTh:m:s.l+0000', + SHORT_DATE_TIME_SLASH: 'Y/M/D/h', + COMPACT_DATE_TIME_HYPHENATED: 'Y-M-D-h-m-s', + }; + + static tokens = { + D: (/** @type {Date} */ date) => NumberFormatter.pads(date.getDate(), 2), // 01-31 + // 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', + // 'Saturday' + A: (/** @type {Date} */ date) => + DateFormatter.LONG_DAY_NAMES[date.getDay()], + // 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' + E: (/** @type {Date} */ date) => + DateFormatter.SHORT_DAY_NAMES[date.getDay()], + M: (/** @type {Date} */ date) => + NumberFormatter.pads(date.getMonth() + 1, 2), // 01-12 + // 'January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', + // 'September', 'October', 'November', 'December' + J: (/** @type {Date} */ date) => + DateFormatter.LONG_MONTH_NAMES[date.getMonth()], + // 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', + // 'Nov', 'Dec' + N: (/** @type {Date} */ date) => + DateFormatter.SHORT_MONTH_NAMES[date.getMonth()], + Y: (/** @type {Date} */ date) => date.getFullYear(), // 2020 + h: (/** @type {Date} */ date) => 
NumberFormatter.pads(date.getHours(), 2), // 00-23 + m: (/** @type {Date} */ date) => NumberFormatter.pads(date.getMinutes(), 2), // 00-59 + s: (/** @type {Date} */ date) => NumberFormatter.pads(date.getSeconds(), 2), // 00-59 + l: (/** @type {Date} */ date) => + NumberFormatter.pads(date.getMilliseconds(), 3), // 000-999 + }; + + /** + * The function `format` formats a given date according to a specified format + * string. + * @param {Date} date - The `date` parameter in the `date` function is of type + * `Date`, which represents a specific point in time. It can include the year, + * month, day, hour, minute, second, and milliseconds. + * @param {string} format - The `format` parameter in the `date` function is used to + * specify the format in which the date should be displayed. It is a string + * that contains tokens representing different parts of the date (e.g., + * 'YYYY-MM-DD' for year-month-day format). + * @returns {string} The `date` function is returning the formatted date string based + * on the provided format. + */ + static format(date, format) { + if (!format) { + return date.toISOString(); + } + return format.split('').reduce((accum, token) => { + if (DateFormatter.tokens[token]) { + return accum + DateFormatter.tokens[token](date); + } + return accum + token; + }, ''); + } +} + +module.exports.DateFormatter = DateFormatter; diff --git a/plugins/main/server/lib/generate-alerts/helpers/date-formatter.test.js b/plugins/main/server/lib/generate-alerts/helpers/date-formatter.test.js new file mode 100644 index 0000000000..ff1ad62b14 --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/helpers/date-formatter.test.js 
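Review bot: Every token in `DateFormatter.tokens` reads local-time fields (`getHours`, `getDate`, `getMonth`, …) while the `DATE_FORMAT` presets append a fixed zone suffix (`ISO_FULL` ends in `Z`, `ISO_TIMESTAMP` and `SLASHED_TIMESTAMP` in `+0000`), so on any host not running in UTC the generated timestamps are mislabelled by the host offset; the `format` test expecting `'2024-09-19T00:40:18.573Z'` from `'Y-M-DTh:m:s.lZ'` only passes under TZ=UTC for the same reason. Since the presets hard-code UTC, the tokens should use the `getUTC*` getters (rewrite below); the token tests then need `setUTCDate`/`setUTCMonth` in place of `setDate`/`setMonth`. The JSDoc on `format` also refers to a `date` function and gives `'YYYY-MM-DD'` as an example, which is not this formatter's single-letter token scheme; `'Y-M-D'` is the accurate example, and a sentence noting that unrecognised characters are copied through literally would complete it.
```javascript
  static tokens = {
    D: (/** @type {Date} */ date) => NumberFormatter.pads(date.getUTCDate(), 2), // 01-31
    A: (/** @type {Date} */ date) => DateFormatter.LONG_DAY_NAMES[date.getUTCDay()],
    E: (/** @type {Date} */ date) => DateFormatter.SHORT_DAY_NAMES[date.getUTCDay()],
    M: (/** @type {Date} */ date) => NumberFormatter.pads(date.getUTCMonth() + 1, 2), // 01-12
    J: (/** @type {Date} */ date) => DateFormatter.LONG_MONTH_NAMES[date.getUTCMonth()],
    N: (/** @type {Date} */ date) => DateFormatter.SHORT_MONTH_NAMES[date.getUTCMonth()],
    Y: (/** @type {Date} */ date) => date.getUTCFullYear(), // 2020
    h: (/** @type {Date} */ date) => NumberFormatter.pads(date.getUTCHours(), 2), // 00-23
    m: (/** @type {Date} */ date) => NumberFormatter.pads(date.getUTCMinutes(), 2), // 00-59
    s: (/** @type {Date} */ date) => NumberFormatter.pads(date.getUTCSeconds(), 2), // 00-59
    l: (/** @type {Date} */ date) => NumberFormatter.pads(date.getUTCMilliseconds(), 3), // 000-999
  };
  // … unchanged: name tables, DATE_FORMAT presets, format() …
```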
@@ -0,0 +1,320 @@ +const { DateFormatter } = require('./date-formatter'); + +describe('DateFormatter', () => { + describe('tokens', () => { + describe('tokens.D', () => { + it('should_format_day_token_with_leading_zero', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(1); + expect(DateFormatter.tokens.D(actualDate)).toBe('01'); + }); + it('should_format_day_token_without_leading_zero', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(15); + expect(DateFormatter.tokens.D(actualDate)).toBe('15'); + }); + }); + describe('tokens.M', () => { + it('should_format_month_token_with_leading_zero', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(0); + expect(DateFormatter.tokens.M(actualDate)).toBe('01'); + }); + it('should_format_month_token_without_leading_zero', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(11); + expect(DateFormatter.tokens.M(actualDate)).toBe('12'); + }); + }); + describe('tokens.A', () => { + it('should_format_day_name_for_first_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(1); + expect(DateFormatter.tokens.A(actualDate)).toBe('Sunday'); + }); + it('should_format_day_name_for_second_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(2); + expect(DateFormatter.tokens.A(actualDate)).toBe('Monday'); + }); + it('should_format_day_name_for_third_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(3); + expect(DateFormatter.tokens.A(actualDate)).toBe('Tuesday'); + }); + it('should_format_day_name_for_fourth_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(4); + expect(DateFormatter.tokens.A(actualDate)).toBe('Wednesday'); + }); + it('should_format_day_name_for_fifth_day_of_month', () => { 
+ const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(5); + expect(DateFormatter.tokens.A(actualDate)).toBe('Thursday'); + }); + it('should_format_day_name_for_sixth_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(6); + expect(DateFormatter.tokens.A(actualDate)).toBe('Friday'); + }); + it('should_format_day_name_for_seventh_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(7); + expect(DateFormatter.tokens.A(actualDate)).toBe('Saturday'); + }); + it('should_format_day_name_for_eighth_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(8); + expect(DateFormatter.tokens.A(actualDate)).toBe('Sunday'); + }); + it('should_format_day_name_for_last_day_of_previous_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(0); + expect(DateFormatter.tokens.A(actualDate)).toBe('Saturday'); + }); + }); + describe('tokens.E', () => { + it('should_format_abbreviated_day_name_for_first_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(1); + expect(DateFormatter.tokens.E(actualDate)).toBe('Sun'); + }); + it('should_format_abbreviated_day_name_for_second_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(2); + expect(DateFormatter.tokens.E(actualDate)).toBe('Mon'); + }); + it('should_format_abbreviated_day_name_for_third_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(3); + expect(DateFormatter.tokens.E(actualDate)).toBe('Tue'); + }); + it('should_format_abbreviated_day_name_for_fourth_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(4); + expect(DateFormatter.tokens.E(actualDate)).toBe('Wed'); + }); + 
it('should_format_abbreviated_day_name_for_fifth_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(5); + expect(DateFormatter.tokens.E(actualDate)).toBe('Thu'); + }); + it('should_format_abbreviated_day_name_for_sixth_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(6); + expect(DateFormatter.tokens.E(actualDate)).toBe('Fri'); + }); + it('should_format_abbreviated_day_name_for_seventh_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(7); + expect(DateFormatter.tokens.E(actualDate)).toBe('Sat'); + }); + it('should_format_abbreviated_day_name_for_eighth_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(8); + expect(DateFormatter.tokens.E(actualDate)).toBe('Sun'); + }); + it('should_format_abbreviated_day_name_for_last_day_of_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setDate(0); + expect(DateFormatter.tokens.E(actualDate)).toBe('Sat'); + }); + }); + describe('tokens.J', () => { + it('should_format_full_month_name_for_january', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(0); + expect(DateFormatter.tokens.J(actualDate)).toBe('January'); + }); + it('should_format_full_month_name_for_february', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(1); + expect(DateFormatter.tokens.J(actualDate)).toBe('February'); + }); + it('should_format_full_month_name_for_march', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(2); + expect(DateFormatter.tokens.J(actualDate)).toBe('March'); + }); + it('should_format_full_month_name_for_april', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(3); + expect(DateFormatter.tokens.J(actualDate)).toBe('April'); + }); + 
it('should_format_full_month_name_for_may', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(4); + expect(DateFormatter.tokens.J(actualDate)).toBe('May'); + }); + it('should_format_full_month_name_for_june', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(5); + expect(DateFormatter.tokens.J(actualDate)).toBe('June'); + }); + it('should_format_full_month_name_for_july', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(6); + expect(DateFormatter.tokens.J(actualDate)).toBe('July'); + }); + it('should_format_full_month_name_for_august', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(7); + expect(DateFormatter.tokens.J(actualDate)).toBe('August'); + }); + it('should_format_full_month_name_for_september', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(8); + expect(DateFormatter.tokens.J(actualDate)).toBe('September'); + }); + it('should_format_full_month_name_for_october', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(9); + expect(DateFormatter.tokens.J(actualDate)).toBe('October'); + }); + it('should_format_full_month_name_for_november', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(10); + expect(DateFormatter.tokens.J(actualDate)).toBe('November'); + }); + it('should_format_full_month_name_for_december', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(11); + expect(DateFormatter.tokens.J(actualDate)).toBe('December'); + }); + it('should_format_full_month_name_for_thirteenth_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(12); + expect(DateFormatter.tokens.J(actualDate)).toBe('January'); + }); + it('should_format_full_month_name_for_previous_year_december', () => { + const actualDate = new 
Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(-1); + expect(DateFormatter.tokens.J(actualDate)).toBe('December'); + }); + }); + describe('tokens.N', () => { + it('should_format_month_name_for_january', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(0); + expect(DateFormatter.tokens.N(actualDate)).toBe('Jan'); + }); + it('should_format_month_name_for_february', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(1); + expect(DateFormatter.tokens.N(actualDate)).toBe('Feb'); + }); + it('should_format_month_name_for_march', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(2); + expect(DateFormatter.tokens.N(actualDate)).toBe('Mar'); + }); + it('should_format_month_name_for_april', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(3); + expect(DateFormatter.tokens.N(actualDate)).toBe('Apr'); + }); + it('should_format_month_name_for_may', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(4); + expect(DateFormatter.tokens.N(actualDate)).toBe('May'); + }); + it('should_format_month_name_for_june', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(5); + expect(DateFormatter.tokens.N(actualDate)).toBe('Jun'); + }); + it('should_format_month_name_for_july', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(6); + expect(DateFormatter.tokens.N(actualDate)).toBe('Jul'); + }); + it('should_format_month_name_for_august', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(7); + expect(DateFormatter.tokens.N(actualDate)).toBe('Aug'); + }); + it('should_format_month_name_for_september', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(8); + expect(DateFormatter.tokens.N(actualDate)).toBe('Sep'); + }); + 
it('should_format_month_name_for_october', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(9); + expect(DateFormatter.tokens.N(actualDate)).toBe('Oct'); + }); + it('should_format_month_name_for_november', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(10); + expect(DateFormatter.tokens.N(actualDate)).toBe('Nov'); + }); + it('should_format_month_name_for_december', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(11); + expect(DateFormatter.tokens.N(actualDate)).toBe('Dec'); + }); + it('should_format_month_name_for_thirteenth_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(12); + expect(DateFormatter.tokens.N(actualDate)).toBe('Jan'); + }); + it('should_format_month_name_for_previous_year_december', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + actualDate.setMonth(-1); + expect(DateFormatter.tokens.N(actualDate)).toBe('Dec'); + }); + }); + }); + describe('format', () => { + it('should_format_date_to_iso_string', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate)).toBe('2024-09-19T00:40:18.573Z'); + }); + it('should_format_date_with_custom_format_string', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'Y-M-DTh:m:s.lZ')).toBe( + '2024-09-19T00:40:18.573Z', + ); + }); + it('should_format_date_with_custom_format_without_timezone', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'Y-M-D-h-m-s-l')).toBe( + '2024-09-19-00-40-18-573', + ); + }); + it('should_format_date_with_day_name_and_custom_format', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'E N D h:m:s.l Y')).toBe( + 'Thu Sep 19 00:40:18.573 2024', + ); + }); + 
it('should_format_date_with_abbreviated_month_and_custom_time', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'N D h:m:s')).toBe( + 'Sep 19 00:40:18', + ); + }); + it('should_format_date_in_log_format_with_abbreviated_month', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'D/N/Y:h:m:s +0000')).toBe( + '19/Sep/2024:00:40:18 +0000', + ); + }); + it('should_format_date_with_iso_format_and_timezone', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'Y-M-DTh:m:s.l+0000')).toBe( + '2024-09-19T00:40:18.573+0000', + ); + }); + it('should_format_date_with_custom_separator_and_time', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'Y/M/D/h')).toBe('2024/09/19/00'); + }); + it('should_format_date_with_custom_format_and_hyphen_separator', () => { + const actualDate = new Date('2024-09-19T00:40:18.573Z'); + expect(DateFormatter.format(actualDate, 'Y-M-D-h-m-s')).toBe( + '2024-09-19-00-40-18', + ); + }); + }); +}); diff --git a/plugins/main/server/lib/generate-alerts/helpers/interpolate-alert-props.js b/plugins/main/server/lib/generate-alerts/helpers/interpolate-alert-props.js new file mode 100644 index 0000000000..f8d98174a7 --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/helpers/interpolate-alert-props.js 
@@ -0,0 +1,24 @@
+/**
+ *
+ * @param {string} str String with interpolations
+ * @param {*} alert Alert object
+ * @param {*} extra Extra parameters to interpolate what aren't in alert objet.
+ * Only admit one level of depth
+ */
+function interpolateAlertProps(str, alert, extra = {}) {
+ const matches = str.match(/{([\w\._]+)}/g);
+ return (
+ (matches &&
+ matches.reduce((accum, cur) => {
+ const match = cur.match(/{([\w\._]+)}/);
+ const items = match[1].split('.');
+ const value =
+ items.reduce((a, c) => (a && a[c]) || extra[c] || undefined, alert) ||
+ cur;
+ return accum.replace(cur, value);
+ }, str)) ||
+ str
+ );
+}
+
+module.exports.interpolateAlertProps = interpolateAlertProps;
diff --git a/plugins/main/server/lib/generate-alerts/helpers/number-formatter.js b/plugins/main/server/lib/generate-alerts/helpers/number-formatter.js
new file mode 100644
index 0000000000..adb0fd523f
--- /dev/null
+++ b/plugins/main/server/lib/generate-alerts/helpers/number-formatter.js
@@ -0,0 +1,21 @@
+class NumberFormatter {
+ /**
+ * The function `pads` pads a number with zeros to a specified length.
+ * @param {number} number - The `number` parameter is a number that you want
+ * to format as a string with leading zeros.
+ * @param [zeros=0] - The `zeros` parameter in the `number` function specifies
+ * the number of zeros to add before the `number` parameter. If `zeros` is
+ * provided, the function pads the `number` with zeros to ensure it has at
+ * least that many digits.
+ * @returns {string} The `number` function is returning a string with the input number
+ * padded with zeros to the left based on the `zeros` parameter.
+ */
+ static pads(number, zeros = 0) {
+ if (zeros < 0) {
+ throw new RangeError('Invalid count value');
+ }
+ return number.toString().padStart(zeros, '0');
+ }
+}
+
+module.exports.NumberFormatter = NumberFormatter;
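Review bot: Falsy but valid property values are lost in `items.reduce((a, c) => (a && a[c]) || extra[c] || undefined, alert) || cur`: a path that resolves to `0`, `false` or `''` (for example `{rule.mail}` when `mail` is `false`) falls through to `extra` and then leaves the literal `{rule.mail}` placeholder in the output. Replacing the `||` chain with an undefined check keeps the same fallback order while preserving falsy values: `const resolved = items.reduce((a, c) => (a != null && a[c] !== undefined ? a[c] : extra[c]), alert);` followed by `const value = resolved === undefined ? cur : resolved;`. The JSDoc also has an empty summary line and the typo "objet"; a one-line summary such as `Replaces every {path.to.prop} placeholder in str with the matching alert (or extra) value; unresolved placeholders are kept verbatim.` would document the keep-verbatim behaviour the callers rely on.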
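Review bot: `pads` pads the whole string form of the number, so a negative value gets its zeros in front of the sign: `NumberFormatter.pads(-5, 3)` returns `'0-5'`, and a non-numeric `number` (e.g. `undefined`) throws a `TypeError` from `.toString()` rather than the documented `RangeError`. If only non-negative integers are intended, state that in the JSDoc (`@param {number} number - Non-negative integer to format`); otherwise handle the sign separately, e.g. `const abs = Math.abs(number).toString().padStart(zeros, '0');` and `return number < 0 ? '-' + abs : abs;`. The `@param [zeros=0]` tag is also missing its `{number}` type, unlike the `number` parameter above it.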
diff --git a/plugins/main/server/lib/generate-alerts/helpers/number-formatter.test.js b/plugins/main/server/lib/generate-alerts/helpers/number-formatter.test.js new file mode 100644 index 0000000000..c6736bd7eb --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/helpers/number-formatter.test.js @@ -0,0 +1,21 @@ +const { NumberFormatter } = require('./number-formatter'); + +describe('NumberFormatter', () => { + it('should_return_number_without_padding_by_default', () => { + expect(NumberFormatter.pads(1)).toEqual('1'); + }); + it('should_not_add_padding_when_single_digit', () => { + expect(NumberFormatter.pads(1, 1)).toEqual('1'); + }); + it('should_pad_number_with_zeros', () => { + expect(NumberFormatter.pads(1, 2)).toEqual('01'); + }); + it('should_pad_number_with_specified_number_of_zeros', () => { + expect(NumberFormatter.pads(1, 5)).toEqual('00001'); + }); + it('should_throw_range_error_for_invalid_count_value', () => { + expect(() => { + NumberFormatter.pads(1, -1); + }).toThrow('Invalid count value'); + }); +}); diff --git a/plugins/main/server/lib/generate-alerts/helpers/random.js b/plugins/main/server/lib/generate-alerts/helpers/random.js new file mode 100644 index 0000000000..0a38ae76b6 --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/helpers/random.js 
@@ -0,0 +1,166 @@ +class Random { + static NUMBERS = '0123456789'; + static HEX_CHARACTERS = 'abcdef' + this.NUMBERS; + static ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; + + // 7 days in miliseconds + static SEVEN_DAYS = 604800000; + + /** + * @template T + * The function `arrayItem` returns a random item from an input array. + * @param {T[]} array - The `array` parameter is an array of elements of type + * `T`. + * @returns {T} A random item from the input array is being returned. + */ + static arrayItem(array) { + return array[Math.floor(array.length * Math.random())]; + } + + /** + * The function `character` takes a string input and returns a random + * character from that string. + * @param {string} text - The `text` parameter in the `character` method is + * a string that represents the input text from which a random character will + * be selected. + * @returns {string} A random character from the input text is being returned. + */ + static character(text) { + return Random.arrayItem(text.split('')); + } + + /** + * The function `createHash` generates a random hash of a specified length + * using a set of characters. + * @param {number} length - The `length` parameter in the `createHash` + * function represents the desired length of the hash that will be generated. + * This value determines how many characters will be included in the final + * hash string. + * @param {string} characters - The `characters` parameter in the `createHash` function + * is a default parameter that is set to `Random.CHARACTERS` if no value is + * provided when calling the function. This parameter likely represents the + * set of characters from which the random hash is generated. + * @returns {string} The `createHash` function is returning a randomly generated hash + * string of the specified length using the characters provided. 
+ */ + static createHash(length, characters = Random.HEX_CHARACTERS) { + let hash = ''; + + for (let i = 0; i < length; i++) { + hash += Random.character(characters); + } + + return hash; + } + + /** + * The function generates a random number within a specified range, with the + * option to provide a minimum and maximum value. + * @param {number} min - The `min` parameter in the `number` function + * represents the minimum value that can be generated randomly. + * @param {number} [max] - The `max` parameter in the `number` function + * represents the maximum value that can be generated randomly. If the `max` + * parameter is not provided when calling the function, it defaults to the + * value of the `min` parameter. + * @returns {number} The `number` function returns a random integer between the + * specified `min` and `max` values (inclusive). + */ + static number(min, max) { + if (!max) { + max = min; + min = 0; + } + return Math.floor(Math.random() * (max - (min - 1))) + min; + } + + /** + * The function returns a random date within the last 7 days from the current + * date. + * @returns {Date} A new Date object representing a date that is 7 days before the + * current date and time. + */ + static date() { + // Last 7 days from now + const unixTimestamp = Date.now() - Random.number(Random.SEVEN_DAYS); + + return new Date(unixTimestamp); + } + + /** + * The function `probability` returns true with a given probability based on + * the input parameters. + * @param {number} probability - The `probability` parameter represents the + * likelihood of an event occurring, expressed as a number between 0 and 100. + * @param [maximum=100] - The `maximum` parameter in the `probability` + * function represents the upper limit for generating a random number. The + * function will return `true` if the randomly generated number is less than + * or equal to the `probability` parameter. 
The `maximum` parameter is + * optional and defaults to 100 if not provided + * @returns {boolean} The `probability` method is returning a boolean value based on + * whether a randomly generated number between 0 and `maximum` is less than or + * equal to the provided `probability` value. + */ + static probability(probability, maximum = 100) { + return Random.number(0, maximum) <= probability; + } + + /** + * @template T + * The function `uniqueValues` generates an array of unique values from a + * given array with a specified length. + * @param {number} lenght - The `lenght` parameter represents the desired + * length of the output array containing unique values. + * @param {T[]} values - The `values` parameter in the `uniqueValues` function + * represents an array of elements of type `T`. These elements are used to + * generate a new array containing unique values up to a specified length. + * @returns {T[]} The `uniqueValues` function returns an array of unique values from + * the `values` array parameter. If the length of the `values` array is less + * than or equal to the specified `length` parameter, the function simply + * returns the `values` array as is. Otherwise, it creates a `Set` to store + * unique values and keeps adding random items from the `values` array until + * the set + */ + static uniqueValues(lenght, values) { + if (values.length <= lenght) { + return values; + } + + const result = new Set(); + + while (result.size < lenght) { + result.add(Random.arrayItem(values)); + } + + return Array.from(result); + } + + /** + * @template T + * This function generates a set of unique values from an array with an option to + * sort them and control the maximum number of repetitions. + * @param {T[]} array - The `array` parameter in the `uniqueValuesFromArray` function is + * an array from which unique values will be selected. 
+ * @param {(a: T, b: T) => number} sort - The `sort` parameter in the `uniqueValuesFromArray` function is a + * function that defines the sort order of the unique values in the resulting + * array. If a `sort` function is provided, the unique values will be sorted based + * on the criteria specified in that function. If no `sort` function + * @param [randomMaxRepetitions=1] - The `randomMaxRepetitions` parameter in the + * `uniqueValuesFromArray` function determines the maximum number of times a random + * element from the input `array` will be added to the `Set`. This parameter allows + * you to control the variability in the number of unique values returned by the + * function. + * @returns {T[]} The method `uniqueValuesFromArray` returns an array containing unique + * values from the input `array`, with an optional sorting based on the `sort` + * function provided. + */ + static uniqueValuesFromArray(array, sort, randomMaxRepetitions = 1) { + const repetitions = Random.number(1, randomMaxRepetitions); + const set = new Set(); + for (let i = 0; i < repetitions; i++) { + set.add(array[Random.number(0, array.length - 1)]); + } + return sort ? Array.from(set).sort(sort) : Array.from(set); + } +} + +module.exports.Random = Random; diff --git a/plugins/main/server/lib/generate-alerts/helpers/random.test.js b/plugins/main/server/lib/generate-alerts/helpers/random.test.js new file mode 100644 index 0000000000..9739174c1e --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/helpers/random.test.js 
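Review bot: `uniqueValues` can loop forever: it only short-circuits when `values.length <= lenght`, so a `values` array whose distinct elements are fewer than `lenght` (e.g. `Random.uniqueValues(2, ['a', 'a', 'a'])`) never lets `result.size` reach `lenght`. Deduplicate first and size-check the distinct set, e.g. `const distinct = Array.from(new Set(values)); if (distinct.length <= lenght) return distinct;`, then draw from `distinct` in the loop. Separately, `probability` draws `Random.number(0, maximum)` inclusive, i.e. 101 outcomes for the default, so `probability(0)` still returns true about 1% of the time and `probability(100)` always does; `return Random.number(1, maximum) <= probability;` gives the documented 0–100 semantics. The JSDoc on `createHash` refers to a non-existent `Random.CHARACTERS` (the default is `Random.HEX_CHARACTERS`), and `date()`'s `@returns` says "7 days before the current date" where the body returns a time somewhere within the last seven days.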
@@ -0,0 +1,92 @@ +const { Random } = require('./random'); + +describe('Random', () => { + describe('arrayItem', () => { + it('should_verify_random_item_is_in_array', () => { + const actualArray = [1, 2, 3]; + expect(actualArray.includes(Random.arrayItem(actualArray))).toBe(true); + }); + }); + describe('character', () => { + it('should_verify_random_character_is_in_string', () => { + const actualText = '123'; + expect(actualText.includes(Random.character(actualText))).toBe(true); + }); + }); + describe('createHash', () => { + it('should_return_empty_string_for_negative_length_hash', () => { + expect(Random.createHash(-1)).toBe(''); + }); + it('should_return_empty_string_for_zero_length_hash', () => { + expect(Random.createHash(0)).toBe(''); + }); + it('should_verify_random_hash_is_in_string', () => { + const actualHash = Random.createHash(1); + expect('abcdef0123456789'.includes(actualHash)).toBe(true); + }); + it('should_verify_all_characters_in_random_hash_are_in_string', () => { + const actualHash = Random.createHash(16); + actualHash.split('').forEach(char => { + expect('abcdef0123456789'.includes(char)).toBe(true); + }); + }); + it('should_verify_all_characters_in_random_hash_with_default_charset_are_in_string', () => { + const actualHash = Random.createHash(16, undefined); + actualHash.split('').forEach(char => { + expect('abcdef0123456789'.includes(char)).toBe(true); + }); + }); + }); + describe('number', () => { + it('should_return_zero_for_zero_range_number', () => { + const actualNumber = Random.number(0); + expect(actualNumber).toBe(0); + }); + it('should_return_number_within_range_of_zero_and_one', () => { + const actualNumber = Random.number(1); + expect(actualNumber).toBeGreaterThanOrEqual(0); + expect(actualNumber).toBeLessThanOrEqual(1); + }); + it('should_return_number_within_range_of_zero_and_two', () => { + const actualNumber = Random.number(2); + expect(actualNumber).toBeGreaterThanOrEqual(0); + expect(actualNumber).toBeLessThanOrEqual(2); + }); 
+ it('should_return_zero_for_negative_range_number', () => { + const actualNumber = Random.number(-1); + expect(actualNumber).toBe(0); + }); + it('should_return_number_within_range_of_negative_two_and_zero', () => { + const actualNumber = Random.number(-2); + expect(actualNumber).toBeGreaterThanOrEqual(-2); + expect(actualNumber).toBeLessThanOrEqual(0); + }); + it('should_return_number_within_range_of_three_and_five', () => { + const actualNumber = Random.number(3, 5); + expect(actualNumber).toBeGreaterThanOrEqual(3); + expect(actualNumber).toBeLessThanOrEqual(5); + }); + }); + describe('date', () => { + it('should_return_date_after_seven_days_ago', () => { + for (let i = 0; i < 100; i++) { + const expectedDate = new Date(); + expectedDate.setDate(-7); + expect(Random.date().getTime()).toBeGreaterThanOrEqual( + expectedDate.getTime(), + ); + } + }); + }); + describe('uniqueValues', () => { + it('should_verify_unique_values_returns_array_within_specified_length', () => { + for (let i = 0; i < 100; i++) { + const actualLenght = 2; + const actualValue = Random.uniqueValues(actualLenght, [1, 2, 3]); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.length).toBeGreaterThanOrEqual(1); + expect(actualValue.length).toBeLessThanOrEqual(actualLenght); + } + }); + }); +}); diff --git a/plugins/main/server/lib/generate-alerts/helpers/rule-generator.js b/plugins/main/server/lib/generate-alerts/helpers/rule-generator.js new file mode 100644 index 0000000000..16d3871f1d --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/helpers/rule-generator.js 
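Review bot: The `date` test's lower bound is not seven days ago: `expectedDate.setDate(-7)` sets the day-of-month to -7, which lands more than a week before the first of the current month, so the assertion is loose by one to several weeks and would not catch a `Random.date()` that drifted outside the intended window. Compute the bound in milliseconds instead, `const lowerBound = Date.now() - 7 * 24 * 60 * 60 * 1000;`, and assert `Random.date().getTime()` is `toBeGreaterThanOrEqual(lowerBound)` and `toBeLessThanOrEqual(Date.now())`. The `uniqueValues` test also never exercises the `values.length <= lenght` early-return branch; a case such as `Random.uniqueValues(5, [1, 2, 3])` returning the input array would cover it.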
@@ -0,0 +1,33 @@
+const {
+ ALERT_ID_MAX,
+ RULE_MAX_FIREDTIMES,
+ RULE_MAX_LEVEL,
+} = require('../constants');
+const { Random } = require('./random');
+const {
+ FREQUENCY,
+ GDPR,
+ GPG13,
+ HIPAA,
+ NIST_800_53,
+ PCI,
+ PCI_DSS,
+ tsc,
+} = require('../sample-data/regulatory-compliance');
+
+const RuleGenerator = {
+ id: () => Random.number(1, ALERT_ID_MAX).toString(),
+ level: () => Random.number(1, RULE_MAX_LEVEL),
+ firedtimes: () => Random.number(1, RULE_MAX_FIREDTIMES),
+ mail: () => Math.random() < 0.5,
+ gdpr: () => Random.uniqueValues(Random.number(1, 2), GDPR),
+ pci_dss: () => Random.uniqueValues(Random.number(1, 3), PCI_DSS),
+ tsc: () => Random.uniqueValues(Random.number(1, 6), tsc),
+ hipaa: () => Random.uniqueValues(Random.number(1, 3), HIPAA),
+ nist_800_53: () => Random.uniqueValues(Random.number(1, 4), NIST_800_53),
+ gpg13: () => Random.uniqueValues(Random.number(1, 3), GPG13),
+ pci: () => Random.uniqueValues(1, PCI),
+ frequency: () => Random.arrayItem(FREQUENCY),
+};
+
+module.exports.RuleGenerator = RuleGenerator;
diff --git a/plugins/main/server/lib/generate-alerts/helpers/rule-generator.test.js b/plugins/main/server/lib/generate-alerts/helpers/rule-generator.test.js
new file mode 100644
index 0000000000..44762d6c55
--- /dev/null
+++ b/plugins/main/server/lib/generate-alerts/helpers/rule-generator.test.js
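Review bot: `mail: () => Math.random() < 0.5` is the only generator in this object that bypasses the `Random` helper the rest of the module is built on; `mail: () => Random.arrayItem([true, false])` keeps a single source of randomness, which would also matter if `Random` is ever made seedable for reproducible sample data. `id` is the only field returned as a string while `level` and `firedtimes` stay numbers; that matches the quoted `id` values in the sample-data files touched by this commit, but a short comment on that line, `// rule ids are strings in the sample data and in the alert documents`, would stop a reader from "fixing" it back to a number.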
@@ -0,0 +1,132 @@ +const { RuleGenerator } = require('./rule-generator'); + +describe('rule-generator', () => { + describe('id', () => { + it('should_verify_id_is_string', () => { + expect(typeof RuleGenerator.id() === 'string').toBe(true); + for (let i = 0; i < 100; i++) { + expect(/\d+/.test(RuleGenerator.id())).toBe(true); + } + }); + }); + describe('level', () => { + it('should_verify_level_is_an_integer', () => { + for (let i = 0; i < 100; i++) { + expect(Number.isInteger(RuleGenerator.level())).toBe(true); + } + }); + }); + describe('firedtimes', () => { + it('firedtimes_is_an_integer', () => { + for (let i = 0; i < 100; i++) { + const actualValue = RuleGenerator.firedtimes(); + expect(Number.isInteger(actualValue)).toBe(true); + expect(actualValue).toBeGreaterThanOrEqual(0); + } + }); + }); + describe('mail', () => { + it('mail_is_an_integer', () => { + for (let i = 0; i < 100; i++) { + expect(typeof RuleGenerator.mail() === 'boolean').toBe(true); + } + }); + }); + describe('gdpr', () => { + it('should_verify_gdpr_returns_array_of_strings_within_length', () => { + for (let i = 0; i < 100; i++) { + const actualValue = RuleGenerator.gdpr(); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.every(value => typeof value === 'string')).toBe( + true, + ); + expect(actualValue.length).toBeGreaterThanOrEqual(1); + expect(actualValue.length).toBeLessThanOrEqual(2); + } + }); + }); + describe('pci_dss', () => { + it('should_verify_pci_dss_returns_array_of_strings_within_length', () => { + for (let i = 0; i < 100; i++) { + const actualValue = RuleGenerator.pci_dss(); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.every(value => typeof value === 'string')).toBe( + true, + ); + expect(actualValue.length).toBeGreaterThanOrEqual(1); + expect(actualValue.length).toBeLessThanOrEqual(3); + } + }); + }); + describe('tsc', () => { + it('should_verify_tsc_returns_array_of_strings_within_length', () => { + for (let i = 0; i < 100; i++) { 
+ const actualValue = RuleGenerator.tsc(); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.every(value => typeof value === 'string')).toBe( + true, + ); + expect(actualValue.length).toBeGreaterThanOrEqual(1); + expect(actualValue.length).toBeLessThanOrEqual(6); + } + }); + }); + describe('hipaa', () => { + it('should_verify_hipaa_returns_array_of_strings_within_length', () => { + for (let i = 0; i < 100; i++) { + const actualValue = RuleGenerator.hipaa(); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.every(value => typeof value === 'string')).toBe( + true, + ); + expect(actualValue.length).toBeGreaterThanOrEqual(1); + expect(actualValue.length).toBeLessThanOrEqual(3); + } + }); + }); + describe('nist_800_53', () => { + it('should_verify_nist_800_53_returns_array_of_strings_within_length', () => { + for (let i = 0; i < 100; i++) { + const actualValue = RuleGenerator.nist_800_53(); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.every(value => typeof value === 'string')).toBe( + true, + ); + expect(actualValue.length).toBeGreaterThanOrEqual(1); + expect(actualValue.length).toBeLessThanOrEqual(4); + } + }); + }); + describe('gpg13', () => { + it('should_verify_gpg13_returns_array_of_strings_within_length', () => { + for (let i = 0; i < 100; i++) { + const actualValue = RuleGenerator.gpg13(); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.every(value => typeof value === 'string')).toBe( + true, + ); + expect(actualValue.length).toBeGreaterThanOrEqual(1); + expect(actualValue.length).toBeLessThanOrEqual(3); + } + }); + }); + describe('pci', () => { + it('should_verify_pci_returns_array_of_strings_within_length', () => { + for (let i = 0; i < 100; i++) { + const actualValue = RuleGenerator.pci(); + expect(Array.isArray(actualValue)).toBe(true); + expect(actualValue.every(value => typeof value === 'string')).toBe( + true, + ); + expect(actualValue.length).toEqual(1); + } + }); + }); 
+ describe('frequency', () => { + it('should_verify_frequency_is_an_integer', () => { + for (let i = 0; i < 100; i++) { + expect(Number.isInteger(RuleGenerator.frequency())).toBe(true); + } + }); + }); +}); diff --git a/plugins/main/server/lib/generate-alerts/sample-data/apache.js b/plugins/main/server/lib/generate-alerts/sample-data/apache.js index b6ee306534..de7db4364b 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/apache.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/apache.js 
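Review bot: The test names in the `firedtimes` and `mail` blocks do not describe what is asserted: `mail_is_an_integer` checks `typeof RuleGenerator.mail() === 'boolean'`, and `firedtimes_is_an_integer` drops the `should_verify_` prefix the other cases use; rename them to `should_verify_mail_is_a_boolean` and `should_verify_firedtimes_is_an_integer`. In the `id` block, `/\d+/.test(RuleGenerator.id())` passes for any value containing a single digit; `/^\d+$/` asserts the whole id is numeric, which is what `Random.number(...).toString()` promises. The `frequency` test assumes `FREQUENCY` holds integers, which is not visible in this diff; if it is a fixed list, asserting membership (`expect(FREQUENCY).toContain(RuleGenerator.frequency())`) would be the stricter check.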
@@ -10,33 +10,27 @@ * Find more information about this on the LICENSE file. */ -export const location = '/var/log/httpd/error_log'; +const { DECODER } = require('./common'); -export const decoder = { - parent: "apache-errorlog", - name: "apache-errorlog" -}; +module.exports.location = '/var/log/httpd/error_log'; -export const data = [ +module.exports.decoder = DECODER.APACHE_ERRORLOG; + +module.exports.data = [ { - "rule": { - "firedtimes": 5, - "mail": false, - "level": 5, - "pci_dss": ["6.5.8","10.2.4"], - "hipaa": [ - "164.312.b" - ], - "description": "Apache: Attempt to access forbidden directory index.", - "groups": ["apache","web","access_denied"], - "id": "30306", - "nist_800_53": [ - "SA.11", - "AU.14", - "AC.7" - ], - "gdpr": ["IV_35.7.d"] + rule: { + firedtimes: 5, + mail: false, + level: 5, + pci_dss: ['6.5.8', '10.2.4'], + hipaa: ['164.312.b'], + description: 'Apache: Attempt to access forbidden directory index.', + groups: ['apache', 'web', 'access_denied'], + id: '30306', + nist_800_53: ['SA.11', 'AU.14', 'AC.7'], + gdpr: ['IV_35.7.d'], }, - "full_log": "[{_timestamp_apache}] [autoindex:error] [pid {_pi_id}] [client {data.srcip}:{data.srcport}] {data.id}: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive", - } -]; \ No newline at end of file + full_log: + '[{_timestamp_apache}] [autoindex:error] [pid {_pi_id}] [client {data.srcip}:{data.srcport}] {data.id}: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive', + }, +]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/audit.js b/plugins/main/server/lib/generate-alerts/sample-data/audit.js index c898cfff13..076d805ca5 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/audit.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/audit.js 
@@ -10,292 +10,247 @@ * Find more information about this on the LICENSE file. */ -// Audit +const { Random } = require('../helpers/random'); -import { randomArrayItem } from './common'; +// Audit -export const fileName = ["/etc/samplefile", "/etc/sample/file", "/var/sample"]; +module.exports.fileName = [ + '/etc/samplefile', + '/etc/sample/file', + '/var/sample', +]; const ruleId = ['80790', '80784', '80781', '80791']; -const auditType = ["SYSCALL", "EXECVE", "CWD", "NORMAL", "PATH", "PROCTITLE"]; +const auditType = ['SYSCALL', 'EXECVE', 'CWD', 'NORMAL', 'PATH', 'PROCTITLE']; -export const dataAudit = [{ +module.exports.dataAudit = [ + { data: { audit: { file: { - name: '' + name: '', }, exe: '/usr/sbin/sudo', command: 'sudo', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 12, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/sudo", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/sudo', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '' + name: '', }, exe: '/usr/sbin/sshd', command: 'ssh', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 3, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/ssh", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/ssh', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '' + name: '', }, exe: '/usr/sbin/crond', command: 'cron', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: 
Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 1, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/crond", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/crond', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '' + name: '', }, exe: '/usr/sbin/ls', command: 'ls', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 6, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/ls", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/ls', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '/sbin/consoletype' + name: '/sbin/consoletype', }, exe: '/usr/sbin/consoletype', command: 'consoletype', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 16, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/consoletype", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/consoletype', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '/bin/bash' + name: '/bin/bash', }, exe: '/usr/sbin/bash', command: 'bash', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 1, mail: false, level: 3, - description: "Audit: Command: 
/usr/sbin/bash", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/bash', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '/usr/bin/id' + name: '/usr/bin/id', }, exe: '/usr/sbin/id', command: 'id', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 11, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/id", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/id', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '/usr/bin/grep' + name: '/usr/bin/grep', }, exe: '/usr/sbin/grep', command: 'grep', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 13, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/grep", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/grep', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '/usr/bin/hostname' + name: '/usr/bin/hostname', }, exe: '/usr/sbin/hostname', command: 'hostname', success: 'yes', - cwd: "/home/wazuh", - type: randomArrayItem(auditType), + cwd: '/home/wazuh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 13, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/hostname", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/hostname', + groups: ['audit', 
'audit_command'], + gdpr: ['IV_30.1.g'], }, }, { data: { audit: { file: { - name: '/usr/bin/sh' + name: '/usr/bin/sh', }, exe: '/usr/sbin/sh', command: 'sh', success: 'yes', - cwd: "/home/sh", - type: randomArrayItem(auditType), + cwd: '/home/sh', + type: Random.arrayItem(auditType), }, }, rule: { - id: randomArrayItem(ruleId), + id: Random.arrayItem(ruleId), firedtimes: 17, mail: false, level: 3, - description: "Audit: Command: /usr/sbin/sh", - groups: [ - "audit", - "audit_command" - ], - gdpr: [ - "IV_30.1.g" - ] + description: 'Audit: Command: /usr/sbin/sh', + groups: ['audit', 'audit_command'], + gdpr: ['IV_30.1.g'], }, }, // { @@ -309,7 +264,7 @@ export const dataAudit = [{ // }, // }, // rule: { - // id: randomArrayItem(ruleId), + // id: Random.getArrayItem(ruleId), // firedtimes: 10, // mail: false, // level: 3, @@ -326,4 +281,4 @@ export const dataAudit = [{ // ] // }, // }, -] +]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/authentication.js b/plugins/main/server/lib/generate-alerts/sample-data/authentication.js index e8f54fb2a5..2e8aea2958 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/authentication.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/authentication.js @@ -10,11 +10,10 @@ * Find more information about this on the LICENSE file. */ -export const invalidLoginPassword = { - decoder: { - parent: 'sshd', - name: 'sshd', - }, +const { DECODER } = require('./common'); + +module.exports.invalidLoginPassword = { + decoder: DECODER.SSHD, full_log: '{predecoder.timestamp} {predecoder.hostname} sshd[5330]: Failed password for {data.srcuser} from {data.srcip} port {data.srcport} ssh2', location: '/var/log/auth.log', @@ -26,7 +25,7 @@ export const invalidLoginPassword = { rule: { description: 'sshd: authentication failed.', groups: ['syslog', 'sshd', 'invalid_login', 'authentication_failed'], - id: 5716, + id: '5716', level: 5, mail: false, pci_dss: ['10.2.4', '10.2.5'], 
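Review bot: `type: Random.arrayItem(auditType)` and `id: Random.arrayItem(ruleId)` execute once when the module is first required, so each entry of `dataAudit` keeps the same picked value for the lifetime of the process; unless the consumer (outside this hunk) re-evaluates the module per alert, the generated audit alerts are far less varied than these call sites suggest. The `RuleGenerator` helpers in this commit solve the same problem by exposing functions rather than values, but that changes the data shape; the minimal alternative is to export `ruleId` and `auditType` and pick at alert-build time. Either way a comment above `module.exports.dataAudit`, `// NOTE: the Random.arrayItem() picks below are evaluated once at module load, not per generated alert`, would make the current behaviour explicit.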
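Review bot: The commented-out entry now references `Random.getArrayItem(ruleId)`, but the `Random` helper added in this commit exposes `arrayItem`, not `getArrayItem`, so uncommenting the block would throw. Use `// id: Random.arrayItem(ruleId),` to match the live entries above, or remove the dead block altogether.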
@@ -37,11 +36,8 @@ export const invalidLoginPassword = { }, }; -export const invalidLoginUser = { - decoder: { - parent: 'sshd', - name: 'sshd', - }, +module.exports.invalidLoginUser = { + decoder: DECODER.SSHD, full_log: '{predecoder.timestamp} {predecoder.hostname} sshd[10022]: Invalid user {data.srcuser} from {data.srcuser} from {data.srcip} port {data.srcport} ssh2', location: '/var/log/secure', @@ -53,7 +49,7 @@ export const invalidLoginUser = { rule: { description: 'sshd: Attempt to login using a non-existent user', groups: ['syslog', 'sshd', 'invalid_login', 'authentication_failed'], - id: 5710, + id: '5710', level: 5, pci_dss: ['10.2.4', '10.2.5', '10.6.1'], gpg13: ['7.1'], @@ -63,16 +59,14 @@ export const invalidLoginUser = { }, }; -export const multipleAuthenticationFailures = { - decoder: { - parent: 'sshd', - name: 'sshd', - }, - full_log: `{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2`, +module.exports.multipleAuthenticationFailures = { + decoder: DECODER.SSHD, + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2', location: '/var/log/secure', rule: { description: 'sshd: Multiple authentication failures.', - id: 5720, + id: '5720', level: 10, frequency: 8, groups: ['syslog', 'sshd', 'authentication_failures'], 
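Review bot: The `invalidLoginUser` template kept by this hunk renders the source user twice — `Invalid user {data.srcuser} from {data.srcuser} from {data.srcip} …` — so every generated `full_log` reads like `Invalid user bob from bob from 1.2.3.4`, a string sshd never produces; anyone using these samples to test a search or detection on the message text is matching against bogus input. Since the line is already being touched to swap in `DECODER.SSHD`, this is a cheap place to fix the placeholder: `full_log: '{predecoder.timestamp} {predecoder.hostname} sshd[10022]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2',`. Only sample text changes, so no caller should depend on the duplicated token.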
@@ -89,8 +83,9 @@ export const multipleAuthenticationFailures = { }, }; -export const windowsInvalidLoginPassword = { - full_log: `{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2`, +module.exports.windowsInvalidLoginPassword = { + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2', data_win: { eventdata: { authenticationPackageName: 'NTLM', @@ -117,15 +112,12 @@ export const windowsInvalidLoginPassword = { version: '0', }, }, - decoder: { - parent: 'sshd', - name: 'windows_eventchannel', - }, + decoder: DECODER.WINDOWS_EVENTCHANNEL, location: 'EventChannel', rule: { description: 'Logon Failure - Unknown user or bad password', groups: ['windows', 'windows_security', 'win_authentication_failed'], - id: 60122, + id: '60122', level: 5, pci_dss: ['10.2.4', '10.2.5'], gpg13: ['7.1'], @@ -135,9 +127,9 @@ export const windowsInvalidLoginPassword = { }, }; -export const userLoginFailed = { +module.exports.userLoginFailed = { rule: { - id: 5503, + id: '5503', level: 5, description: 'PAM: User login failed.', mail: false, @@ -153,15 +145,13 @@ export const userLoginFailed = { timestamp: 'Apr 17 00:04:40', hostname: 'ip-10-0-1-178', }, - decoder: { - name: 'pam', - }, + decoder: DECODER.PAM, location: '/var/log/secure', full_log: '{predecoder.timestamp} {predecoder.hostname} sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid={data.uid} euid={data.euid} tty={data.tty} ruser= rhost={data.srcip} user={data.dstuser}', }; -export const passwordCheckFailed = { +module.exports.passwordCheckFailed = { rule: { level: 5, description: 'unix_chkpwd: Password check failed.', 
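Review bot: `windowsInvalidLoginPassword` still carries a Linux sshd `full_log` (`sshd[5413]: Failed password for invalid user …`) next to a `data_win` block describing an NTLM logon failure and, in the later hunk, `decoder: DECODER.WINDOWS_EVENTCHANNEL` with `location: 'EventChannel'`, so the fields of the generated alert contradict each other. Anyone building a Windows authentication-failure view or a rule test on these samples will see an sshd message attributed to a Windows host. Either drop the `full_log` key from this template or replace it with text consistent with the Windows event; I can't see from this diff which `data_win` fields the generator substitutes, so I won't propose a specific placeholder. The object's definition continues past the end of this hunk.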
@@ -179,16 +169,14 @@ export const passwordCheckFailed = { timestamp: 'Apr 17 00:07:04', hostname: 'ip-10-0-1-132', }, - decoder: { - name: 'unix_chkpwd', - }, + decoder: DECODER.UNIX_CHKPWD, data: { srcuser: 'root' }, location: '/var/log/secure', full_log: '{predecoder.timestamp} {predecoder.hostname} {decoder.name}[29593]: password check failed for user ({data.srcuser})', }; -export const nonExistentUser = { +module.exports.nonExistentUser = { rule: { mail: false, level: 5, @@ -206,7 +194,7 @@ export const nonExistentUser = { location: '/var/log/secure', }; -export const bruteForceTryingAccessSystem = { +module.exports.bruteForceTryingAccessSystem = { rule: { mail: false, level: 10, @@ -229,7 +217,7 @@ export const bruteForceTryingAccessSystem = { location: '/var/log/secure', }; -export const authenticationSuccess = { +module.exports.authenticationSuccess = { data: { srcip: '84.122.71.89', dstuser: 'ec2-user', @@ -254,7 +242,7 @@ export const authenticationSuccess = { }, }; -export const maximumAuthenticationAttemptsExceeded = { +module.exports.maximumAuthenticationAttemptsExceeded = { rule: { mail: false, level: 8, diff --git a/plugins/main/server/lib/generate-alerts/sample-data/aws.js b/plugins/main/server/lib/generate-alerts/sample-data/aws.js index fc76f8e10f..f2ee4cacfc 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/aws.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/aws.js 
@@ -10,486 +10,530 @@ * Find more information about this on the LICENSE file. */ - // Amazon AWS services -export const source = ["guardduty", "cloudtrail", "vpcflow", "config"]; -export const accountId = ["186157501624", "117521235382", "150447125201", "18773455640", "186154171780", "250141701015"]; -export const region = ["eu-west-1", "eu-west-2", "eu-west-3", "eu-north-1", "eu-central-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2", "me-south-1", "ap-east-1", "ap-east-2", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ca-central-1"]; // https://docs.aws.amazon.com/es_es/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions -export const buckets = ["aws-sample-bucket-1", "aws-sample-bucket-2", "aws-sample-bucket-3", "aws-sample-bucket-4", "aws-sample-bucket-5", "aws-sample-bucket-6", "aws-sample-bucket-7", "aws-sample-bucket-8", "aws-sample-bucket-9"]; +const { Random } = require('../helpers/random'); +const { DECODER } = require('./common'); -export const instanceId = ['i-060bb01699dddc20c','i-060bb020479bedc20w', 'i-070eb020479bebf20a', 'i-070eb015479befb15d', 'i-057eb060779fdae15b']; +// Amazon AWS services +module.exports.source = ['guardduty', 'cloudtrail', 'vpcflow', 'config']; +module.exports.accountId = [ + '186157501624', + '117521235382', + '150447125201', + '18773455640', + '186154171780', + '250141701015', +]; +module.exports.region = [ + 'eu-west-1', + 'eu-west-2', + 'eu-west-3', + 'eu-north-1', + 'eu-central-1', + 'us-east-1', + 'us-east-2', + 'us-west-1', + 'us-west-2', + 'me-south-1', + 'ap-east-1', + 'ap-east-2', + 'ap-northeast-2', + 'ap-northeast-3', + 'ap-south-1', + 'ap-southeast-1', + 'ap-southeast-2', + 'ap-northeast-1', + 'ca-central-1', +]; // https://docs.aws.amazon.com/es_es/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions +module.exports.buckets = [ + 'aws-sample-bucket-1', + 'aws-sample-bucket-2', + 
'aws-sample-bucket-3', + 'aws-sample-bucket-4', + 'aws-sample-bucket-5', + 'aws-sample-bucket-6', + 'aws-sample-bucket-7', + 'aws-sample-bucket-8', + 'aws-sample-bucket-9', +]; + +module.exports.instanceId = [ + 'i-060bb01699dddc20c', + 'i-060bb020479bedc20w', + 'i-070eb020479bebf20a', + 'i-070eb015479befb15d', + 'i-057eb060779fdae15b', +]; -export const remoteIpDetails = [ +module.exports.remoteIpDetails = [ { country: { - countryName: "Mexico" + countryName: 'Mexico', }, city: { - cityName: "Mérida" + cityName: 'Mérida', }, geoLocation: { - lon: "-89.616700", - lat: "20.950000" + lon: '-89.616700', + lat: '20.950000', }, organization: { - asnOrg: "Internet Mexico Company", - org: "Internet Mexico Company", - isp: "Internet Mexico Company", - asn: "4257" + asnOrg: 'Internet Mexico Company', + org: 'Internet Mexico Company', + isp: 'Internet Mexico Company', + asn: '4257', }, - ipAddressV4: "160.0.14.40" + ipAddressV4: '160.0.14.40', }, { country: { - countryName: "Italy" + countryName: 'Italy', }, city: { - cityName: "Savona" + cityName: 'Savona', }, geoLocation: { - lon: "8.477200", - lat: "44.309000" + lon: '8.477200', + lat: '44.309000', }, organization: { - asnOrg: "Speedweb", - org: "Speedweb", - isp: "Speedweb", - asn: "42784" + asnOrg: 'Speedweb', + org: 'Speedweb', + isp: 'Speedweb', + asn: '42784', }, - ipAddressV4: "2.25.80.45" + ipAddressV4: '2.25.80.45', }, { country: { - countryName: "Mexico" + countryName: 'Mexico', }, city: { - cityName: "Colima" + cityName: 'Colima', }, geoLocation: { - lon: "-103.714500", - lat: "19.266800" + lon: '-103.714500', + lat: '19.266800', }, organization: { - asnOrg: "Internet Mexico Company", - org: "Internet Mexico Company", - isp: "Internet Mexico Company", - asn: "4257" + asnOrg: 'Internet Mexico Company', + org: 'Internet Mexico Company', + isp: 'Internet Mexico Company', + asn: '4257', }, - ipAddressV4: "187.234.16.206" + ipAddressV4: '187.234.16.206', }, { country: { - countryName: "Netherlands" + countryName: 
'Netherlands', }, city: { - cityName: "Amsterdam" + cityName: 'Amsterdam', }, geoLocation: { - lon: "4.889700", - lat: "52.374000" + lon: '4.889700', + lat: '52.374000', }, organization: { - asnOrg: "Netherlands Telecom", - org: "Netherlands Telecom", - isp: "Netherlands Telecom", - asn: "40070" + asnOrg: 'Netherlands Telecom', + org: 'Netherlands Telecom', + isp: 'Netherlands Telecom', + asn: '40070', }, - ipAddressV4: "160.0.14.40" + ipAddressV4: '160.0.14.40', }, { country: { - "countryName": "Italy" + countryName: 'Italy', }, city: { - cityName: "Palermo" + cityName: 'Palermo', }, geoLocation: { - lon: "13.334100", - lat: "38.129000" + lon: '13.334100', + lat: '38.129000', }, organization: { - asnOrg: "Net Connections", - org: "Net Connections", - isp: "Net Connections", - asn: "1547" + asnOrg: 'Net Connections', + org: 'Net Connections', + isp: 'Net Connections', + asn: '1547', }, - ipAddressV4: "75.0.101.245" + ipAddressV4: '75.0.101.245', }, { country: { - countryName: "United States" + countryName: 'United States', }, city: { - cityName: "Panama City" + cityName: 'Panama City', }, geoLocation: { - lon: "-85.669600", - lat: "30.190900" + lon: '-85.669600', + lat: '30.190900', }, organization: { - asnOrg: "Internet Innovations", - org: "Intenet Innovations", - isp: "Intenet Innovations", - asn: "4252" + asnOrg: 'Internet Innovations', + org: 'Intenet Innovations', + isp: 'Intenet Innovations', + asn: '4252', }, - ipAddressV4: "70.24.101.214" - } + ipAddressV4: '70.24.101.214', + }, ]; -export const instanceDetails = [ +module.exports.instanceDetails = [ { - "launchTime": "2020-04-22T11:17:08Z", - "instanceId": "i-0b0b8b34a48c8f1c4", - "networkInterfaces": { - "networkInterfaceId": "eni-01e777fb9acd548e4", - "subnetId": "subnet-7930da22", - "vpcId": "vpc-68e3c60f", - "privateDnsName": "ip-10-0-2-2.ec2.internal", - "publicIp": "40.220.125.204", - "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", - "privateIpAddress": "10.0.2.2" - }, - 
"instanceState": "running", - "imageId": "ami-0ff8a91507f77f900", - "instanceType": "t2.small", - "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", - "iamInstanceProfile": { - "id": "AIPAJGAZMFPZHKIBOCBIG", - "arn": "arn:aws:iam::{data.aws.accountId}:instance-profile/opsworks-web-production" - }, - "availabilityZone": "us-east-1a" + launchTime: '2020-04-22T11:17:08Z', + instanceId: 'i-0b0b8b34a48c8f1c4', + networkInterfaces: { + networkInterfaceId: 'eni-01e777fb9acd548e4', + subnetId: 'subnet-7930da22', + vpcId: 'vpc-68e3c60f', + privateDnsName: 'ip-10-0-2-2.ec2.internal', + publicIp: '40.220.125.204', + publicDnsName: 'ec2-40.220.125.204.compute-1.amazonaws.com', + privateIpAddress: '10.0.2.2', + }, + instanceState: 'running', + imageId: 'ami-0ff8a91507f77f900', + instanceType: 't2.small', + imageDescription: 'Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2', + iamInstanceProfile: { + id: 'AIPAJGAZMFPZHKIBOCBIG', + arn: 'arn:aws:iam::{data.aws.accountId}:instance-profile/opsworks-web-production', + }, + availabilityZone: 'us-east-1a', }, { - "launchTime": "2019-03-22T14:15:41Z", - "instanceId": "i-0cab4a083d57dc400", - "networkInterfaces": { - "networkInterfaceId": "eni-0bb465b2d939dbda6", - "subnetId": "subnet-6b1d6203", - "vpcId": "vpc-921e61fa", - "privateDnsName": "ip-10-0-0-1.ec2.internal", - "publicIp": "54.90.48.38", - "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", - "privateIpAddress": "10.0.0.1" - }, - "instanceState": "running", - "imageId": "ami-09ae67bbfcd740875", - "instanceType": "a1.medium", - "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", - "productCodes": { - "productCodeId": "zud1u4kjmxu2j2jf0n36bqa", - "productCodeType": "marketplace" - }, - "iamInstanceProfile": { // FIXME - "id": "AIPAJGAZMFPZHKIBOUFGA", - "arn": "arn:aws:iam::{data.aws.accountId}:instance-profile/opsworks-web-production" - }, - "availabilityZone": "us-east-1e" - } -] + 
launchTime: '2019-03-22T14:15:41Z', + instanceId: 'i-0cab4a083d57dc400', + networkInterfaces: { + networkInterfaceId: 'eni-0bb465b2d939dbda6', + subnetId: 'subnet-6b1d6203', + vpcId: 'vpc-921e61fa', + privateDnsName: 'ip-10-0-0-1.ec2.internal', + publicIp: '54.90.48.38', + publicDnsName: 'ec2-54.90.48.38.compute-1.amazonaws.com', + privateIpAddress: '10.0.0.1', + }, + instanceState: 'running', + imageId: 'ami-09ae67bbfcd740875', + instanceType: 'a1.medium', + imageDescription: + 'Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12', + productCodes: { + productCodeId: 'zud1u4kjmxu2j2jf0n36bqa', + productCodeType: 'marketplace', + }, + iamInstanceProfile: { + id: Random.createHash(21, Random.ALPHABET), + arn: 'arn:aws:iam::{data.aws.accountId}:instance-profile/opsworks-web-production', + }, + availabilityZone: 'us-east-1e', + }, +]; -export const guarddutyPortProbe = { +module.exports.guarddutyPortProbe = { data: { aws: { - severity: "2", - schemaVersion: "2.0", + severity: '2', + schemaVersion: '2.0', resource: { // instanceDetails - resourceType: "Instance" + resourceType: 'Instance', }, - description: "EC2 instance has an unprotected port which is being probed by a known malicious host.", - source: "guardduty", - type: "Recon:EC2/PortProbeUnprotectedPort", - title: "Unprotected port on EC2 instance {data.aws.resource.instanceDetails.instanceId} is being probed.", + description: + 'EC2 instance has an unprotected port which is being probed by a known malicious host.', + source: 'guardduty', + type: 'Recon:EC2/PortProbeUnprotectedPort', + title: + 'Unprotected port on EC2 instance {data.aws.resource.instanceDetails.instanceId} is being probed.', // accountId: "166157441623", // createdAt: "2019-07-31T16:31:14.739Z", - partition: "aws", + partition: 'aws', service: { - archived: "false", - resourceRole: "TARGET", - detectorId: "cab38390b400c06fb2897dfcebffb80d", + archived: 'false', + resourceRole: 'TARGET', + detectorId: 
'cab38390b400c06fb2897dfcebffb80d', // eventFirstSeen: "2019-07-31T16:18:08Z", // eventLastSeen: "2020-04-22T04:11:01Z", additionalInfo: { - threatListName: "ProofPoint", - threatName: "Scanner" + threatListName: 'ProofPoint', + threatName: 'Scanner', }, - count: "2594", + count: '2594', action: { - actionType: "PORT_PROBE", + actionType: 'PORT_PROBE', portProbeAction: { - blocked: "false", + blocked: 'false', portProbeDetails: { localPortDetails: { - port: "80", - portName: "HTTP" + port: '80', + portName: 'HTTP', }, remoteIpDetails: { country: { - countryName: "Mexico" + countryName: 'Mexico', }, city: { - cityName: "M?rida" + cityName: 'M?rida', }, geoLocation: { - lon: "-89.616700", - lat: "20.950000" + lon: '-89.616700', + lat: '20.950000', }, organization: { - asnOrg: "Internet Mexico Company", - org: "Internet Mexico Company", - isp: "Internet Mexico Company", - asn: "4257" + asnOrg: 'Internet Mexico Company', + org: 'Internet Mexico Company', + isp: 'Internet Mexico Company', + asn: '4257', }, - ipAddressV4: "187.234.16.206" - } - } - } + ipAddressV4: '187.234.16.206', + }, + }, + }, }, - "serviceName": "guardduty" - } - } + serviceName: 'guardduty', + }, + }, }, rule: { firedtimes: 1, mail: false, level: 3, - description: "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance {data.aws.resource.instanceDetails.instanceId} is being probed. [IP: {data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4}] [Port: {data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port}]", - groups: ["amazon","aws","aws_guardduty"], - id: "80305" - }, - location: "Wazuh-AWS", - decoder: { - "name": "json" + description: + 'AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance {data.aws.resource.instanceDetails.instanceId} is being probed. 
[IP: {data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4}] [Port: {data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port}]', + groups: ['amazon', 'aws', 'aws_guardduty'], + id: '80305', }, + location: 'Wazuh-AWS', + decoder: DECODER.JSON, }; -export const apiCall = { - "data": { - "aws": { - "severity": "5", - "schemaVersion": "2.0", - "resource": { - "accessKeyDetails": { - "principalId": "AIDAIL4SI43KE7QMMBABB", - "userType": "IAMUser", - "userName": "" +module.exports.apiCall = { + data: { + aws: { + severity: '5', + schemaVersion: '2.0', + resource: { + accessKeyDetails: { + principalId: 'AIDAIL4SI43KE7QMMBABB', + userType: 'IAMUser', + userName: '', }, - "resourceType": "AccessKey" + resourceType: 'AccessKey', }, - "log_info": { - "s3bucket": "wazuh-aws-wodle", - "log_file": "guardduty/2020/04/22/10/firehose_guardduty-1-2020-04-22-10-36-02-d67c99dc-800a-486a-8339-59a7a8254ab2.zip" + log_info: { + s3bucket: 'wazuh-aws-wodle', + log_file: + 'guardduty/2020/04/22/10/firehose_guardduty-1-2020-04-22-10-36-02-d67c99dc-800a-486a-8339-59a7a8254ab2.zip', }, - "description": "Unusual console login seen from principal {data.aws.resource.accessKeyDetails.userName}. 
Login activity using this client application, from the specific location has not been seen before from this principal.", - "source": "guardduty", - "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", - "title": "Unusual console login was seen for principal {data.aws.resource.accessKeyDetails.userName}.", - "accountId": "166157447443", - "createdAt": "2020-04-22T10:30:26.721Z", - "partition": "aws", - "service": { - "archived": "false", - "resourceRole": "TARGET", - "detectorId": "cab38390b728c06fb2897dfcebffb80d", - "eventFirstSeen": "2020-04-22T10:09:51Z", - "eventLastSeen": "2020-04-22T10:09:55Z", - "additionalInfo": { - "recentApiCalls": { - "count": "1", - "api": "ConsoleLogin" - } + description: + 'Unusual console login seen from principal {data.aws.resource.accessKeyDetails.userName}. Login activity using this client application, from the specific location has not been seen before from this principal.', + source: 'guardduty', + type: 'UnauthorizedAccess:IAMUser/ConsoleLogin', + title: + 'Unusual console login was seen for principal {data.aws.resource.accessKeyDetails.userName}.', + accountId: '166157447443', + createdAt: '2020-04-22T10:30:26.721Z', + partition: 'aws', + service: { + archived: 'false', + resourceRole: 'TARGET', + detectorId: 'cab38390b728c06fb2897dfcebffb80d', + eventFirstSeen: '2020-04-22T10:09:51Z', + eventLastSeen: '2020-04-22T10:09:55Z', + additionalInfo: { + recentApiCalls: { + count: '1', + api: 'ConsoleLogin', + }, }, - "count": "1", - "action": { - "actionType": "AWS_API_CALL", - "awsApiCallAction": { - "callerType": "Remote IP", - "api": "ConsoleLogin", - "serviceName": "signin.amazonaws.com", - "remoteIpDetails": { - "country": { - "countryName": "United States" + count: '1', + action: { + actionType: 'AWS_API_CALL', + awsApiCallAction: { + callerType: 'Remote IP', + api: 'ConsoleLogin', + serviceName: 'signin.amazonaws.com', + remoteIpDetails: { + country: { + countryName: 'United States', }, - "city": { - "cityName": "Ashburn" + 
city: { + cityName: 'Ashburn', }, - "geoLocation": { - "lon": "-77.472800", - "lat": "39.048100" + geoLocation: { + lon: '-77.472800', + lat: '39.048100', }, - "organization": { - "asnOrg": "ASN-Internet-Com", - "org": "Internet-Com", - "isp": "Internet-Com", - "asn": "27850" + organization: { + asnOrg: 'ASN-Internet-Com', + org: 'Internet-Com', + isp: 'Internet-Com', + asn: '27850', }, - "ipAddressV4": "80.14.0.90" - } - } + ipAddressV4: '80.14.0.90', + }, + }, }, - "serviceName": "guardduty" + serviceName: 'guardduty', }, - "id": "a8b8d0b82c50eed686df4d24fa87b657", - "region": "us-east-1", - "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", - "updatedAt": "2020-04-22T10:30:26.721Z" - } + id: 'a8b8d0b82c50eed686df4d24fa87b657', + region: 'us-east-1', + arn: 'arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657', + updatedAt: '2020-04-22T10:30:26.721Z', + }, }, - "rule": { + rule: { // "firedtimes": 1, - "mail": false, - "level": 6, - "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal {data.aws.resource.accessKeyDetails.userName}.", - "groups": [ - "amazon", - "aws", - "aws_guardduty" - ], - "id": "80302" + mail: false, + level: 6, + description: + 'AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal {data.aws.resource.accessKeyDetails.userName}.', + groups: ['amazon', 'aws', 'aws_guardduty'], + id: '80302', }, - "location": "Wazuh-AWS", - "decoder": { - "name": "json" - } + location: 'Wazuh-AWS', + decoder: DECODER.JSON, }; -export const networkConnection = { - "data": { - "integration": "aws", - "aws": { - "severity": "5", - "schemaVersion": "2.0", - "resource": { - "resourceType": "Instance" +module.exports.networkConnection = { + data: { + integration: 'aws', + aws: { + severity: '5', + schemaVersion: '2.0', + resource: { + resourceType: 
'Instance', }, - "description": "EC2 instance {data.aws.resource.instanceDetails.instanceId} is communicating with a remote host on an unusual server port 5060.", - "source": "guardduty", - "type": "Behavior:EC2/NetworkPortUnusual", - "title": "Unusual outbound communication seen from EC2 instance {data.aws.resource.instanceDetails.instanceId} on server port 5060.", - "accountId": "166157441800", - "createdAt": "2020-04-22T07:18:12.769Z", - "partition": "aws", - "service": { - "archived": "false", - "resourceRole": "ACTOR", - "detectorId": "cab38390b728c06fb2897dfcebffc80d", - "eventFirstSeen": "2020-04-22T07:13:44Z", - "eventLastSeen": "2020-04-22T07:15:04Z", - "additionalInfo": { - "localPort": "50040", - "outBytes": "1912", - "inBytes": "4621", - "unusual": "5060" + description: + 'EC2 instance {data.aws.resource.instanceDetails.instanceId} is communicating with a remote host on an unusual server port 5060.', + source: 'guardduty', + type: 'Behavior:EC2/NetworkPortUnusual', + title: + 'Unusual outbound communication seen from EC2 instance {data.aws.resource.instanceDetails.instanceId} on server port 5060.', + accountId: '166157441800', + createdAt: '2020-04-22T07:18:12.769Z', + partition: 'aws', + service: { + archived: 'false', + resourceRole: 'ACTOR', + detectorId: 'cab38390b728c06fb2897dfcebffc80d', + eventFirstSeen: '2020-04-22T07:13:44Z', + eventLastSeen: '2020-04-22T07:15:04Z', + additionalInfo: { + localPort: '50040', + outBytes: '1912', + inBytes: '4621', + unusual: '5060', }, - "count": "8", - "action": { - "actionType": "NETWORK_CONNECTION", - "networkConnectionAction": { - "localIpDetails": { - "ipAddressV4": "10.0.0.251" + count: '8', + action: { + actionType: 'NETWORK_CONNECTION', + networkConnectionAction: { + localIpDetails: { + ipAddressV4: '10.0.0.251', }, - "protocol": "TCP", - "blocked": "false", - "connectionDirection": "OUTBOUND", - "localPortDetails": { - "port": "36220", - "portName": "Unknown" + protocol: 'TCP', + blocked: 'false', + 
connectionDirection: 'OUTBOUND', + localPortDetails: { + port: '36220', + portName: 'Unknown', }, - "remotePortDetails": { - "port": "5050", - "portName": "Unknown" + remotePortDetails: { + port: '5050', + portName: 'Unknown', }, - "remoteIpDetails": { - "country": { - "countryName": "United States" + remoteIpDetails: { + country: { + countryName: 'United States', }, - "city": { - "cityName": "Washington" + city: { + cityName: 'Washington', }, - "geoLocation": { - "lon": "-77.031900", - "lat": "38.905700" + geoLocation: { + lon: '-77.031900', + lat: '38.905700', }, - "organization": { - "asnOrg": "ASN-Supreme-Web", - "org": "Supreme Web", - "isp": "Supreme Web", - "asn": "395604" + organization: { + asnOrg: 'ASN-Supreme-Web', + org: 'Supreme Web', + isp: 'Supreme Web', + asn: '395604', }, - "ipAddressV4": "8.2.14.2" - } - } + ipAddressV4: '8.2.14.2', + }, + }, }, - "serviceName": "guardduty" + serviceName: 'guardduty', }, - "id": "06b8d0602d109db1282f9143809f80b8", - "region": "us-east-1", - "arn": "arn:aws:guardduty:{data.aws.region}:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", - "updatedAt": "2020-04-22T07:18:12.778Z" - } - }, - "rule": { - "mail": false, - "level": 6, - "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance {data.aws.resource.instanceDetails.instanceId} on server port 5060.", - "groups": [ - "amazon", - "aws", - "aws_guardduty" - ], - "id": "80302" + id: '06b8d0602d109db1282f9143809f80b8', + region: 'us-east-1', + arn: 'arn:aws:guardduty:{data.aws.region}:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8', + updatedAt: '2020-04-22T07:18:12.778Z', + }, }, - "location": "Wazuh-AWS", - "decoder": { - "name": "json" + rule: { + mail: false, + level: 6, + description: + 'AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance 
{data.aws.resource.instanceDetails.instanceId} on server port 5060.', + groups: ['amazon', 'aws', 'aws_guardduty'], + id: '80302', }, + location: 'Wazuh-AWS', + decoder: DECODER.JSON, }; -export const iamPolicyGrantGlobal = { - "data": { - "aws": { - "severity": "CRITICAL", - "actor": "resources.wazuh.sample.com", - "summary": { - "Timestamps": "2020-04-22T00:11:44.617597Z,", - "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", - "Bucket": "resources.wazuh.sample.com,", - "Record Count": "1", - "Event Count": "1", - "recipientAccountId": "166157441400", - "ACL": { - "resources": { - "wazuh": { - "com": { - "Owner": { - "DisplayName": "wazuh", - "ID": "3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700" - } - } - } - } - } +module.exports.iamPolicyGrantGlobal = { + data: { + aws: { + severity: 'CRITICAL', + actor: 'resources.wazuh.sample.com', + summary: { + Timestamps: '2020-04-22T00:11:44.617597Z,', + Description: + 'S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts', + Bucket: 'resources.wazuh.sample.com,', + 'Record Count': '1', + 'Event Count': '1', + recipientAccountId: '166157441400', + ACL: { + resources: { + wazuh: { + com: { + Owner: { + DisplayName: 'wazuh', + ID: '3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700', + }, + }, + }, + }, + }, }, - "risk-score": "9", - "notification-type": "ALERT_CREATED", - "name": "S3 Bucket IAM policy grants global read rights", - "created-at": "2020-04-22T00:14:45.764008", - "source": "macie", - "url": "https://mt.{data.aws.region}.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3A{data.aws.region}%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded", - "tags": { - "value": "Open Permissions,Basic Alert," + 'risk-score': '9', + 'notification-type': 'ALERT_CREATED', + name: 'S3 Bucket IAM policy grants global read rights', + 'created-at': '2020-04-22T00:14:45.764008', + source: 'macie', + url: 'https://mt.{data.aws.region}.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3A{data.aws.region}%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded', + tags: { + value: 'Open Permissions,Basic Alert,', }, - "alert-arn": "arn:aws:macie:{data.aws.region}:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed" - } + 'alert-arn': + 'arn:aws:macie:{data.aws.region}:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed', + }, }, - "rule": { - "mail": true, - "level": 12, - "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts", - "groups": ["amazon","aws","aws_macie"], - "id": "80355" + rule: { + mail: true, + level: 12, + description: + 'AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts', + groups: ['amazon', 'aws', 'aws_macie'], + id: '80355', }, - "location": "Wazuh-AWS", - "decoder": { - "name": "json" - } + location: 'Wazuh-AWS', + decoder: DECODER.JSON, }; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/ciscat.js b/plugins/main/server/lib/generate-alerts/sample-data/ciscat.js index acbdf3ada8..bbbcc10baf 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/ciscat.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/ciscat.js 
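Review bot: `instanceDetails` is now inconsistent: the second entry's `iamInstanceProfile.id` becomes `Random.createHash(21, Random.ALPHABET)` while the first keeps the literal `'AIPAJGAZMFPZHKIBOCBIG'`, and because the call sits in a module-level array literal it is evaluated once at `require` time, so every alert a process generates reuses one value rather than a fresh one per alert. If per-alert variation is the goal, the id (or the whole entry) has to be produced inside a function the generator calls; if a stable sample value is fine, a plain literal is clearer and the two entries should match. Separately, `remoteIpDetails` still lists `ipAddressV4: '160.0.14.40'` for both the Mexico/Mérida and Netherlands/Amsterdam entries, so the same source IP resolves to two countries across alerts and geolocation widgets on the redesigned dashboard will look wrong; give the Netherlands entry its own address. The `'M?rida'` in `guarddutyPortProbe` also looks like pre-existing mojibake for `'Mérida'` and could be corrected while the block is being reformatted.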
@@ -10,9 +10,20 @@ * Find more information about this on the LICENSE file. */ - // CIS-CAT +// CIS-CAT // More info https://documentation.wazuh.com/3.12/user-manual/capabilities/policy-monitoring/ciscat/ciscat.html -export const ruleTitle = ["CIS-CAT 1", "CIS-CAT 2", "CIS-CAT 3", "CIS-CAT 4", "CIS-CAT 5", "CIS-CAT 6"]; -export const group = ["Access, Authentication and Authorization", "Logging and Auditing"]; -export const benchmark = ["CIS Ubuntu Linux 16.04 LTS Benchmark"]; // TODO: add more benchmarks -export const result = ["fail", "errors", "pass", "unknown", "notchecked"]; \ No newline at end of file +module.exports.ruleTitle = [ + 'CIS-CAT 1', + 'CIS-CAT 2', + 'CIS-CAT 3', + 'CIS-CAT 4', + 'CIS-CAT 5', + 'CIS-CAT 6', +]; +module.exports.group = [ + 'Access, Authentication and Authorization', + 'Logging and Auditing', +]; +// TODO: add more benchmarks +module.exports.benchmark = ['CIS Ubuntu Linux 16.04 LTS Benchmark']; +module.exports.result = ['fail', 'errors', 'pass', 'unknown', 'notchecked']; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/common.js b/plugins/main/server/lib/generate-alerts/sample-data/common.js index 920a15a36c..65bc29b019 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/common.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/common.js @@ -10,8 +10,12 @@ * Find more information about this on the LICENSE file. */ -// Common data -export const IPs = [ +/* + ┌─────────────────────────────────────────────────────────────────────────┐ + │ Common data │ + └─────────────────────────────────────────────────────────────────────────┘ + */ +module.exports.IPs = [ '141.98.81.37', '54.10.24.5', '187.80.4.18', @@ -21,7 +25,8 @@ export const IPs = [ '45.75.196.15', '16.4.20.20', ]; -export const Users = [ + +module.exports.USERS = [ 'root', 'ec2-user', 'SYSTEM', 
@@ -31,7 +36,8 @@ export const Users = [ 'LOCAL Service', 'NETWORK Service', ]; -export const Ports = [ + +module.exports.PORTS = [ '22', '55047', '26874', @@ -46,16 +52,17 @@ export const Ports = [ '5784', '7854', ]; -export const Win_Hostnames = [ + +module.exports.WIN_HOSTNAMES = [ 'Win_Server_01', 'Win_Server_02', 'Win_Server_03', 'Win_Server_04', ]; -export const Paths = ['/home/user/sample', '/tmp/sample', '/etc/sample']; -// Agents -export const Agents = [ +module.exports.PATHS = ['/home/user/sample', '/tmp/sample', '/etc/sample']; + +module.exports.AGENTS = [ // { id: '000', name: 'master', ip: '120.17.47.10' }, { id: '001', @@ -94,8 +101,7 @@ export const Agents = [ }, ]; -// Geolocation {country_name, location: {lat, lon }, region_name} -export const GeoLocation = [ +module.exports.GEO_LOCATION = [ { country_name: 'Spain', location: { 
@@ -188,26 +194,43 @@ export const GeoLocation = [ }, ]; -/** - * Get a random element of an array - * @param {[]} array - Array to get a randomized element - * @returns {any} - Element randomized - */ -function randomStrItem(str) { - let array = str.split(''); - return array[Math.floor(array.length * Math.random())]; -} - -export const randomElements = (length, elements) => { - let hash = ''; - - for (let i = 0; i < length; i++) { - hash += randomStrItem(elements); - } - - return hash; -}; - -export const randomArrayItem = array => { - return array[Math.floor(array.length * Math.random())]; +module.exports.DECODER = { + JSON: { + name: 'json', + }, + SSHD: { + parent: 'sshd', + name: 'sshd', + }, + WINDOWS_EVENTCHANNEL: { + parent: 'sshd', + name: 'windows_eventchannel', + }, + PAM: { + name: 'pam', + }, + UNIX_CHKPWD: { + name: 'unix_chkpwd', + }, + WEB_ACCESSLOG: { + name: 'web-accesslog', + }, + OSCAP: { + parent: 'oscap', + name: 'oscap', + }, + ROOTCHECK: { + name: 'rootcheck', + }, + APACHE_ERRORLOG: { + parent: 'apache-errorlog', + name: 'apache-errorlog', + }, + WINDOWS: { + parent: 'windows', + name: 'windows', + }, + YARA: { + name: 'YARA_decoder', + }, }; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/docker.js b/plugins/main/server/lib/generate-alerts/sample-data/docker.js index 15214f26d9..3aa4ee70b5 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/docker.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/docker.js 
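Review bot: The removed comment `// Geolocation {country_name, location: {lat, lon }, region_name}` was the only description of the element shape of this array, and the renamed `module.exports.GEO_LOCATION` gets no replacement for it. Suggest re-adding it above the export, e.g. `// GEO_LOCATION entries: { country_name, location: { lat, lon }, region_name }`, so generators that read these fields find the contract in the data file itself. The array body continues outside this hunk.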
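Review bot: `WINDOWS_EVENTCHANNEL` in the new `DECODER` table carries `parent: 'sshd'`, which looks like a copy of the `SSHD` entry directly above it; every other entry that has a parent uses its own family name (`oscap`, `apache-errorlog`, `windows`). Confirm against the real decoder definition and either correct the parent or drop the key if that decoder has none, since this value presumably ends up in the `decoder` field of the generated sample alerts. This hunk also deletes `randomStrItem`, `randomElements` and `randomArrayItem`; any sample-data file still importing them from `./common` will fail at require() time, so confirm every call site was moved to the new `Random` helper. A one-line header such as `// Decoder metadata { name, parent? } attached to generated alerts, keyed by integration` would document what the table is for.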
@@ -10,481 +10,462 @@ * Find more information about this on the LICENSE file. */ -import { - randomElements -} from './common'; +const { Random } = require('../helpers/random'); +module.exports.actorAttributesImage = [ + 'wazuh/wazuh:3.12.0-7.6.1', + 'docker.elastic.co/elasticsearch/elasticsearch:7.6.2', + 'docker.elastic.co/kibana/kibana:7.6.2', + 'nginx:latest', +]; +module.exports.type = ['container', 'image', 'volume', 'network']; +module.exports.action = ['start', 'stop', 'pause', 'unpause']; +module.exports.actorAttributesName = [ + 'wonderful_page', + 'nostalgic_gates', + 'jovial_zuckerberg', + 'inspiring_jobs', + 'opening_torvalds', + 'gifted_bezos', + 'clever_wales', + 'laughing_tesla', + 'kind_nobel', +]; // https://github.com/moby/moby/blob/5aa44cdf132788cc0cd28ce2393b44265dd400e9/pkg/namesgenerator/names-generator.go#L600 -export const actorAttributesImage = ["wazuh/wazuh:3.12.0-7.6.1", "docker.elastic.co/elasticsearch/elasticsearch:7.6.2", "docker.elastic.co/kibana/kibana:7.6.2", "nginx:latest"]; -export const type = ["container", "image", "volume", "network"]; -export const action = ["start", "stop", "pause", "unpause"]; -export const actorAttributesName = ["wonderful_page", "nostalgic_gates", "jovial_zuckerberg", "inspiring_jobs", "opening_torvalds", "gifted_bezos", "clever_wales", "laughing_tesla", "kind_nobel"]; // https://github.com/moby/moby/blob/5aa44cdf132788cc0cd28ce2393b44265dd400e9/pkg/namesgenerator/names-generator.go#L600 - -const stringRandom = 'abcdef0123456789'; - -export const dataDocker = [{ +module.exports.dataDocker = [ + { rule: { level: 3, - description: "Docker: Network vagrant_default created", - id: "87930", + description: 'Docker: Network vagrant_default created', + id: '87930', firedtimes: 1, mail: false, - pci_dss: ["10.2.7"], - groups: ["docker"] + pci_dss: ['10.2.7'], + groups: ['docker'], }, data: { - integration: "docker", + integration: 'docker', docker: { - Type: "network", - Action: "create", + Type: 'network', + 
Action: 'create', Actor: { - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), Attributes: { - name: "vagrant_default", - type: "bridge" - } + name: 'vagrant_default', + type: 'bridge', + }, }, - scope: "local", - time: "1563354307", - timeNano: "1563354307459382528.000000" - } - } + scope: 'local', + time: '1563354307', + timeNano: '1563354307459382528.000000', + }, + }, }, { rule: { level: 3, - description: "Docker: Image or repository wazuh/wazuh pulled", - id: "87932", + description: 'Docker: Image or repository wazuh/wazuh pulled', + id: '87932', firedtimes: 1, mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] + groups: ['docker'], + pci_dss: ['10.2.7'], }, data: { - integration: "docker", + integration: 'docker', docker: { - status: "pull", - id: "wazuh/wazuh:3.9.2_7.1.1", - Type: "image", - Action: "pull", + status: 'pull', + id: 'wazuh/wazuh:3.9.2_7.1.1', + Type: 'image', + Action: 'pull', Actor: { - ID: "wazuh/wazuh:3.9.2_7.1.1", + ID: 'wazuh/wazuh:3.9.2_7.1.1', Attributes: { - name: "wazuh/wazuh" - } + name: 'wazuh/wazuh', + }, }, - scope: "local", - time: "1563354346", - timeNano: "1563354346181027328.000000" - } - } + scope: 'local', + time: '1563354346', + timeNano: '1563354346181027328.000000', + }, + }, }, { rule: { firedtimes: 2, mail: false, level: 5, - pci_dss: [ - "10.2.7" - ], - description: "Docker: Started shell session in container nginx_container", - groups: [ - "docker" - ], - id: "87908", - nist_800_53: [ - "AU.14" - ], - gdpr: [ - "IV_32.2" - ] + pci_dss: ['10.2.7'], + description: 'Docker: Started shell session in container nginx_container', + groups: ['docker'], + id: '87908', + nist_800_53: ['AU.14'], + gdpr: ['IV_32.2'], }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "exec_start: bash ", - Type: "container", + Action: 'exec_start: bash ', + Type: 'container', Actor: { Attributes: { - image: "nginx", - name: "nginx_container", - maintainer: "NGINX Docker Maintainers ", - execID: 
randomElements(64, stringRandom), + image: 'nginx', + name: 'nginx_container', + maintainer: 'NGINX Docker Maintainers ', + execID: Random.createHash(64), }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - timeNano: "1587404196804128000.000000", - from: "nginx", - time: "1587404196", - status: "exec_start: bash " - } - } + timeNano: '1587404196804128000.000000', + from: 'nginx', + time: '1587404196', + status: 'exec_start: bash ', + }, + }, }, { rule: { level: 3, - description: "Docker: Error message", - id: "86003", + description: 'Docker: Error message', + id: '86003', firedtimes: 1, mail: false, - groups: ["docker", "docker-error"] + groups: ['docker', 'docker-error'], }, data: { docker: { - level: "error", - message: "Not continuing with pull after error: context canceled" - } - } + level: 'error', + message: 'Not continuing with pull after error: context canceled', + }, + }, }, { rule: { level: 3, - description: "Docker: Image or repository wazuh/wazuh-elasticsearch pulled", - id: "87932", + description: + 'Docker: Image or repository wazuh/wazuh-elasticsearch pulled', + id: '87932', firedtimes: 2, mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] + groups: ['docker'], + pci_dss: ['10.2.7'], }, data: { - integration: "docker", + integration: 'docker', docker: { - status: "pull", - id: "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", - Type: "image", - Action: "pull", + status: 'pull', + id: 'wazuh/wazuh-elasticsearch:3.9.2_7.1.1', + Type: 'image', + Action: 'pull', Actor: { - ID: "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", + ID: 'wazuh/wazuh-elasticsearch:3.9.2_7.1.1', Attributes: { - license: "Elastic License", - name: "wazuh/wazuh-elasticsearch", + license: 'Elastic License', + name: 'wazuh/wazuh-elasticsearch', org: { - "label-schema": { - "build-date": "20190305", - license: "GPLv2", - name: "elasticsearch", - "schema-version": "1.0", - url: "https://www.elastic.co/products/elasticsearch", - "vcs-url": 
"https://github.com/elastic/elasticsearch", - vendor: "Elastic", - version: "7.1.1" - } - } - } + 'label-schema': { + 'build-date': '20190305', + license: 'GPLv2', + name: 'elasticsearch', + 'schema-version': '1.0', + url: 'https://www.elastic.co/products/elasticsearch', + 'vcs-url': 'https://github.com/elastic/elasticsearch', + vendor: 'Elastic', + version: '7.1.1', + }, + }, + }, }, - scope: "local", - time: "1563354404", - timeNano: "1563354404067201536.000000" - } - } + scope: 'local', + time: '1563354404', + timeNano: '1563354404067201536.000000', + }, + }, }, { rule: { level: 3, - description: "Docker: Image or repository wazuh/wazuh-kibana pulled", - id: "87932", + description: 'Docker: Image or repository wazuh/wazuh-kibana pulled', + id: '87932', firedtimes: 3, mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] + groups: ['docker'], + pci_dss: ['10.2.7'], }, data: { - integration: "docker", + integration: 'docker', docker: { - status: "pull", - id: "wazuh/wazuh-kibana:3.9.2_7.1.1", - Type: "image", - Action: "pull", + status: 'pull', + id: 'wazuh/wazuh-kibana:3.9.2_7.1.1', + Type: 'image', + Action: 'pull', Actor: { - ID: "wazuh/wazuh-kibana:3.9.2_7.1.1", + ID: 'wazuh/wazuh-kibana:3.9.2_7.1.1', Attributes: { - license: "Elastic License", - name: "wazuh/wazuh-kibana", + license: 'Elastic License', + name: 'wazuh/wazuh-kibana', org: { - "label-schema": { - "build-date": "20190305", - license: "GPLv2", - name: "kibana", - "schema-version": "1.0", - url: "https://www.elastic.co/products/kibana", - "vcs-url": "https://github.com/elastic/kibana", - vendor: "Elastic", - version: "7.1.1" - } - } - } + 'label-schema': { + 'build-date': '20190305', + license: 'GPLv2', + name: 'kibana', + 'schema-version': '1.0', + url: 'https://www.elastic.co/products/kibana', + 'vcs-url': 'https://github.com/elastic/kibana', + vendor: 'Elastic', + version: '7.1.1', + }, + }, + }, }, - scope: "local", - time: "1563354404", - timeNano: "1563354404067201536.000000" - } - } + 
scope: 'local', + time: '1563354404', + timeNano: '1563354404067201536.000000', + }, + }, }, { rule: { level: 3, - description: "Docker: Image or repository wazuh/wazuh-nginx pulled", - id: "87932", + description: 'Docker: Image or repository wazuh/wazuh-nginx pulled', + id: '87932', firedtimes: 3, mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] + groups: ['docker'], + pci_dss: ['10.2.7'], }, data: { - integration: "docker", + integration: 'docker', docker: { - status: "pull", - id: "wazuh/wazuh-nginx:3.9.2_7.1.1", - Type: "image", - Action: "pull", + status: 'pull', + id: 'wazuh/wazuh-nginx:3.9.2_7.1.1', + Type: 'image', + Action: 'pull', Actor: { - ID: "wazuh/wazuh-nginx:3.9.2_7.1.1", + ID: 'wazuh/wazuh-nginx:3.9.2_7.1.1', Attributes: { - maintainer: "NGINX Docker Maintainers ", - name: "wazuh/wazuh-nginx" - } - } + maintainer: 'NGINX Docker Maintainers ', + name: 'wazuh/wazuh-nginx', + }, + }, }, - scope: "local", - time: "1563354404", - timeNano: "1563354404067201536.000000" - } + scope: 'local', + time: '1563354404', + timeNano: '1563354404067201536.000000', + }, }, { rule: { firedtimes: 1, mail: false, level: 3, - description: "Docker: Network bridge connected", - groups: [ - "docker" - ], - id: "87928" + description: 'Docker: Network bridge connected', + groups: ['docker'], + id: '87928', }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "connect", - Type: "network", + Action: 'connect', + Type: 'network', Actor: { Attributes: { - container: randomElements(64, stringRandom), - name: "bridge", - type: "bridge" + container: Random.createHash(64), + name: 'bridge', + type: 'bridge', }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - scope: "local", - timeNano: "1587084599776133888.000000", - time: "1587084599" - } - } + scope: 'local', + timeNano: '1587084599776133888.000000', + time: '1587084599', + }, + }, }, { rule: { firedtimes: 1, mail: false, level: 3, - description: "Docker: Container 
test_container started", - groups: [ - "docker" - ], - id: "87928" + description: 'Docker: Container test_container started', + groups: ['docker'], + id: '87928', }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "start", - Type: "container", + Action: 'start', + Type: 'container', Actor: { Attributes: { - image: "nginx", - name: "test_container", - maintainer: "NGINX Docker Maintainers " + image: 'nginx', + name: 'test_container', + maintainer: 'NGINX Docker Maintainers ', }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - scope: "local", - timeNano: "1587084600046795264.000000", - from: "nginx", - time: "1587084600", - status: "start" - } - } + scope: 'local', + timeNano: '1587084600046795264.000000', + from: 'nginx', + time: '1587084600', + status: 'start', + }, + }, }, { rule: { firedtimes: 1, mail: false, level: 3, - description: "Docker: Container test_container received the action: die", - groups: [ - "docker" - ], - id: "87928", - gdpr: [ - "IV_32.2" - ] + description: 'Docker: Container test_container received the action: die', + groups: ['docker'], + id: '87928', + gdpr: ['IV_32.2'], }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "die", - Type: "container", + Action: 'die', + Type: 'container', Actor: { Attributes: { - image: "nginx", - name: "test_container", - exitCode: "0", - maintainer: "NGINX Docker Maintainers " + image: 'nginx', + name: 'test_container', + exitCode: '0', + maintainer: 'NGINX Docker Maintainers ', }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - scope: "local", - timeNano: "1587084648640092672.000000", - from: "nginx", - time: "1587084648", - status: "die" - } - } + scope: 'local', + timeNano: '1587084648640092672.000000', + from: 'nginx', + time: '1587084648', + status: 'die', + }, + }, }, { rule: { firedtimes: 1, mail: false, level: 4, - description: "Docker: Network bridge disconnected", - groups: [ - "docker" - 
], - id: "87929", - gdpr: [ - "IV_32.2" - ] + description: 'Docker: Network bridge disconnected', + groups: ['docker'], + id: '87929', + gdpr: ['IV_32.2'], }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "disconnect", - Type: "network", + Action: 'disconnect', + Type: 'network', Actor: { Attributes: { - container: randomElements(64, stringRandom), - name: "bridge", - type: "bridge" + container: Random.createHash(64), + name: 'bridge', + type: 'bridge', }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - scope: "local", - timeNano: "1586460544485358336.000000", - time: "1586460544" - } - } + scope: 'local', + timeNano: '1586460544485358336.000000', + time: '1586460544', + }, + }, }, { rule: { firedtimes: 1, mail: false, level: 7, - description: "Docker: Container nginx_container received the action: kill", - groups: [ - "docker" - ], - id: "87924", - gdpr: [ - "IV_32.2" - ] + description: + 'Docker: Container nginx_container received the action: kill', + groups: ['docker'], + id: '87924', + gdpr: ['IV_32.2'], }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "kill", - Type: "container", + Action: 'kill', + Type: 'container', Actor: { Attributes: { - image: "nginx", - name: "nginx_container", - signal: "15", - maintainer: "NGINX Docker Maintainers " + image: 'nginx', + name: 'nginx_container', + signal: '15', + maintainer: 'NGINX Docker Maintainers ', }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - scope: "local", - timeNano: "1586460544324527616.000000", - from: "nginx", - time: "1586460544", - status: "kill" - } - } + scope: 'local', + timeNano: '1586460544324527616.000000', + from: 'nginx', + time: '1586460544', + status: 'kill', + }, + }, }, { rule: { firedtimes: 2, mail: false, level: 3, - description: "Docker: Container nginx_container stopped", - groups: [ - "docker" - ], - id: "87904", - gdpr: [ - "IV_32.2" - ] + description: 'Docker: 
Container nginx_container stopped', + groups: ['docker'], + id: '87904', + gdpr: ['IV_32.2'], }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "stop", - Type: "container", + Action: 'stop', + Type: 'container', Actor: { Attributes: { - image: "nginx", - name: "nginx_container", - maintainer: "NGINX Docker Maintainers " + image: 'nginx', + name: 'nginx_container', + maintainer: 'NGINX Docker Maintainers ', }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - scope: "local", - timeNano: "1586461541373152000.000000", - from: "nginx", - time: "1586461541", - status: "stop" - } - } + scope: 'local', + timeNano: '1586461541373152000.000000', + from: 'nginx', + time: '1586461541', + status: 'stop', + }, + }, }, { rule: { firedtimes: 1, mail: false, level: 3, - description: "Docker: Container nginx_container restarted", - groups: [ - "docker" - ], - id: "87909", - gdpr: [ - "IV_32.2" - ] + description: 'Docker: Container nginx_container restarted', + groups: ['docker'], + id: '87909', + gdpr: ['IV_32.2'], }, data: { - integration: "docker", + integration: 'docker', docker: { - Action: "restart", - Type: "container", + Action: 'restart', + Type: 'container', Actor: { Attributes: { - image: "nginx", - name: "nginx_container", - maintainer: "NGINX Docker Maintainers " + image: 'nginx', + name: 'nginx_container', + maintainer: 'NGINX Docker Maintainers ', }, - ID: randomElements(64, stringRandom), + ID: Random.createHash(64), }, - scope: "local", - timeNano: "1586460544801840896.000000", - from: "nginx", - time: "1586460544", - status: "restart" - } - } + scope: 'local', + timeNano: '1586460544801840896.000000', + from: 'nginx', + time: '1586460544', + status: 'restart', + }, + }, }, -] +]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/gcp.js b/plugins/main/server/lib/generate-alerts/sample-data/gcp.js index 975b33ac25..8c8fb22cbf 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/gcp.js 
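Review bot: The `Random.createHash(64)` calls that replace `randomElements(64, stringRandom)` throughout `dataDocker` run once when the module is required, so every alert generated from a given entry carries the same `Actor.ID`, `execID` or `container` value for the life of the process; that was already true of the old code, but it deserves a comment now that the helper changed, e.g. `// NOTE: evaluated at require() time; all alerts built from this entry share the ID`. The replacement also assumes `createHash(64)` yields the 64-character lowercase hex string the dropped `'abcdef0123456789'` alphabet produced, which is the format of real Docker container and exec IDs; confirm the helper does, since nothing in this hunk pins the alphabet any more. The rest of the hunk is quote and line-wrap reformatting.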
+++ b/plugins/main/server/lib/generate-alerts/sample-data/gcp.js 
@@ -11,81 +11,134 @@ */ // GCP -export const arrayAuthAnswer = ["true", "false"]; -export const arrayProtocol = ['UDP', 'TCP']; -export const arrayQueryName = ['185.5.205.124.in-addr.arpa.', '98.72.244.104.in-addr.arpa.', 'mirrors.advancedhosters.com.', '41.212.95.203.in-addr.arpa', '41.212.95.203.in-addr.arpa.']; -export const arrayQueryType = ['PTR', 'PTR', 'PTR', 'PTR', 'PTR', 'A']; -export const arrayResponseCode = ['NXDOMAIN', 'NOERROR', 'WARNING', 'CRITICAL', 'ALERT', 'EMERGENCY', 'SERVFAIL', 'INFO', 'SUCCESS', 'BADTRUNC', 'BADNAME', 'NOTAUTH']; -export const arraySourceIP = ['163.172.0.0', '1.33.213.199', '83.32.0.0', '154.84.246.205', '75.142.129.202', '171.197.217.149', '77.38.119.17']; -export const arrayLocation = ['europe-west1', 'us-central1', 'asia-east1', 'australia-southeast1', 'us-west1', 'us-west3', 'us-west2', 'us-west4', 'us-east1', 'us-east2', 'us-east3', 'southamerica-east1']; -export const arrayProject = ['wazuh-dev', 'wazuh-prod', 'wazuh-test']; -export const arraySourceType = ['gce-vm', 'internet']; -export const arraySeverity = ['ERROR', 'INFO', 'NOTICE', 'CRITICAL', 'EMERGENCY', 'ALERT']; -export const arrayType = ['dns_query', 'app_script_function', 'generic_task']; - +module.exports.arrayAuthAnswer = ['true', 'false']; +module.exports.arrayProtocol = ['UDP', 'TCP']; +module.exports.arrayQueryName = [ + '185.5.205.124.in-addr.arpa.', + '98.72.244.104.in-addr.arpa.', + 'mirrors.advancedhosters.com.', + '41.212.95.203.in-addr.arpa', + '41.212.95.203.in-addr.arpa.', +]; +module.exports.arrayQueryType = ['PTR', 'PTR', 'PTR', 'PTR', 'PTR', 'A']; +module.exports.arrayResponseCode = [ + 'NXDOMAIN', + 'NOERROR', + 'WARNING', + 'CRITICAL', + 'ALERT', + 'EMERGENCY', + 'SERVFAIL', + 'INFO', + 'SUCCESS', + 'BADTRUNC', + 'BADNAME', + 'NOTAUTH', +]; +module.exports.arraySourceIP = [ + '163.172.0.0', + '1.33.213.199', + '83.32.0.0', + '154.84.246.205', + '75.142.129.202', + '171.197.217.149', + '77.38.119.17', +]; +module.exports.arrayLocation = [ + 
'europe-west1', + 'us-central1', + 'asia-east1', + 'australia-southeast1', + 'us-west1', + 'us-west3', + 'us-west2', + 'us-west4', + 'us-east1', + 'us-east2', + 'us-east3', + 'southamerica-east1', +]; +module.exports.arrayProject = ['wazuh-dev', 'wazuh-prod', 'wazuh-test']; +module.exports.arraySourceType = ['gce-vm', 'internet']; +module.exports.arraySeverity = [ + 'ERROR', + 'INFO', + 'NOTICE', + 'CRITICAL', + 'EMERGENCY', + 'ALERT', +]; +module.exports.arrayType = ['dns_query', 'app_script_function', 'generic_task']; -export const arrayRules = [{ +module.exports.arrayRules = [ + { level: 12, - description: "Unable to process query due to a problem with the name server", - id: "65007", + description: + 'Unable to process query due to a problem with the name server', + id: '65007', firedtimes: 2, mail: true, - groups: ["gcp"] + groups: ['gcp'], }, { level: 5, - description: "GCP notice event", - id: "65001", + description: 'GCP notice event', + id: '65001', firedtimes: 1, mail: true, - groups: ["gcp"] + groups: ['gcp'], }, { level: 3, - description: "DNS external query", - id: "65032", + description: 'DNS external query', + id: '65032', firedtimes: 1, mail: true, - groups: ["gcp"] + groups: ['gcp'], }, { level: 5, - description: "GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1", - id: "65034", + description: + 'GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1', + id: '65034', firedtimes: 1, mail: true, - groups: ["gcp"] - }, { + groups: ['gcp'], + }, + { level: 9, - description: "GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1", - id: "65036", + description: + 'GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1', + id: '65036', firedtimes: 4, mail: true, - groups: ["gcp"] + groups: ['gcp'], }, { level: 11, - description: "GCP alert event from VM 531339229531.instance-1 with source IP 
83.32.0.0 from europe-west1", - id: "65037", + description: + 'GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1', + id: '65037', firedtimes: 1, mail: true, - groups: ["gcp"] + groups: ['gcp'], }, { level: 12, - description: "GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1", - id: "65038", + description: + 'GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1', + id: '65038', firedtimes: 2, mail: true, - groups: ["gcp"] + groups: ['gcp'], }, { - level: 5, - description: "GCP notice event with source IP 83.32.0.0 from europe-west1 with response code NXDOMAIN", - id: "65010", + description: + 'GCP notice event with source IP 83.32.0.0 from europe-west1 with response code NXDOMAIN', + id: '65010', firedtimes: 2, mail: true, - groups: ["gcp"] - } + groups: ['gcp'], + }, ]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/github.js b/plugins/main/server/lib/generate-alerts/sample-data/github.js index ef27b0e824..4f131094c7 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/github.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/github.js @@ -10,11 +10,13 @@ * Find more information about this on the LICENSE file. */ -export const LOCATION = 'github'; +const { DECODER } = require('./common'); -export const DECODER = { "name": "json" }; +module.exports.LOCATION = 'github'; -export const COUNTRY_CODES = [ +module.exports.decoder = DECODER.JSON; + +const COUNTRY_CODES = [ 'AR', 'CA', 'DE', 
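Review bot: The last entry of `arrayRules` (id `'65010'`) loses its level in this hunk: the removed `level: 5,` has no `+` counterpart, while every other entry keeps a `level`. Any consumer reading `rule.level` from that entry now gets `undefined`, so restore the line before the description: `level: 5,`. The rest of the hunk is quote and line-wrap reformatting.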
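Review bot: `module.exports.decoder = DECODER.JSON;` renames the previous `DECODER` export to lower-case `decoder`, while the file's other exports (`LOCATION`, `COUNTRY_CODES`) stay upper-case; any module still importing `DECODER` from `./github` now receives `undefined`, so confirm the consumers were updated or keep the old name alongside the new one. The new export is also the very object held in `common.js` as `DECODER.JSON`, so a consumer that mutates the decoder it attaches to an alert would alter it for every other integration; if that can happen, export a copy instead: `module.exports.decoder = { ...DECODER.JSON };`. `COUNTRY_CODES` becomes a local const here; its re-export sits in the following hunk.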
@@ -24,74 +26,1200 @@ export const COUNTRY_CODES = [ 'IN', 'MX', 'SE', - 'US' + 'US', ]; +module.exports.COUNTRY_CODES = COUNTRY_CODES; const baseElements = Array(10).fill(); -export const ORGANIZATION_NAMES = baseElements.map((_, index) => `Organization${index + 1}`); +module.exports.ORGANIZATION_NAMES = baseElements.map( + (_, index) => `Organization${index + 1}`, +); -export const USER_NAMES = baseElements.map((_, index) => `User${index + 1}`); +const USER_NAMES = baseElements.map((_, index) => `User${index + 1}`); +module.exports.USER_NAMES = USER_NAMES; -export const REPOSITORY_NAMES = baseElements.map((_, index) => `Repo${index + 1}`); +module.exports.REPOSITORY_NAMES = baseElements.map( + (_, index) => `Repo${index + 1}`, +); -export const ACTORS = baseElements.map((_, index) => ({ name: USER_NAMES[index], country_code: COUNTRY_CODES[index] })); +module.exports.ACTORS = baseElements.map((_, index) => ({ + name: USER_NAMES[index], + country_code: COUNTRY_CODES[index], +})); -export const SERVER_ADDRESS_WEBHOOK = [ +module.exports.SERVER_ADDRESS_WEBHOOK = [ 'https://server/webhook', 'https://cool_server/integrations/webhook', 'https://another_server/github_notifications', 'https://my_web/notifications/webhook', ]; -export const ALERT_TYPES = [ - { "rule": { "level": 5, "description": "GitHub Organization audit log export.", "id": "91193", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624444988681.000000", "org": "_ORGANIZATION_", "created_at": "1624444988681.000000", "action": "org.audit_log_export", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "ElEQJvOCnhWZ2mVpjzYOMw" } } }, - { "rule": { "level": 5, "description": "GitHub Team create.", "id": "91397", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": 
"1624445678369.000000", "org": "_ORGANIZATION_", "created_at": "1624445678369.000000", "action": "team.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "_document_id": "cC4uIXPNDz1O1G21Vjs8Vw" } } }, - { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624445678470.000000", "org": "_ORGANIZATION_", "created_at": "1624445678470.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "user": "_USER_", "_document_id": "0Z4NBBhHM2T4gEuWziZfvQ" } } }, - { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624445927571.000000", "org": "_ORGANIZATION_", "created_at": "1624445927571.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "user": "_USER_", "_document_id": "Hi6dpYdi9G5PrEqqTkEYnA" } } }, - { "rule": { "level": 5, "description": "GitHub Repo create.", "id": "91318", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_repo"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624445965569.000000", "visibility": "private", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624445965569.000000", "action": "repo.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "fXwGe7IW-BX8Ze64V_AORg" } } }, - { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { 
"@timestamp": "1624445969188.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } }, - { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624446009635.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } }, - { "rule": { "level": 5, "description": "GitHub Organization audit log export.", "id": "91193", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446236415.000000", "org": "_ORGANIZATION_", "created_at": "1624446236415.000000", "action": "org.audit_log_git_event_export", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "vkV52PbNTZPJRRNLuOZcuw" } } }, - { "rule": { "level": 5, "description": "GitHub Organization audit log export.", "id": "91193", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446254661.000000", "org": "_ORGANIZATION_", "created_at": "1624446254661.000000", "action": "org.audit_log_export", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "gwkccTbAcX2WujhEXS3r0Q" } } }, - { "rule": { "level": 5, "description": "GitHub Team create.", "id": "91397", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446278480.000000", "org": "_ORGANIZATION_", "created_at": 
"1624446278480.000000", "action": "team.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "_document_id": "Qf6RhFYhb7ysdV8K8ukYFw" } } }, - { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446278606.000000", "org": "_ORGANIZATION_", "created_at": "1624446278606.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "user": "_USER_", "_document_id": "T6DZ-t0-a9yQShoBbUxc_g" } } }, - { "rule": { "level": 7, "description": "GitHub Team destroy.", "id": "91399", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446293390.000000", "org": "_ORGANIZATION_", "created_at": "1624446293390.000000", "action": "team.destroy", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "_document_id": "ZLC0q4Ka_R4gGw3gWgxc3w" } } }, - { "rule": { "level": 7, "description": "GitHub Team remove member.", "id": "91401", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446387691.000000", "org": "_ORGANIZATION_", "created_at": "1624446387691.000000", "action": "team.remove_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/backend", "user": "_USER_", "_document_id": "PYn3TOghg5FYze673svhgw" } } }, - { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 3, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446397464.000000", "org": 
"_ORGANIZATION_", "created_at": "1624446397464.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/backend", "user": "_USER_", "_document_id": "z4qIP_kjzjnilIhL8ak0mg" } } }, - { "rule": { "level": 3, "description": "GitHub Dependency graph new repos enable.", "id": "91131", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_dependency_graph_new_repos"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446915154.000000", "org": "_ORGANIZATION_", "created_at": "1624446915154.000000", "action": "dependency_graph_new_repos.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "2Az9XCqb-Fe8k0KkLQlk0A" } } }, - { "rule": { "level": 12, "description": "GitHub Dependency graph new repos disable.", "id": "91130", "firedtimes": 1, "mail": true, "groups": ["github", "git", "git_dependency_graph_new_repos"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446916718.000000", "org": "_ORGANIZATION_", "created_at": "1624446916718.000000", "action": "dependency_graph_new_repos.disable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "TzBGANy3SmrnxI8GW9bpQA" } } }, - { "rule": { "level": 5, "description": "GitHub Hook create.", "id": "91162", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_hook"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446982688.000000", "org": "_ORGANIZATION_", "hook_id": "303999727", "name": "webhook", "created_at": "1624446982688.000000", "action": "hook.create", "active": "true", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "config": { "content_type": "json", "insecure_ssl": "0", "secret": "********", "url": "_SERVER_ADDRESS_WEBHOOK_" }, "events": ["push"], "_document_id": "SSlObiXNNtzQzxFooK4-fw" } } }, - { "rule": { "level": 5, "description": 
"GitHub Hook events changed.", "id": "91165", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_hook"] }, "data": { "integration": "github", "github": { "org": "_ORGANIZATION_", "created_at": "1624447042505.000000", "active": "true", "actor": "_USER_", "@timestamp": "1624447042505.000000", "hook_id": "303999727", "name": "webhook", "action": "hook.events_changed", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "config": { "content_type": "json", "insecure_ssl": "0", "secret": "********", "url": "_SERVER_ADDRESS_WEBHOOK_" }, "events": ["push", "create", "deployment", "fork", "issues"], "_document_id": "Ba9NJbFnSfJB1zGEn29asw", "events_were": ["push"] } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447139607.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 3, "description": "GitHub Git push.", "id": "91160", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447520462.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.push", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 3, "description": "GitHub Git push.", "id": "91160", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": 
"1624447522682.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.push", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624447527007.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 5, "description": "GitHub Repo create.", "id": "91318", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_repo"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447568303.000000", "visibility": "private", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624447568303.000000", "action": "repo.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "AcrdSmMW0PpEEmuGWiTcoQ" } } },
- { "rule": { "level": 9, "description": "GitHub Repo destroy.", "id": "91320", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_repo"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447588615.000000", "visibility": "private", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624447588615.000000", "action": "repo.destroy", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "H-bRCuWh_FAoZxzW8BV9JA" } } },
- { "rule": { "level": 3, "description": "GitHub Git fetch.", "id": "91159", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", 
"github": { "actor": "_USER_", "@timestamp": "1624447744877.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.fetch", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 7, "description": "GitHub Organization update default repository permission.", "id": "91231", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448015027.000000", "org": "_ORGANIZATION_", "created_at": "1624448015027.000000", "action": "org.update_default_repository_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "BHpvG7xc2bTNW3ME3nAgDw" } } },
- { "rule": { "level": 7, "description": "GitHub Organization update default repository permission.", "id": "91231", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448020670.000000", "org": "_ORGANIZATION_", "created_at": "1624448020670.000000", "action": "org.update_default_repository_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "t5ZumMJeWBs2CqZT-n4JNA" } } },
- { "rule": { "level": 7, "description": "GitHub Organization update member repository creation permission.", "id": "91233", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448034735.000000", "visibility": "private_internal", "org": "_ORGANIZATION_", "created_at": "1624448034735.000000", "action": "org.update_member_repository_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "CAwbh8KpE75aa0ajCpRISw" } } },
- { "rule": { "level": 7, "description": 
"GitHub Organization update member repository creation permission.", "id": "91233", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448038247.000000", "visibility": "internal", "org": "_ORGANIZATION_", "created_at": "1624448038247.000000", "action": "org.update_member_repository_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "s96ibVD5sEyRDxYgQ8gKhQ" } } },
- { "rule": { "level": 9, "description": "GitHub Private repository forking enable.", "id": "91273", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_private_repository_forking"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448046546.000000", "org": "_ORGANIZATION_", "created_at": "1624448046546.000000", "action": "private_repository_forking.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "NZWBrO2Ac02LnG3TFeEykA" } } },
- { "rule": { "level": 5, "description": "GitHub Private repository forking disable.", "id": "91274", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_private_repository_forking"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448051193.000000", "org": "_ORGANIZATION_", "created_at": "1624448051193.000000", "action": "private_repository_forking.disable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "5EkgWPa8Du6ZJ_5oOfU_rg" } } },
- { "rule": { "level": 3, "description": "GitHub Generic rule.", "id": "91449", "firedtimes": 1, "mail": false, "groups": ["github", "git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448069427.000000", "org": "_ORGANIZATION_", "created_at": "1624448069427.000000", "action": "members_can_create_private_pages.disable", "actor_location": { "country_code": 
"_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "0rtyFg2GD2-oJyJsOtRZ_A" } } },
- { "rule": { "level": 3, "description": "GitHub Generic rule.", "id": "91449", "firedtimes": 2, "mail": false, "groups": ["github", "git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448073290.000000", "org": "_ORGANIZATION_", "created_at": "1624448073290.000000", "action": "members_can_create_private_pages.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "sSbImF40N-hLe0mfDHkfMg" } } },
- { "rule": { "level": 3, "description": "GitHub Generic rule.", "id": "91449", "firedtimes": 3, "mail": false, "groups": ["github", "git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448089991.000000", "org": "_ORGANIZATION_", "created_at": "1624448089991.000000", "action": "repository_visibility_change.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "dWJ-7ZR6DdumQeu01PAGig" } } },
- { "rule": { "level": 3, "description": "GitHub Issues.", "id": "91169", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_issues"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448109958.000000", "org": "_ORGANIZATION_", "created_at": "1624448109958.000000", "action": "issues.deletes_enabled", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "gWT0UNMVFaI8ZPB3tGGsew" } } },
- { "rule": { "level": 3, "description": "GitHub Issues.", "id": "91169", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_issues"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448114493.000000", "org": "_ORGANIZATION_", "created_at": "1624448114493.000000", "action": "issues.deletes_disabled", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "T2hgq3r3yVD23Np6CAD-zQ" } 
} } },
- { "rule": { "level": 5, "description": "GitHub Organization display commenter full name enabled.", "id": "91202", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448121171.000000", "org": "_ORGANIZATION_", "created_at": "1624448121171.000000", "action": "org.display_commenter_full_name_enabled", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "o-Edi8owvz1iPv78RPPSJw" } } },
- { "rule": { "level": 3, "description": "GitHub Organization.", "id": "91188", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448125116.000000", "org": "_ORGANIZATION_", "created_at": "1624448125116.000000", "action": "org.display_commenter_full_name_disabled", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "OxJjqpug2FM8RJuzE1CZpA" } } },
- { "rule": { "level": 3, "description": "GitHub Organization.", "id": "91188", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448133245.000000", "org": "_ORGANIZATION_", "created_at": "1624448133245.000000", "action": "org.enable_reader_discussion_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "5KmA_VkQPn3I6gY4L8qFPA" } } },
- { "rule": { "level": 3, "description": "GitHub Organization.", "id": "91188", "firedtimes": 3, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448138392.000000", "org": "_ORGANIZATION_", "created_at": "1624448138392.000000", "action": "org.disable_reader_discussion_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", 
"_document_id": "JQ3JAd3zHmpRpGZYJsJIQw" } } },
- { "rule": { "level": 5, "description": "GitHub Organization enable member team creation permission.", "id": "91203", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448148271.000000", "org": "_ORGANIZATION_", "created_at": "1624448148271.000000", "action": "org.enable_member_team_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "sd2fnKW-Jc_OZI9xm2pyyQ" } } },
- { "rule": { "level": 9, "description": "GitHub Organization disable member team creation permission.", "id": "91198", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448154972.000000", "org": "_ORGANIZATION_", "created_at": "1624448154972.000000", "action": "org.disable_member_team_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "ppjVxGQBAQts82at9Az3XQ" } } },
- { "rule": { "level": 12, "description": "GitHub Repository vulnerability alerts disable.", "id": "91367", "firedtimes": 1, "mail": true, "groups": ["github", "git", "git_repository_vulnerability_alerts"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448419210.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624448419210.000000", "action": "repository_vulnerability_alerts.disable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "wgf0uCen5LG4su6jQ2xKDA" } } },
- { "rule": { "level": 5, "description": "GitHub Repo create.", "id": "91318", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_repo"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448419470.000000", "visibility": "public", 
"org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624448419470.000000", "action": "repo.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "oLAjZ_DbHvzZlPmRCXr4MA" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 3, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448422207.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 4, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448423987.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 5, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448432101.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 6, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448487893.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": 
{ "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 7, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448736294.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
+module.exports.ALERT_TYPES = [
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Organization audit log export.',
+ id: '91193',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_org'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624444988681.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624444988681.000000',
+ action: 'org.audit_log_export',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'ElEQJvOCnhWZ2mVpjzYOMw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Team create.',
+ id: '91397',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624445678369.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624445678369.000000',
+ action: 'team.create',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/_REPOSITORY_',
+ _document_id: 'cC4uIXPNDz1O1G21Vjs8Vw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Team add member.',
+ id: '91393',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': 
'1624445678470.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624445678470.000000',
+ action: 'team.add_member',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/_REPOSITORY_',
+ user: '_USER_',
+ _document_id: '0Z4NBBhHM2T4gEuWziZfvQ',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Team add member.',
+ id: '91393',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624445927571.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624445927571.000000',
+ action: 'team.add_member',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/_REPOSITORY_',
+ user: '_USER_',
+ _document_id: 'Hi6dpYdi9G5PrEqqTkEYnA',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Repo create.',
+ id: '91318',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_repo'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624445965569.000000',
+ visibility: 'private',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ created_at: '1624445965569.000000',
+ action: 'repo.create',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'fXwGe7IW-BX8Ze64V_AORg',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Git clone.',
+ id: '91158',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_git'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ '@timestamp': '1624445969188.000000',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ action: 'git.clone',
+ transport_protocol_name: 'http',
+ transport_protocol: '1',
+ repository: '_ORGANIZATION_/_REPOSITORY_',
+ repository_public: 'false',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Git clone.',
+ id: '91158',
+ firedtimes: 2,
+ mail: false,
+ groups: ['github', 'git', 'git_git'],
+ },
+ data: {
+ integration: 
'github',
+ github: {
+ '@timestamp': '1624446009635.000000',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ action: 'git.clone',
+ transport_protocol_name: 'http',
+ transport_protocol: '1',
+ repository: '_ORGANIZATION_/_REPOSITORY_',
+ repository_public: 'false',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Organization audit log export.',
+ id: '91193',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_org'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446236415.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446236415.000000',
+ action: 'org.audit_log_git_event_export',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'vkV52PbNTZPJRRNLuOZcuw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Organization audit log export.',
+ id: '91193',
+ firedtimes: 2,
+ mail: false,
+ groups: ['github', 'git', 'git_org'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446254661.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446254661.000000',
+ action: 'org.audit_log_export',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'gwkccTbAcX2WujhEXS3r0Q',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Team create.',
+ id: '91397',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446278480.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446278480.000000',
+ action: 'team.create',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/_REPOSITORY_',
+ _document_id: 'Qf6RhFYhb7ysdV8K8ukYFw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Team add member.',
+ id: '91393',
+ firedtimes: 2,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ 
actor: '_USER_',
+ '@timestamp': '1624446278606.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446278606.000000',
+ action: 'team.add_member',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/_REPOSITORY_',
+ user: '_USER_',
+ _document_id: 'T6DZ-t0-a9yQShoBbUxc_g',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 7,
+ description: 'GitHub Team destroy.',
+ id: '91399',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446293390.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446293390.000000',
+ action: 'team.destroy',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/_REPOSITORY_',
+ _document_id: 'ZLC0q4Ka_R4gGw3gWgxc3w',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 7,
+ description: 'GitHub Team remove member.',
+ id: '91401',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446387691.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446387691.000000',
+ action: 'team.remove_member',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/backend',
+ user: '_USER_',
+ _document_id: 'PYn3TOghg5FYze673svhgw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Team add member.',
+ id: '91393',
+ firedtimes: 3,
+ mail: false,
+ groups: ['github', 'git', 'git_team'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446397464.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446397464.000000',
+ action: 'team.add_member',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ team: '_ORGANIZATION_/backend',
+ user: '_USER_',
+ _document_id: 'z4qIP_kjzjnilIhL8ak0mg',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Dependency graph new repos enable.',
+ id: '91131',
+ firedtimes: 1,
+ mail: 
false,
+ groups: ['github', 'git', 'git_dependency_graph_new_repos'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446915154.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446915154.000000',
+ action: 'dependency_graph_new_repos.enable',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ user: '_USER_',
+ _document_id: '2Az9XCqb-Fe8k0KkLQlk0A',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 12,
+ description: 'GitHub Dependency graph new repos disable.',
+ id: '91130',
+ firedtimes: 1,
+ mail: true,
+ groups: ['github', 'git', 'git_dependency_graph_new_repos'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446916718.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624446916718.000000',
+ action: 'dependency_graph_new_repos.disable',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ user: '_USER_',
+ _document_id: 'TzBGANy3SmrnxI8GW9bpQA',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Hook create.',
+ id: '91162',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_hook'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624446982688.000000',
+ org: '_ORGANIZATION_',
+ hook_id: '303999727',
+ name: 'webhook',
+ created_at: '1624446982688.000000',
+ action: 'hook.create',
+ active: 'true',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ config: {
+ content_type: 'json',
+ insecure_ssl: '0',
+ secret: '********',
+ url: '_SERVER_ADDRESS_WEBHOOK_',
+ },
+ events: ['push'],
+ _document_id: 'SSlObiXNNtzQzxFooK4-fw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Hook events changed.',
+ id: '91165',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_hook'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ org: '_ORGANIZATION_',
+ created_at: '1624447042505.000000',
+ active: 'true',
+ actor: '_USER_',
+ '@timestamp': '1624447042505.000000',
+ hook_id: 
'303999727',
+ name: 'webhook',
+ action: 'hook.events_changed',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ config: {
+ content_type: 'json',
+ insecure_ssl: '0',
+ secret: '********',
+ url: '_SERVER_ADDRESS_WEBHOOK_',
+ },
+ events: ['push', 'create', 'deployment', 'fork', 'issues'],
+ _document_id: 'Ba9NJbFnSfJB1zGEn29asw',
+ events_were: ['push'],
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Git clone.',
+ id: '91158',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_git'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624447139607.000000',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ action: 'git.clone',
+ transport_protocol_name: 'http',
+ transport_protocol: '1',
+ repository: '_ORGANIZATION_/_REPOSITORY_',
+ repository_public: 'false',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Git push.',
+ id: '91160',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_git'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624447520462.000000',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ action: 'git.push',
+ transport_protocol_name: 'http',
+ transport_protocol: '1',
+ repository: '_ORGANIZATION_/_REPOSITORY_',
+ repository_public: 'false',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Git push.',
+ id: '91160',
+ firedtimes: 2,
+ mail: false,
+ groups: ['github', 'git', 'git_git'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624447522682.000000',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ action: 'git.push',
+ transport_protocol_name: 'http',
+ transport_protocol: '1',
+ repository: '_ORGANIZATION_/_REPOSITORY_',
+ 
repository_public: 'false',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Git clone.',
+ id: '91158',
+ firedtimes: 2,
+ mail: false,
+ groups: ['github', 'git', 'git_git'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ '@timestamp': '1624447527007.000000',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ action: 'git.clone',
+ transport_protocol_name: 'http',
+ transport_protocol: '1',
+ repository: '_ORGANIZATION_/_REPOSITORY_',
+ repository_public: 'false',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Repo create.',
+ id: '91318',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_repo'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624447568303.000000',
+ visibility: 'private',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ created_at: '1624447568303.000000',
+ action: 'repo.create',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'AcrdSmMW0PpEEmuGWiTcoQ',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 9,
+ description: 'GitHub Repo destroy.',
+ id: '91320',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_repo'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624447588615.000000',
+ visibility: 'private',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ created_at: '1624447588615.000000',
+ action: 'repo.destroy',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'H-bRCuWh_FAoZxzW8BV9JA',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Git fetch.',
+ id: '91159',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_git'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624447744877.000000',
+ org: '_ORGANIZATION_',
+ repo: '_ORGANIZATION_/_REPOSITORY_',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ action: 'git.fetch',
+ 
transport_protocol_name: 'http',
+ transport_protocol: '1',
+ repository: '_ORGANIZATION_/_REPOSITORY_',
+ repository_public: 'false',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 7,
+ description: 'GitHub Organization update default repository permission.',
+ id: '91231',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_org'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624448015027.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624448015027.000000',
+ action: 'org.update_default_repository_permission',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'BHpvG7xc2bTNW3ME3nAgDw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 7,
+ description: 'GitHub Organization update default repository permission.',
+ id: '91231',
+ firedtimes: 2,
+ mail: false,
+ groups: ['github', 'git', 'git_org'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624448020670.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624448020670.000000',
+ action: 'org.update_default_repository_permission',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 't5ZumMJeWBs2CqZT-n4JNA',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 7,
+ description:
+ 'GitHub Organization update member repository creation permission.',
+ id: '91233',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_org'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624448034735.000000',
+ visibility: 'private_internal',
+ org: '_ORGANIZATION_',
+ created_at: '1624448034735.000000',
+ action: 'org.update_member_repository_creation_permission',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 'CAwbh8KpE75aa0ajCpRISw',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 7,
+ description:
+ 'GitHub Organization update member repository creation permission.',
+ id: '91233',
+ firedtimes: 2,
+ mail: false,
+ groups: ['github', 'git', 'git_org'],
+ },
+ data: { 
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624448038247.000000',
+ visibility: 'internal',
+ org: '_ORGANIZATION_',
+ created_at: '1624448038247.000000',
+ action: 'org.update_member_repository_creation_permission',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ _document_id: 's96ibVD5sEyRDxYgQ8gKhQ',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 9,
+ description: 'GitHub Private repository forking enable.',
+ id: '91273',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_private_repository_forking'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624448046546.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624448046546.000000',
+ action: 'private_repository_forking.enable',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ user: '_USER_',
+ _document_id: 'NZWBrO2Ac02LnG3TFeEykA',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 5,
+ description: 'GitHub Private repository forking disable.',
+ id: '91274',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git', 'git_private_repository_forking'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624448051193.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624448051193.000000',
+ action: 'private_repository_forking.disable',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ user: '_USER_',
+ _document_id: '5EkgWPa8Du6ZJ_5oOfU_rg',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub Generic rule.',
+ id: '91449',
+ firedtimes: 1,
+ mail: false,
+ groups: ['github', 'git'],
+ },
+ data: {
+ integration: 'github',
+ github: {
+ actor: '_USER_',
+ '@timestamp': '1624448069427.000000',
+ org: '_ORGANIZATION_',
+ created_at: '1624448069427.000000',
+ action: 'members_can_create_private_pages.disable',
+ actor_location: { country_code: '_COUNTRY_CODE_' },
+ user: '_USER_',
+ _document_id: '0rtyFg2GD2-oJyJsOtRZ_A',
+ },
+ },
+ },
+ {
+ rule: {
+ level: 3,
+ description: 'GitHub 
Generic rule.', + id: '91449', + firedtimes: 2, + mail: false, + groups: ['github', 'git'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448073290.000000', + org: '_ORGANIZATION_', + created_at: '1624448073290.000000', + action: 'members_can_create_private_pages.enable', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'sSbImF40N-hLe0mfDHkfMg', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Generic rule.', + id: '91449', + firedtimes: 3, + mail: false, + groups: ['github', 'git'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448089991.000000', + org: '_ORGANIZATION_', + created_at: '1624448089991.000000', + action: 'repository_visibility_change.enable', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'dWJ-7ZR6DdumQeu01PAGig', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Issues.', + id: '91169', + firedtimes: 1, + mail: false, + groups: ['github', 'git', 'git_issues'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448109958.000000', + org: '_ORGANIZATION_', + created_at: '1624448109958.000000', + action: 'issues.deletes_enabled', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'gWT0UNMVFaI8ZPB3tGGsew', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Issues.', + id: '91169', + firedtimes: 2, + mail: false, + groups: ['github', 'git', 'git_issues'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448114493.000000', + org: '_ORGANIZATION_', + created_at: '1624448114493.000000', + action: 'issues.deletes_disabled', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'T2hgq3r3yVD23Np6CAD-zQ', + }, + }, + }, + { + rule: { + level: 5, + description: 'GitHub Organization display commenter 
full name enabled.', + id: '91202', + firedtimes: 1, + mail: false, + groups: ['github', 'git', 'git_org'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448121171.000000', + org: '_ORGANIZATION_', + created_at: '1624448121171.000000', + action: 'org.display_commenter_full_name_enabled', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'o-Edi8owvz1iPv78RPPSJw', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Organization.', + id: '91188', + firedtimes: 1, + mail: false, + groups: ['github', 'git', 'git_org'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448125116.000000', + org: '_ORGANIZATION_', + created_at: '1624448125116.000000', + action: 'org.display_commenter_full_name_disabled', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'OxJjqpug2FM8RJuzE1CZpA', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Organization.', + id: '91188', + firedtimes: 2, + mail: false, + groups: ['github', 'git', 'git_org'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448133245.000000', + org: '_ORGANIZATION_', + created_at: '1624448133245.000000', + action: 'org.enable_reader_discussion_creation_permission', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: '5KmA_VkQPn3I6gY4L8qFPA', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Organization.', + id: '91188', + firedtimes: 3, + mail: false, + groups: ['github', 'git', 'git_org'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448138392.000000', + org: '_ORGANIZATION_', + created_at: '1624448138392.000000', + action: 'org.disable_reader_discussion_creation_permission', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'JQ3JAd3zHmpRpGZYJsJIQw', + }, + 
}, + }, + { + rule: { + level: 5, + description: + 'GitHub Organization enable member team creation permission.', + id: '91203', + firedtimes: 1, + mail: false, + groups: ['github', 'git', 'git_org'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448148271.000000', + org: '_ORGANIZATION_', + created_at: '1624448148271.000000', + action: 'org.enable_member_team_creation_permission', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'sd2fnKW-Jc_OZI9xm2pyyQ', + }, + }, + }, + { + rule: { + level: 9, + description: + 'GitHub Organization disable member team creation permission.', + id: '91198', + firedtimes: 1, + mail: false, + groups: ['github', 'git', 'git_org'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448154972.000000', + org: '_ORGANIZATION_', + created_at: '1624448154972.000000', + action: 'org.disable_member_team_creation_permission', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'ppjVxGQBAQts82at9Az3XQ', + }, + }, + }, + { + rule: { + level: 12, + description: 'GitHub Repository vulnerability alerts disable.', + id: '91367', + firedtimes: 1, + mail: true, + groups: ['github', 'git', 'git_repository_vulnerability_alerts'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448419210.000000', + org: '_ORGANIZATION_', + repo: '_ORGANIZATION_/_REPOSITORY_', + created_at: '1624448419210.000000', + action: 'repository_vulnerability_alerts.disable', + actor_location: { country_code: '_COUNTRY_CODE_' }, + user: '_USER_', + _document_id: 'wgf0uCen5LG4su6jQ2xKDA', + }, + }, + }, + { + rule: { + level: 5, + description: 'GitHub Repo create.', + id: '91318', + firedtimes: 2, + mail: false, + groups: ['github', 'git', 'git_repo'], + }, + data: { + integration: 'github', + github: { + actor: '_USER_', + '@timestamp': '1624448419470.000000', + visibility: 
'public', + org: '_ORGANIZATION_', + repo: '_ORGANIZATION_/_REPOSITORY_', + created_at: '1624448419470.000000', + action: 'repo.create', + actor_location: { country_code: '_COUNTRY_CODE_' }, + _document_id: 'oLAjZ_DbHvzZlPmRCXr4MA', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Git clone.', + id: '91158', + firedtimes: 3, + mail: false, + groups: ['github', 'git', 'git_git'], + }, + data: { + integration: 'github', + github: { + '@timestamp': '1624448422207.000000', + org: '_ORGANIZATION_', + repo: '_ORGANIZATION_/_REPOSITORY_', + action: 'git.clone', + transport_protocol_name: 'http', + transport_protocol: '1', + repository: '_ORGANIZATION_/_REPOSITORY_', + repository_public: 'true', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Git clone.', + id: '91158', + firedtimes: 4, + mail: false, + groups: ['github', 'git', 'git_git'], + }, + data: { + integration: 'github', + github: { + '@timestamp': '1624448423987.000000', + org: '_ORGANIZATION_', + repo: '_ORGANIZATION_/_REPOSITORY_', + action: 'git.clone', + transport_protocol_name: 'http', + transport_protocol: '1', + repository: '_ORGANIZATION_/_REPOSITORY_', + repository_public: 'true', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Git clone.', + id: '91158', + firedtimes: 5, + mail: false, + groups: ['github', 'git', 'git_git'], + }, + data: { + integration: 'github', + github: { + '@timestamp': '1624448432101.000000', + org: '_ORGANIZATION_', + repo: '_ORGANIZATION_/_REPOSITORY_', + actor_location: { country_code: '_COUNTRY_CODE_' }, + action: 'git.clone', + transport_protocol_name: 'http', + transport_protocol: '1', + repository: '_ORGANIZATION_/_REPOSITORY_', + repository_public: 'true', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Git clone.', + id: '91158', + firedtimes: 6, + mail: false, + groups: ['github', 'git', 'git_git'], + }, + data: { + integration: 'github', + github: { + '@timestamp': '1624448487893.000000', + org: 
'_ORGANIZATION_', + repo: '_ORGANIZATION_/_REPOSITORY_', + actor_location: { country_code: '_COUNTRY_CODE_' }, + action: 'git.clone', + transport_protocol_name: 'http', + transport_protocol: '1', + repository: '_ORGANIZATION_/_REPOSITORY_', + repository_public: 'true', + }, + }, + }, + { + rule: { + level: 3, + description: 'GitHub Git clone.', + id: '91158', + firedtimes: 7, + mail: false, + groups: ['github', 'git', 'git_git'], + }, + data: { + integration: 'github', + github: { + '@timestamp': '1624448736294.000000', + org: '_ORGANIZATION_', + repo: '_ORGANIZATION_/_REPOSITORY_', + actor_location: { country_code: '_COUNTRY_CODE_' }, + action: 'git.clone', + transport_protocol_name: 'http', + transport_protocol: '1', + repository: '_ORGANIZATION_/_REPOSITORY_', + repository_public: 'true', + }, + }, + }, ]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/integrity-monitoring.js b/plugins/main/server/lib/generate-alerts/sample-data/integrity-monitoring.js index 4290528796..fa5446bb69 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/integrity-monitoring.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/integrity-monitoring.js 
@@ -10,127 +10,94 @@
  * Find more information about this on the LICENSE file.
  */
-export const events = ["modified", "deleted", "added"];
-export const attributes = ["mtime", "inode", "size", "tmp", "md5", "sha1", "sha256"];
-export const pathsLinux = [
- "/etc/resolv.conf",
- "/var/wazuh/queue/fim/db/fim.db-journal",
- "/var/wazuh/queue/fim/db/fim.db",
- "/var/osquery/osquery.db/CURRENT",
- "/etc/sysconfig/network-scripts/ifcfg-eth1",
- "/etc/filebeat/fields.yml",
- "/var/log/lastlog",
- "/tmp/agent.conf",
- "/etc/elasticsearch/elasticsearch.yml",
- "/etc/elasticsearch/users",
- "/etc/elasticsearch/config",
- "/tmp/wazuh-config",
- "/run/utmp",
- "/etc/resolv.conf",
- "/var/wazuh/queue/fim/db/fim.db",
- "/var/osquery/osquery.db/CURRENT",
- "/run/utmp"
+module.exports.events = ['modified', 'deleted', 'added'];
+module.exports.attributes = [
+ 'mtime',
+ 'inode',
+ 'size',
+ 'tmp',
+ 'md5',
+ 'sha1',
+ 'sha256',
 ];
-export const pathsWindows = [
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv",
- "[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4",
- "[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime",
- "[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch",
- "c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal",
- "c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector",
- "c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter",
- "c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db",
- "c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-856620481-996501011-1859314257-500",
+module.exports.pathsLinux = [
+ '/etc/resolv.conf',
+ '/var/wazuh/queue/fim/db/fim.db-journal',
+ '/var/wazuh/queue/fim/db/fim.db',
+ '/var/osquery/osquery.db/CURRENT',
+ '/etc/sysconfig/network-scripts/ifcfg-eth1',
+ '/etc/filebeat/fields.yml',
+ '/var/log/lastlog',
+ '/tmp/agent.conf',
+ '/etc/elasticsearch/elasticsearch.yml',
+ '/etc/elasticsearch/users',
+ '/etc/elasticsearch/config',
+ '/tmp/wazuh-config',
+ '/run/utmp',
+ '/etc/resolv.conf',
+ '/var/wazuh/queue/fim/db/fim.db',
+ '/var/osquery/osquery.db/CURRENT',
+ '/run/utmp',
 ];
-export const uid_after = ["0", "S-1-5-18", "S-1-5-32-544", "996", "S-1-5-19"];
-export const gid_after = ["994", "0", "993", "190", "22"];
-export const tags = ["tmp"];
-export const regulatory = [{
- "firedtimes": 1,
- "mail": false,
- "level": 5,
- "pci_dss": [
- "11.5"
- ],
- "hipaa": [
- "164.312.c.1",
- "164.312.c.2"
- ],
- "description": "File added to the system.",
- "groups": [
- "wazuh",
- "syscheck"
- ],
- "id": "554",
- "nist_800_53": [
- "SI.7"
- ],
- "gpg13": [
- "4.11"
- ],
- "gdpr": [
- "II_5.1.f"
- ]
+module.exports.pathsWindows = [
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv',
+ '[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4',
+ '[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5',
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}',
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config',
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits',
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime',
+ '[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7',
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch',
+ 'c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal',
+ 'c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector',
+ 'c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter',
+ 'c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db',
+ 'c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state',
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend',
+ '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-856620481-996501011-1859314257-500',
+];
+module.exports.uid_after = ['0', 'S-1-5-18', 'S-1-5-32-544', '996', 'S-1-5-19'];
+module.exports.gid_after = ['994', '0', '993', '190', '22'];
+module.exports.tags = ['tmp'];
+module.exports.regulatory = [
+ {
+ firedtimes: 1,
+ mail: false,
+ level: 5,
+ pci_dss: ['11.5'],
+ hipaa: ['164.312.c.1', '164.312.c.2'],
+ description: 'File added to the system.',
+ groups: ['wazuh', 'syscheck'],
+ id: '554',
+ nist_800_53: ['SI.7'],
+ gpg13: ['4.11'],
+ gdpr: ['II_5.1.f'],
 },
 {
- "firedtimes": 2,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "11.5"
- ],
- "hipaa": [
- "164.312.c.1",
- "164.312.c.2"
- ],
- "description": "Integrity checksum changed.",
- "groups": [
- "wazuh",
- "syscheck"
- ],
- "id": "550",
- "nist_800_53": [
- "SI.7"
- ],
- "gpg13": [
- "4.11"
- ],
- "gdpr": [
- "II_5.1.f"
- ]
+ firedtimes: 2,
+ mail: false,
+ level: 7,
+ pci_dss: ['11.5'],
+ hipaa: ['164.312.c.1', '164.312.c.2'],
+ description: 'Integrity checksum changed.',
+ groups: ['wazuh', 'syscheck'],
+ id: '550',
+ nist_800_53: ['SI.7'],
+ gpg13: ['4.11'],
+ gdpr: ['II_5.1.f'],
 },
 {
- "firedtimes": 2,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "11.5"
- ],
- "hipaa": [
- "164.312.c.1",
- "164.312.c.2" ],
- "description": "File deleted.",
- "groups": [
- "wazuh",
- "syscheck"
- ],
- "id": "553",
- "nist_800_53": [
- "SI.7"
- ],
- "gpg13": [
- "4.11"
- ],
- "gdpr": [
- "II_5.1.f"
- ]
+ firedtimes: 2,
+ mail: false,
+ level: 7,
+ pci_dss: ['11.5'],
+ hipaa: ['164.312.c.1', '164.312.c.2'],
+ description: 'File deleted.',
+ groups: ['wazuh', 'syscheck'],
+ id: '553',
+ nist_800_53: ['SI.7'],
+ gpg13: ['4.11'],
+ gdpr: ['II_5.1.f'],
 },
 ];
diff --git a/plugins/main/server/lib/generate-alerts/sample-data/mitre.js b/plugins/main/server/lib/generate-alerts/sample-data/mitre.js
index 96e19c81a1..ec683af881 100644
--- a/plugins/main/server/lib/generate-alerts/sample-data/mitre.js
+++ b/plugins/main/server/lib/generate-alerts/sample-data/mitre.js
@@ -11,11 +11,11 @@
  */
 // Mitre
-export const arrayMitreRules = [
+module.exports.arrayMitreRules = [
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 504,
+ id: '504',
 level: 3,
 status: 'enabled',
 details: { if_sid: '500', match: 'Agent disconnected' },
@@ -25,14 +25,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'AU.14', 'AU.5'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.8'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ mitre: {
+ tactic: ['Defense Evasion'],
+ id: ['T1089'],
+ technique: ['Disabling Security Tools'],
+ },
 groups: ['wazuh'],
 description: 'Ossec agent disconnected.',
 },
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 505,
+ id: '505',
 level: 3,
 status: 'enabled',
 details: { if_sid: '500', match: 'Agent removed' },
@@ -42,14 +46,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'AU.14', 'AU.5'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.8'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ mitre: {
+ tactic: ['Defense Evasion'],
+ id: ['T1089'],
+ technique: ['Disabling Security Tools'],
+ },
 groups: ['wazuh'],
 description: 'Ossec agent removed.',
 },
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 518,
+ id: '518',
 level: 9,
 status: 'enabled',
 details: { if_sid: '514', match: 'Adware|Spyware' },
@@ -66,7 +74,7 @@ export const arrayMitreRules = [
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 550,
+ id: '550',
 level: 7,
 status: 'enabled',
 details: { category: 'wazuh', decoded_as: 'syscheck_integrity_changed' },
@@ -76,14 +84,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.c.1', '164.312.c.2'],
 nist_800_53: ['SI.7'],
 tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1492'],
+ technique: ['Stored Data Manipulation'],
+ },
 groups: ['syscheck', 'wazuh'],
 description: 'Integrity checksum changed.',
 },
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 553,
+ id: '553',
 level: 7,
 status: 'enabled',
 details: { category: 'wazuh', decoded_as: 'syscheck_deleted' },
@@ -104,7 +116,7 @@ export const arrayMitreRules = [
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 592,
+ id: '592',
 level: 8,
 status: 'enabled',
 details: { if_sid: '500', match: '^ossec: File size reduced' },
@@ -114,14 +126,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.9', 'SI.4'],
 tsc: ['CC6.1', 'CC7.2', 'CC7.3', 'CC6.8'],
- mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1492'],
+ technique: ['Stored Data Manipulation'],
+ },
 groups: ['attacks', 'wazuh'],
 description: 'Log file size reduced.',
 },
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 593,
+ id: '593',
 level: 9,
 status: 'enabled',
 details: { if_sid: '500', match: '^ossec: Event log cleared' },
@@ -131,34 +147,50 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.9'],
 tsc: ['CC6.1', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1070'], technique: ['Indicator Removal on Host'] },
+ mitre: {
+ tactic: ['Defense Evasion'],
+ id: ['T1070'],
+ technique: ['Indicator Removal on Host'],
+ },
 groups: ['logs_cleared', 'wazuh'],
 description: 'Microsoft Event log cleared.',
 },
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 594,
+ id: '594',
 level: 5,
 status: 'enabled',
- details: { category: 'wazuh', if_sid: '550', hostname: 'syscheck-registry' },
+ details: {
+ category: 'wazuh',
+ if_sid: '550',
+ hostname: 'syscheck-registry',
+ },
 pci_dss: ['11.5'],
 gpg13: ['4.13'],
 gdpr: ['II_5.1.f'],
 hipaa: ['164.312.c.1', '164.312.c.2'],
 nist_800_53: ['SI.7'],
 tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1492'],
+ technique: ['Stored Data Manipulation'],
+ },
 groups: ['syscheck', 'wazuh'],
 description: 'Registry Integrity Checksum Changed',
 },
 {
 filename: '0015-ossec_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 597,
+ id: '597',
 level: 5,
 status: 'enabled',
- details: { category: 'wazuh', if_sid: '553', hostname: 'syscheck-registry' },
+ details: {
+ category: 'wazuh',
+ if_sid: '553',
+ hostname: 'syscheck-registry',
+ },
 pci_dss: ['11.5'],
 gpg13: ['4.13'],
 gdpr: ['II_5.1.f'],
@@ -176,19 +208,23 @@ export const arrayMitreRules = [
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 1003,
+ id: '1003',
 level: 13,
 status: 'enabled',
 details: { maxsize: '1025', noalert: '1' },
 gpg13: ['4.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['syslog', 'errors'],
 description: 'Non standard syslog message (size too large).',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2301,
+ id: '2301',
 level: 10,
 status: 'enabled',
 details: { match: '^Deactivating service ' },
@@ -197,14 +233,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6'],
 tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['syslog', 'xinetd'],
 description: 'xinetd: Excessive number connections to a service.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2502,
+ id: '2502',
 level: 10,
 status: 'enabled',
 details: { match: 'more authentication failures;|REPEATED login failures' },
@@ -214,14 +254,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['authentication_failed', 'syslog', 'access_control'],
 description: 'syslog: User missed the password more than one time',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2503,
+ id: '2503',
 level: 5,
 status: 'enabled',
 details: {
@@ -247,7 +291,7 @@ export const arrayMitreRules = [
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2504,
+ id: '2504',
 level: 9,
 status: 'enabled',
 details: { match: 'ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED' },
@@ -257,14 +301,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['invalid_login', 'syslog', 'access_control'],
 description: 'syslog: Illegal root login.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2551,
+ id: '2551',
 level: 10,
 status: 'enabled',
 details: { if_sid: '2550', regex: '^Connection from S+ on illegal port$' },
@@ -274,14 +322,19 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6'],
 tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Discovery'], id: ['T1046'], technique: ['Network Service Scanning'] },
+ mitre: {
+ tactic: ['Discovery'],
+ id: ['T1046'],
+ technique: ['Network Service Scanning'],
+ },
 groups: ['connection_attempt', 'syslog', 'access_control'],
- description: 'Connection to rshd from unprivileged port. Possible network scan.',
+ description:
+ 'Connection to rshd from unprivileged port. Possible network scan.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2833,
+ id: '2833',
 level: 8,
 status: 'enabled',
 details: { if_sid: '2832', match: '^(root)' },
@@ -291,53 +344,74 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AU.6', 'AC.6'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['syslog', 'cron'],
 description: "Root's crontab entry changed.",
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2960,
+ id: '2960',
 level: 2,
 status: 'enabled',
 details: { decoded_as: 'gpasswd', match: 'added by' },
 gpg13: ['7.9', '4.13'],
 gdpr: ['IV_32.2'],
- mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] },
+ mitre: {
+ tactic: ['Persistence'],
+ id: ['T1136'],
+ technique: ['Create Account'],
+ },
 groups: ['syslog', 'yum'],
 description: 'User added to group.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2961,
+ id: '2961',
 level: 5,
 status: 'enabled',
 details: { if_sid: '2960', group: 'sudo' },
 gpg13: ['7.9', '4.13'],
 gdpr: ['IV_32.2'],
- mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] },
+ mitre: {
+ tactic: ['Persistence'],
+ id: ['T1136'],
+ technique: ['Create Account'],
+ },
 groups: ['syslog', 'yum'],
 description: 'User added to group sudo.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 2964,
+ id: '2964',
 level: 10,
 status: 'enabled',
- details: { frequency: '4', timeframe: '30', if_matched_sid: '2963', same_source_ip: '' },
+ details: {
+ frequency: '4',
+ timeframe: '30',
+ if_matched_sid: '2963',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['recon', 'syslog', 'perdition'],
 description: 'perdition: Multiple connection attempts from same source.',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3102,
+ id: '3102',
 level: 5,
 status: 'enabled',
 details: { if_sid: '3101', match: 'reject=451 4.1.8 ' },
@@ -345,7 +419,11 @@ export const arrayMitreRules = [
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'sendmail'],
 description:
 'sendmail: Sender domain does not have any valid MX record (Requested action aborted).',
@@ -353,7 +431,7 @@ export const arrayMitreRules = [
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3103,
+ id: '3103',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3101', match: 'reject=550 5.0.0 |reject=553 5.3.0' },
@@ -361,14 +439,19 @@ export const arrayMitreRules = [
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'sendmail'],
- description: 'sendmail: Rejected by access list (55x: Requested action not taken).',
+ description:
+ 'sendmail: Rejected by access list (55x: Requested action not taken).',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3104,
+ id: '3104',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3101', match: 'reject=550 5.7.1 ' },
@@ -376,14 +459,19 @@ export const arrayMitreRules = [
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'sendmail'],
- description: 'sendmail: Attempt to use mail server as relay (550: Requested action not taken).',
+ description:
+ 'sendmail: Attempt to use mail server as relay (550: Requested action not taken).',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3105,
+ id: '3105',
 level: 5,
 status: 'enabled',
 details: { if_sid: '3101', match: 'reject=553 5.1.8 ' },
@@ -391,14 +479,19 @@ export const arrayMitreRules = [
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'sendmail'],
- description: 'sendmail: Sender domain is not found (553: Requested action not taken).',
+ description:
+ 'sendmail: Sender domain is not found (553: Requested action not taken).',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3106,
+ id: '3106',
 level: 5,
 status: 'enabled',
 details: { if_sid: '3101', match: 'reject=553 5.5.4 ' },
@@ -406,14 +499,19 @@ export const arrayMitreRules = [
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'sendmail'],
- description: 'sendmail: Sender address does not have domain (553: Requested action not taken).',
+ description:
+ 'sendmail: Sender address does not have domain (553: Requested action not taken).',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3108,
+ id: '3108',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3100', match: 'rejecting commands from' },
@@ -421,17 +519,26 @@ export const arrayMitreRules = [
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'sendmail'],
 description: 'sendmail: Sendmail rejected due to pre-greeting.',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3151,
+ id: '3151',
 level: 10,
 status: 'enabled',
- details: { frequency: '8', timeframe: '120', if_matched_sid: '3102', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '120',
+ if_matched_sid: '3102',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
@@ -442,15 +549,21 @@ export const arrayMitreRules = [
 technique: ['Email Collection', 'Endpoint Denial of Service'],
 },
 groups: ['multiple_spam', 'syslog', 'sendmail'],
- description: 'sendmail: Sender domain has bogus MX record. It should not be sending e-mail.',
+ description:
+ 'sendmail: Sender domain has bogus MX record. It should not be sending e-mail.',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3152,
+ id: '3152',
 level: 6,
 status: 'enabled',
- details: { frequency: '8', timeframe: '120', if_matched_sid: '3103', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '120',
+ if_matched_sid: '3103',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
@@ -467,10 +580,15 @@ export const arrayMitreRules = [
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3153,
+ id: '3153',
 level: 6,
 status: 'enabled',
- details: { frequency: '8', timeframe: '120', if_matched_sid: '3104', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '120',
+ if_matched_sid: '3104',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
@@ -486,10 +604,15 @@ export const arrayMitreRules = [
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3154,
+ id: '3154',
 level: 10,
 status: 'enabled',
- details: { frequency: '8', timeframe: '120', if_matched_sid: '3105', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '120',
+ if_matched_sid: '3105',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
@@ -500,15 +623,21 @@ export const arrayMitreRules = [
 technique: ['Email Collection', 'Endpoint Denial of Service'],
 },
 groups: ['multiple_spam', 'syslog', 'sendmail'],
- description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain.',
+ description:
+ 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain.',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3155,
+ id: '3155',
 level: 10,
 status: 'enabled',
- details: { frequency: '8', timeframe: '120', if_matched_sid: '3106', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '120',
+ if_matched_sid: '3106',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
@@ -519,15 +648,21 @@ export const arrayMitreRules = [
 technique: ['Email Collection', 'Endpoint Denial of Service'],
 },
 groups: ['multiple_spam', 'syslog', 'sendmail'],
- description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender.',
+ description:
+ 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender.',
 },
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3156,
+ id: '3156',
 level: 10,
 status: 'enabled',
- details: { frequency: '12', timeframe: '120', if_matched_sid: '3107', same_source_ip: '' },
+ details: {
+ frequency: '12',
+ timeframe: '120',
+ if_matched_sid: '3107',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
@@ -543,10 +678,15 @@ export const arrayMitreRules = [
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3158,
+ id: '3158',
 level: 10,
 status: 'enabled',
- details: { frequency: '8', timeframe: '120', if_matched_sid: '3108', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '120',
+ if_matched_sid: '3108',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
@@ -562,22 +702,30 @@ export const arrayMitreRules = [
 {
 filename: '0025-sendmail_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3191,
+ id: '3191',
 level: 6,
 status: 'enabled',
- details: { if_sid: '3190', match: '^sender check failed|^sender check tempfailed' },
+ details: {
+ if_sid: '3190',
+ match: '^sender check failed|^sender check tempfailed',
+ },
 pci_dss: ['11.4'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['smf-sav', 'spam', 'syslog', 'sendmail'],
- description: 'sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED).',
+ description:
+ 'sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED).',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3301,
+ id: '3301',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3300', id: '^554$' },
@@ -586,14 +734,19 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
- description: 'Postfix: Attempt to use mail server as relay (client host rejected).',
+ description:
+ 'Postfix: Attempt to use mail server as relay (client host rejected).',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3302,
+ id: '3302',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3300', id: '^550$' },
@@ -602,14 +755,19 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
- description: 'Postfix: Rejected by access list (Requested action not taken).',
+ description:
+ 'Postfix: Rejected by access list (Requested action not taken).',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3303,
+ id: '3303',
 level: 5,
 status: 'enabled',
 details: { if_sid: '3300', id: '^450$' },
@@ -618,14 +776,19 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
- description: 'Postfix: Sender domain is not found (450: Requested mail action not taken).',
+ description:
+ 'Postfix: Sender domain is not found (450: Requested mail action not taken).',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3304,
+ id: '3304',
 level: 5,
 status: 'enabled',
 details: { if_sid: '3300', id: '^503$' },
@@ -634,7 +797,11 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
 description:
 'Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands).',
@@ -642,7 +809,7 @@ export const arrayMitreRules = [
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3305,
+ id: '3305',
 level: 5,
 status: 'enabled',
 details: { if_sid: '3300', id: '^504$' },
@@ -651,7 +818,11 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
 description:
 'Postfix: Recipient address must contain FQDN (504: Command parameter not implemented).',
@@ -659,7 +830,7 @@ export const arrayMitreRules = [
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3306,
+ id: '3306',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3301, 3302', match: ' blocked using ' },
@@ -668,14 +839,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
 description: 'Postfix: IP Address black-listed by anti-spam (blocked).',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3330,
+ id: '3330',
 level: 10,
 status: 'enabled',
 details: {
@@ -691,14 +866,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6'],
 tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['service_availability', 'syslog', 'postfix'],
 description: 'Postfix process error.',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3335,
+ id: '3335',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3320', match: '^too many ' },
@@ -707,14 +886,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
 description: 'Postfix: too many errors after RCPT from unknown',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3351,
+ id: '3351',
 level: 6,
 status: 'enabled',
 details: {
@@ -739,7 +922,7 @@ export const arrayMitreRules = [
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3352,
+ id: '3352',
 level: 6,
 status: 'enabled',
 details: {
@@ -758,12 +941,13 @@ export const arrayMitreRules = [
 technique: ['Email Collection', 'Endpoint Denial of Service'],
 },
 groups: ['multiple_spam', 'syslog', 'postfix'],
- description: 'Postfix: Multiple attempts to send e-mail from a rejected sender IP (access).',
+ description:
+ 'Postfix: Multiple attempts to send e-mail from a rejected sender IP (access).',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3353,
+ id: '3353',
 level: 10,
 status: 'enabled',
 details: {
@@ -783,12 +967,13 @@ export const arrayMitreRules = [
 technique: ['Email Collection', 'Endpoint Denial of Service'],
 },
 groups: ['multiple_spam', 'syslog', 'postfix'],
- description: 'Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain.',
+ description:
+ 'Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain.',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3354,
+ id: '3354',
 level: 12,
 status: 'enabled',
 details: {
@@ -802,14 +987,19 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['multiple_spam', 'syslog', 'postfix'],
- description: 'Postfix: Multiple misuse of SMTP service (bad sequence of commands).',
+ description:
+ 'Postfix: Multiple misuse of SMTP service (bad sequence of commands).',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3355,
+ id: '3355',
 level: 10,
 status: 'enabled',
 details: {
@@ -835,7 +1025,7 @@ export const arrayMitreRules = [
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3356,
+ id: '3356',
 level: 10,
 status: 'enabled',
 details: {
@@ -850,7 +1040,11 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['multiple_spam', 'syslog', 'postfix'],
 description:
 'Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked).',
@@ -858,7 +1052,7 @@ export const arrayMitreRules = [
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3357,
+ id: '3357',
 level: 10,
 status: 'enabled',
 details: {
@@ -873,14 +1067,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['authentication_failures', 'syslog', 'postfix'],
 description: 'Postfix: Multiple SASL authentication failures.',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3396,
+ id: '3396',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3395', match: 'verification' },
@@ -889,14 +1087,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
 description: 'Postfix: hostname verification failed',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3397,
+ id: '3397',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3395', match: 'RBL' },
@@ -905,14 +1107,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
 description: 'Postfix: RBL lookup error: Host or domain name not found',
 },
 {
 filename: '0030-postfix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3398,
+ id: '3398',
 level: 6,
 status: 'enabled',
 details: { if_sid: '3395', match: 'MAIL|does not resolve to address' },
@@ -921,14 +1127,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ mitre: {
+ tactic: ['Collection'],
+ id: ['T1114'],
+ technique: ['Email Collection'],
+ },
 groups: ['spam', 'syslog', 'postfix'],
 description: 'Postfix: Illegal address from unknown sender',
 },
 {
 filename: '0040-imapd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3602,
+ id: '3602',
 level: 3,
 status: 'enabled',
 details: { if_sid: '3600', match: 'Authenticated user=' },
@@ -938,14 +1148,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'imapd'],
 description: 'Imapd user login.',
 },
 {
 filename: '0040-imapd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3651,
+ id: '3651',
 level: 10,
 status: 'enabled',
 details: {
@@ -960,17 +1174,26 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['authentication_failures', 'syslog', 'imapd'],
 description: 'Imapd Multiple failed logins from same source ip.',
 },
 {
 filename: '0045-mailscanner_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3751,
+ id: '3751',
 level: 6,
 status: 'enabled',
- details: { frequency: '8', timeframe: '180', if_matched_sid: '3702', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '180',
+ if_matched_sid: '3702',
+ same_source_ip: '',
+ },
 pci_dss: ['10.6.1'],
 gpg13: ['4.12'],
 gdpr: ['IV_35.7.d'],
@@ -988,7 +1211,7 @@ export const arrayMitreRules = [
 {
 filename: '0050-ms-exchange_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3851,
+ id: '3851',
 level: 9,
 status: 'enabled',
 details: {
@@ -1015,7 +1238,7 @@ export const arrayMitreRules = [
 {
 filename: '0050-ms-exchange_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3852,
+ id: '3852',
 level: 9,
 status: 'enabled',
 details: {
@@ -1042,7 +1265,7 @@ export const arrayMitreRules = [
 {
 filename: '0055-courier_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3904,
+ id: '3904',
 level: 3,
 status: 'enabled',
 details: { if_sid: '3900', match: '^LOGIN,' },
@@ -1052,47 +1275,69 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'courier'],
 description: 'Courier (imap/pop3) authentication success.',
 },
 {
 filename: '0055-courier_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3910,
+ id: '3910',
 level: 10,
 status: 'enabled',
- details: { frequency: '12', timeframe: '30', if_matched_sid: '3902', same_source_ip: '' },
+ details: {
+ frequency: '12',
+ timeframe: '30',
+ if_matched_sid: '3902',
+ same_source_ip: '',
+ },
 pci_dss: ['10.2.4', '10.2.5', '11.4'],
 gpg13: ['7.1'],
 gdpr: ['IV_35.7.d', 'IV_32.2'],
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['authentication_failures', 'syslog', 'courier'],
 description: 'Courier brute force (multiple failed logins).',
 },
 {
 filename: '0055-courier_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 3911,
+ id: '3911',
 level: 10,
 status: 'enabled',
- details: { frequency: '17', timeframe: '30', if_matched_sid: '3901', same_source_ip: '' },
+ details: {
+ frequency: '17',
+ timeframe: '30',
+ if_matched_sid: '3901',
+ same_source_ip: '',
+ },
 pci_dss: ['10.6.1', '11.4'],
 gdpr: ['IV_35.7.d'],
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['recon', 'syslog', 'courier'],
 description: 'Courier: Multiple connection attempts from same source.',
 },
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4323,
+ id: '4323',
 level: 3,
 status: 'enabled',
 details: { if_sid: '4314', id: '^6-605005' },
@@ -1102,14 +1347,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'pix'],
 description: 'PIX: Successful login.',
 },
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4325,
+ id: '4325',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4313', id: '^4-405001' },
@@ -1130,7 +1379,7 @@ export const arrayMitreRules = [
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4335,
+ id: '4335',
 level: 3,
 status: 'enabled',
 details: { if_sid: '4314', id: '^6-113004' },
@@ -1140,14 +1389,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'pix'],
 description: 'PIX: AAA (VPN) authentication successful.',
 },
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4336,
+ id: '4336',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4314', id: '^6-113006' },
@@ -1157,14 +1410,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1133'],
+ technique: ['External Remote Services'],
+ },
 groups: ['authentication_failed', 'syslog', 'pix'],
 description: 'PIX: AAA (VPN) user locked out.',
 },
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4337,
+ id: '4337',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4312', id: '^3-201008' },
@@ -1174,14 +1431,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6'],
 tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1133'],
+ technique: ['External Remote Services'],
+ },
 groups: ['service_availability', 'syslog', 'pix'],
 description: 'PIX: The PIX is disallowing new connections.',
 },
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4339,
+ id: '4339',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4314', id: '^5-111003' },
@@ -1191,14 +1452,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.a.1', '164.312.b'],
 nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
 tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ mitre: {
+ tactic: ['Defense Evasion'],
+ id: ['T1089'],
+ technique: ['Disabling Security Tools'],
+ },
 groups: ['config_changed', 'syslog', 'pix'],
 description: 'PIX: Firewall configuration deleted.',
 },
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4340,
+ id: '4340',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4314', id: '^5-111005|^5-111004|^5-111002|^5-111007' },
@@ -1208,14 +1473,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.a.1', '164.312.b'],
 nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
 tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ mitre: {
+ tactic: ['Defense Evasion'],
+ id: ['T1089'],
+ technique: ['Disabling Security Tools'],
+ },
 groups: ['config_changed', 'syslog', 'pix'],
 description: 'PIX: Firewall configuration changed.',
 },
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4342,
+ id: '4342',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4314', id: '^5-502101|^5-502102' },
@@ -1236,10 +1505,15 @@ export const arrayMitreRules = [
 {
 filename: '0065-pix_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4386,
+ id: '4386',
 level: 10,
 status: 'enabled',
- details: { frequency: '10', timeframe: '240', if_matched_sid: '4334', same_source_ip: '' },
+ details: {
+ frequency: '10',
+ timeframe: '240',
+ if_matched_sid: '4334',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4', '10.2.4', '10.2.5'],
 gpg13: ['7.1'],
 gdpr: ['IV_35.7.d', 'IV_32.2'],
@@ -1257,7 +1531,7 @@ export const arrayMitreRules = [
 {
 filename: '0070-netscreenfw_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4505,
+ id: '4505',
 level: 11,
 status: 'enabled',
 details: { if_sid: '4503', id: '^00027' },
@@ -1266,14 +1540,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.a.1', '164.312.b'],
 nist_800_53: ['SC.7', 'AU.6'],
 tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1485'], technique: ['Data Destruction'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1485'],
+ technique: ['Data Destruction'],
+ },
 groups: ['service_availability', 'netscreenfw'],
 description: 'Netscreen Erase sequence started.',
 },
 {
 filename: '0070-netscreenfw_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4506,
+ id: '4506',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4501', id: '^00002' },
@@ -1283,14 +1561,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'netscreenfw'],
 description: 'Netscreen firewall: Successfull admin login',
 },
 {
 filename: '0070-netscreenfw_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4507,
+ id: '4507',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4502', id: '^00515' },
@@ -1300,14 +1582,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'netscreenfw'],
 description: 'Netscreen firewall: Successfull admin login',
 },
 {
 filename: '0070-netscreenfw_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4509,
+ id: '4509',
 level: 8,
 status: 'enabled',
 details: { if_sid: '4504', id: '^00767' },
@@ -1317,14 +1603,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.a.1'],
 nist_800_53: ['CM.3', 'CM.5'],
 tsc: ['CC8.1'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ mitre: {
+ tactic: ['Defense Evasion'],
+ id: ['T1089'],
+ technique: ['Disabling Security Tools'],
+ },
 groups: ['config_changed', 'netscreenfw'],
 description: 'Netscreen firewall: configuration changed.',
 },
 {
 filename: '0070-netscreenfw_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4550,
+ id: '4550',
 level: 10,
 status: 'enabled',
 details: {
@@ -1340,25 +1630,39 @@ export const arrayMitreRules = [
 hipaa: ['164.312.a.1', '164.312.b'],
 nist_800_53: ['SC.7', 'AU.6', 'SI.4'],
 tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3', 'CC6.1'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['netscreenfw'],
- description: 'Netscreen firewall: Multiple critical messages from same source IP.',
+ description:
+ 'Netscreen firewall: Multiple critical messages from same source IP.',
 },
 {
 filename: '0070-netscreenfw_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4551,
+ id: '4551',
 level: 10,
 status: 'enabled',
- details: { frequency: '8', timeframe: '180', ignore: '60', if_matched_sid: '4503' },
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ details: {
+ frequency: '8',
+ timeframe: '180',
+ ignore: '60',
+ if_matched_sid: '4503',
+ },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['netscreenfw'],
 description: 'Netscreen firewall: Multiple critical messages.',
 },
 {
 filename: '0075-cisco-ios_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4722,
+ id: '4722',
 level: 3,
 status: 'enabled',
 details: { if_sid: '4715', id: '^%SEC_LOGIN-5-LOGIN_SUCCESS' },
@@ -1368,14 +1672,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'cisco_ios'],
 description: 'Cisco IOS: Successful login to the router.',
 },
 {
 filename: '0080-sonicwall_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4810,
+ id: '4810',
 level: 3,
 status: 'enabled',
 details: { if_sid: '4806', id: '^236$' },
@@ -1385,48 +1693,68 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'sonicwall'],
 description: 'SonicWall: Firewall administrator login.',
 },
 {
 filename: '0080-sonicwall_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 4851,
+ id: '4851',
 level: 10,
 status: 'enabled',
- details: { frequency: '8', timeframe: '120', ignore: '60', if_matched_sid: '4803' },
+ details: {
+ frequency: '8',
+ timeframe: '120',
+ ignore: '60',
+ if_matched_sid: '4803',
+ },
 pci_dss: ['10.6.1'],
 gpg13: ['3.5'],
 gdpr: ['IV_35.7.d'],
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6'],
 tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['service_availability', 'syslog', 'sonicwall'],
 description: 'SonicWall: Multiple firewall error messages.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5103,
+ id: '5103',
 level: 9,
 status: 'enabled',
 details: { if_sid: '5100', match: 'Oversized packet received from' },
 gdpr: ['IV_35.7.d'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['syslog', 'linuxkernel'],
 description: 'Error message from the kernel. Ping of death attack.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5104,
+ id: '5104',
 level: 8,
 status: 'enabled',
 details: {
 if_sid: '5100',
- regex: ['Promiscuous mode enabled|', 'device S+ entered promiscuous mode'],
+ regex: [
+ 'Promiscuous mode enabled|',
+ 'device S+ entered promiscuous mode',
+ ],
 },
 pci_dss: ['10.6.1', '11.4'],
 gpg13: ['4.13'],
@@ -1434,14 +1762,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6', 'SI.4'],
 tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Discovery'], id: ['T1040'], technique: ['Network Sniffing'] },
+ mitre: {
+ tactic: ['Discovery'],
+ id: ['T1040'],
+ technique: ['Network Sniffing'],
+ },
 groups: ['promisc', 'syslog', 'linuxkernel'],
 description: 'Interface entered in promiscuous(sniffing) mode.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5108,
+ id: '5108',
 level: 12,
 status: 'enabled',
 details: { if_sid: '5100', match: 'Out of Memory: ' },
@@ -1451,14 +1783,19 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6'],
 tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1499'],
+ technique: ['Endpoint Denial of Service'],
+ },
 groups: ['service_availability', 'syslog', 'linuxkernel'],
- description: 'System running out of memory. Availability of the system is in risk.',
+ description:
+ 'System running out of memory. Availability of the system is in risk.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5113,
+ id: '5113',
 level: 7,
 status: 'enabled',
 details: { if_sid: '5100', match: 'Kernel log daemon terminating' },
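Review bot: The regex entries for rule 5104 that this hunk re-wraps, `'Promiscuous mode enabled|'` and `'device S+ entered promiscuous mode'`, look like they lost their backslashes: the shipped rule's pattern is, as far as I recall, `device \S+ entered promiscuous mode`, and in a JS single-quoted literal `'\S'` silently collapses to `'S'`, which is exactly what is left here. If these strings are only ever displayed this is cosmetic, but anything that feeds them to `new RegExp` will no longer match real kernel lines, and the trailing `|` on the first entry suggests the same loss. I would store them escaped, `'device \\S+ entered promiscuous mode'`, so the data carries the pattern it claims to. This is pre-existing rather than introduced by the reformat; the 5104 rule object continues past the end of the hunk.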
@@ -1468,36 +1805,51 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.6'],
 tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1529'], technique: ['System Shutdown/Reboot'] },
+ mitre: {
+ tactic: ['Impact'],
+ id: ['T1529'],
+ technique: ['System Shutdown/Reboot'],
+ },
 groups: ['system_shutdown', 'syslog', 'linuxkernel'],
 description: 'System is shutting down.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5132,
+ id: '5132',
 level: 11,
 status: 'enabled',
 details: { if_sid: '5100', match: 'module verification failed' },
- mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
+ mitre: {
+ tactic: ['Persistence'],
+ id: ['T1215'],
+ technique: ['Kernel Modules and Extensions'],
+ },
 groups: ['syslog', 'linuxkernel'],
 description: 'Unsigned kernel module was loaded',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5133,
+ id: '5133',
 level: 11,
 status: 'enabled',
- details: { if_sid: '5100', match: 'PKCS#7 signature not signed with a trusted key' },
- mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
+ details: {
+ if_sid: '5100',
+ match: 'PKCS#7 signature not signed with a trusted key',
+ },
+ mitre: {
+ tactic: ['Persistence'],
+ id: ['T1215'],
+ technique: ['Kernel Modules and Extensions'],
+ },
 groups: ['syslog', 'linuxkernel'],
 description: 'Signed but untrusted kernel module was loaded',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5302,
+ id: '5302',
 level: 9,
 status: 'enabled',
 details: { if_sid: '5301', user: '^root' },
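Review bot: The technique id carried over on the new side for rules 5132 and 5133, `id: ['T1215']` with `technique: ['Kernel Modules and Extensions']`, is one that, as far as I recall, ATT&CK retired when it became the sub-technique T1547.006 under Boot or Logon Autostart Execution; `T1089` elsewhere in this file was likewise superseded by T1562.001. Because this sample data feeds the redesigned dashboard, a stale id shows up as a technique that may not resolve in the MITRE module, so it is worth checking these against the ATT&CK version the plugin bundles. If the intent is to mirror the shipped ruleset verbatim, a comment at the top of the array such as `// technique ids are copied from the shipped ruleset; some are deprecated in current ATT&CK` would head off the question.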
@@ -1507,14 +1859,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3', 'CC7.4'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['authentication_failed', 'syslog', 'su'],
 description: 'User missed the password to change UID to root.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5303,
+ id: '5303',
 level: 3,
 status: 'enabled',
 details: {
@@ -1530,19 +1886,26 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'su'],
 description: 'User successfully changed UID to root.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5304,
+ id: '5304',
 level: 3,
 status: 'enabled',
 details: {
 if_sid: '5300',
- regex: ['session opened for user|succeeded for|', '^+|^S+ to |^SU S+ S+ + '],
+ regex: [
+ 'session opened for user|succeeded for|',
+ '^+|^S+ to |^SU S+ S+ + ',
+ ],
 },
 pci_dss: ['10.2.5'],
 gpg13: ['7.6', '7.8'],
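Review bot: The `regex` element `'^+|^S+ to |^SU S+ S+ + '` added at the end of the second hunk here (@@ -1530) reads like a rule pattern whose backslash escapes (`\+`, `\S+`) were dropped when it was pasted into a JS string, and the reformat carries the lossy value onto the new side unchanged. The same stripped form shows up in `'device S+ entered promiscuous mode'` at the top of this file section and in the `USER=S+` / `TSID=S+` values in the hunks at @@ -1567 and @@ -1629. If these fields are only rendered in the dashboard the damage is cosmetic, but anything that treats `details.regex` as a pattern will silently never match. The fix is to restore the escapes after checking the source ruleset XML, e.g. `'^\\+|^\\S+ to |^SU \\S+ \\S+ \\+ '` (constructed from the apparent intent, to be confirmed), and similarly `TSID=\\S+`.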
@@ -1550,14 +1913,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'syslog', 'su'],
 description: 'User successfully changed UID.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5401,
+ id: '5401',
 level: 5,
 status: 'enabled',
 details: { if_sid: '5400', match: 'incorrect password attempt' },
@@ -1567,42 +1934,57 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['syslog', 'sudo'],
 description: 'Failed attempt to run sudo.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5402,
+ id: '5402',
 level: 3,
 status: 'enabled',
- details: { if_sid: '5400', regex: ' ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND=' },
+ details: {
+ if_sid: '5400',
+ regex: ' ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND=',
+ },
 pci_dss: ['10.2.5', '10.2.2'],
 gpg13: ['7.6', '7.8', '7.13'],
 gdpr: ['IV_32.2'],
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['syslog', 'sudo'],
 description: 'Successful sudo to ROOT executed.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5403,
+ id: '5403',
 level: 4,
 status: 'enabled',
 details: { if_sid: '5400', if_fts: '' },
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['syslog', 'sudo'],
 description: 'First time user executed sudo.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5404,
+ id: '5404',
 level: 10,
 status: 'enabled',
 details: { if_sid: '5401', match: '3 incorrect password attempts' },
@@ -1612,14 +1994,18 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['syslog', 'sudo'],
 description: 'Three failed attempts to run sudo',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5405,
+ id: '5405',
 level: 5,
 status: 'enabled',
 details: { if_sid: '5400', match: 'user NOT in sudoers' },
@@ -1629,29 +2015,40 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.6', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['syslog', 'sudo'],
 description: 'Unauthorized user attempted to use sudo.',
 },
 {
 filename: '0020-syslog_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5407,
+ id: '5407',
 level: 3,
 status: 'enabled',
- details: { if_sid: '5400', regex: ' ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND=' },
+ details: {
+ if_sid: '5400',
+ regex: ' ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND=',
+ },
 pci_dss: ['10.2.5', '10.2.2'],
 gpg13: ['7.6', '7.8', '7.13'],
 gdpr: ['IV_32.2'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ mitre: {
+ tactic: ['Privilege Escalation'],
+ id: ['T1169'],
+ technique: ['Sudo'],
+ },
 groups: ['syslog', 'sudo'],
 description: 'Successful sudo executed.',
 },
 {
 filename: '0085-pam_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5501,
+ id: '5501',
 level: 3,
 status: 'enabled',
 details: { if_sid: '5500', match: 'session opened for user ' },
@@ -1661,31 +2058,44 @@ export const arrayMitreRules = [
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7'],
 tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1078'],
+ technique: ['Valid Accounts'],
+ },
 groups: ['authentication_success', 'pam', 'syslog'],
 description: 'PAM: Login session opened.',
 },
 {
 filename: '0085-pam_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5551,
+ id: '5551',
 level: 10,
 status: 'enabled',
- details: { frequency: '8', timeframe: '180', if_matched_sid: '5503', same_source_ip: '' },
+ details: {
+ frequency: '8',
+ timeframe: '180',
+ if_matched_sid: '5503',
+ same_source_ip: '',
+ },
 pci_dss: ['10.2.4', '10.2.5', '11.4'],
 gpg13: ['7.8'],
 gdpr: ['IV_35.7.d', 'IV_32.2'],
 hipaa: ['164.312.b'],
 nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['authentication_failures', 'pam', 'syslog'],
 description: 'PAM: Multiple failed logins in a small period of time.',
 },
 {
 filename: '0090-telnetd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5601,
+ id: '5601',
 level: 5,
 status: 'enabled',
 details: { if_sid: '5600', match: 'refused connect from ' },
@@ -1701,19 +2111,29 @@ export const arrayMitreRules = [
 {
 filename: '0090-telnetd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5631,
+ id: '5631',
 level: 10,
 status: 'enabled',
- details: { frequency: '6', timeframe: '120', if_matched_sid: '5602', same_source_ip: '' },
+ details: {
+ frequency: '6',
+ timeframe: '120',
+ if_matched_sid: '5602',
+ same_source_ip: '',
+ },
 gdpr: ['IV_35.7.d', 'IV_32.2'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['syslog', 'telnetd'],
- description: 'telnetd: Multiple connection attempts from same source (possible scan).',
+ description:
+ 'telnetd: Multiple connection attempts from same source (possible scan).',
 },
 {
 filename: '0095-sshd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5701,
+ id: '5701',
 level: 8,
 status: 'enabled',
 details: { if_sid: '5700', match: 'Bad protocol version identification' },
@@ -1728,28 +2148,39 @@ export const arrayMitreRules = [
 technique: ['Exploit Public-Facing Application'],
 },
 groups: ['recon', 'syslog', 'sshd'],
- description: 'sshd: Possible attack on the ssh server (or version gathering).',
+ description:
+ 'sshd: Possible attack on the ssh server (or version gathering).',
 },
 {
 filename: '0095-sshd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5703,
+ id: '5703',
 level: 10,
 status: 'enabled',
- details: { frequency: '6', timeframe: '360', if_matched_sid: '5702', same_source_ip: '' },
+ details: {
+ frequency: '6',
+ timeframe: '360',
+ if_matched_sid: '5702',
+ same_source_ip: '',
+ },
 pci_dss: ['11.4'],
 gpg13: ['4.12'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ mitre: {
+ tactic: ['Credential Access'],
+ id: ['T1110'],
+ technique: ['Brute Force'],
+ },
 groups: ['syslog', 'sshd'],
- description: 'sshd: Possible breakin attempt (high number of reverse lookup errors).',
+ description:
+ 'sshd: Possible breakin attempt (high number of reverse lookup errors).',
 },
 {
 filename: '0095-sshd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5705,
+ id: '5705',
 level: 10,
 status: 'enabled',
 details: { frequency: '6', timeframe: '360', if_matched_sid: '5704' },
@@ -1764,24 +2195,36 @@ export const arrayMitreRules = [
 technique: ['Exploit Public-Facing Application', 'Brute Force'],
 },
 groups: ['syslog', 'sshd'],
- description: 'sshd: Possible scan or breakin attempt (high number of login timeouts).',
+ description:
+ 'sshd: Possible scan or breakin attempt (high number of login timeouts).',
 },
 {
 filename: '0095-sshd_rules.xml',
 relative_dirname: 'ruleset/rules',
- id: 5706,
+ id: '5706',
 level: 6,
 status: 'enabled',
- details: { if_sid: '5700', match: 'Did not receive identification string from' },
+ details: {
+ if_sid: '5700',
+ match: 'Did not receive identification string from',
+ },
 pci_dss: ['11.4'],
 gpg13: ['4.12'],
 gdpr: ['IV_35.7.d'],
 nist_800_53: ['SI.4'],
 tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Command and Control'], id: ['T1043'], technique: ['Commonly Used Port'] },
+ mitre: {
+ tactic: ['Command and Control'],
+ id: ['T1043'],
+ technique: ['Commonly Used Port'],
+ },
 groups: ['recon', 'syslog', 'sshd'],
 description: 'sshd: insecure connection attempt (scan).',
 },
 ];
 
-export const arrayLocation = ['EventChannel', '/var/log/auth.log', '/var/log/secure'];
+module.exports.arrayLocation = [
+ 'EventChannel',
+ '/var/log/auth.log',
+ '/var/log/secure',
+];
diff --git a/plugins/main/server/lib/generate-alerts/sample-data/office.js b/plugins/main/server/lib/generate-alerts/sample-data/office.js
index 2227338976..11648e01c3 100644
--- a/plugins/main/server/lib/generate-alerts/sample-data/office.js
+++ b/plugins/main/server/lib/generate-alerts/sample-data/office.js
@@ -10,17 +10,20 @@ * Find more information about this on the LICENSE file. */ -export const arrayOfficeGroups = ['office365', 'AzureActiveDirectoryStsLogon']; +module.exports.arrayOfficeGroups = [ + 'office365', + 'AzureActiveDirectoryStsLogon', +]; -export const arrayLocationOffice = 'office365'; +module.exports.arrayLocationOffice = 'office365'; -export const arrayDecoderOffice = [ +module.exports.arrayDecoderOffice = [ { name: 'json', }, ]; -export const arrayUuidOffice = [ +module.exports.arrayUuidOffice = [ 'a8080009-aa85-4d65-a0f0-74fe0331edce', '4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00', 'd14aa5cb-b070-42f8-8709-0f8afd942fc0', @@ -43,7 +46,7 @@ export const arrayUuidOffice = [ '29f96271-5c1b-47ec-9652-a41d5cb17cb4', ]; -export const arrayDevicePropertiesOffice = [ +module.exports.arrayDevicePropertiesOffice = [ { Name: 'BrowserType', Value: 'Chrome', @@ -58,7 +61,7 @@ export const arrayDevicePropertiesOffice = [ }, ]; -export const arrayIp = [ +module.exports.arrayIp = [ '77.231.182.17', '172.217.204.94', '108.177.13.101', @@ -68,21 +71,21 @@ export const arrayIp = [ '13.226.52.89', '140.82.113.3', ]; -export const arrayUserId = [ +module.exports.arrayUserId = [ 'smith@wazuh.com', 'williams@wazuh.com', 'frank@wazuh.com', 'jones@wazuh.com', 'brown@wazuh.com', ]; -export const arrayTargetOffice = [ +module.exports.arrayTargetOffice = [ { ID: '797f4846-ba00-4fd7-ba43-dac1f8f63013', Type: 0, }, ]; -export const arrayActorOffice = [ +module.exports.arrayActorOffice = [ { ID: 'a39dd957-d295-4548-b537-2055469bafbb', Type: 0, @@ -93,7 +96,7 @@ export const arrayActorOffice = [ }, ]; -export const arrayExtendedPropertiesOffice = [ +module.exports.arrayExtendedPropertiesOffice = [ { Name: 'ResultStatusDetail', Value: 'Success', @@ -109,7 +112,7 @@ export const arrayExtendedPropertiesOffice = [ }, ]; -export const officeRules = { +module.exports.officeRules = { 1: { data: { office365: { 
@@ -123,7 +126,13 @@ export const officeRules = {
 id: '91533',
 mail: false,
 firedtimes: 3,
- groups: ['office365', 'ExchangeAdmin', 'hipaa_164.312.b', 'pci_dss_10.2.2', 'pci_dss_10.6.1'],
+ groups: [
+ 'office365',
+ 'ExchangeAdmin',
+ 'hipaa_164.312.b',
+ 'pci_dss_10.2.2',
+ 'pci_dss_10.6.1',
+ ],
 },
 },
 2: {
@@ -140,7 +149,12 @@ export const officeRules = {
 id: '91534',
 mail: false,
 firedtimes: 3,
- groups: ['office365', 'ExchangeItem', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
+ groups: [
+ 'office365',
+ 'ExchangeItem',
+ 'hipaa_164.312.b',
+ 'pci_dss_10.6.2',
+ ],
 },
 },
 4: {
@@ -195,7 +209,12 @@ export const officeRules = {
 id: '91539',
 mail: false,
 firedtimes: 3,
- groups: ['office365', 'AzureActiveDirectory', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
+ groups: [
+ 'office365',
+ 'AzureActiveDirectory',
+ 'hipaa_164.312.b',
+ 'pci_dss_10.6.2',
+ ],
 },
 },
 14: {
@@ -223,7 +242,8 @@ export const officeRules = {
 },
 rule: {
 level: 3,
- description: 'Office 365: Secure Token Service (STS) logon events in Azure Active Directory.',
+ description:
+ 'Office 365: Secure Token Service (STS) logon events in Azure Active Directory.',
 id: '91545',
 mail: false,
 firedtimes: 3,
@@ -246,7 +266,8 @@ export const officeRules = {
 },
 rule: {
 level: 5,
- description: 'Office 365: Admin actions from the Security and Compliance Center.',
+ description:
+ 'Office 365: Admin actions from the Security and Compliance Center.',
 id: '91548',
 mail: false,
 firedtimes: 3,
@@ -272,7 +293,12 @@ export const officeRules = {
 id: '91564',
 mail: false,
 firedtimes: 3,
- groups: ['office365', 'SharePointListOperation', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
+ groups: [
+ 'office365',
+ 'SharePointListOperation',
+ 'hipaa_164.312.b',
+ 'pci_dss_10.6.2',
+ ],
 },
 },
 52: {
@@ -288,11 +314,16 @@ export const officeRules = {
 id: '91580',
 mail: false,
 firedtimes: 4,
- groups: ['office365', 'DataInsightsRestApiAudit', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
+ groups: [
+ 'office365',
+ 'DataInsightsRestApiAudit',
+ 'hipaa_164.312.b',
+ 'pci_dss_10.6.2',
+ ],
 },
 },
 };
 
-export const arrayLogs = [
+module.exports.arrayLogs = [
 {
 Id: '35ab8b89-cfea-4214-5249-08d91a06e537',
 Operation: 'SearchDataInsightsSubscription',
@@ -689,7 +720,8 @@ export const arrayLogs = [
 },
 {
 Name: 'Included Updated Properties',
- NewValue: 'AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential',
+ NewValue:
+ 'AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential',
 OldValue: '',
 },
 {
@@ -1182,7 +1214,8 @@ export const arrayLogs = [
 Version: 1,
 Workload: 'SharePoint',
 ClientIP: '190.16.9.176',
- ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx',
+ ObjectId:
+ 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx',
 UserId: 'fake@email.not',
 CorrelationId: '48d1c99f-f03c-2000-df13-38983a6608f8',
 EventSource: 'SharePoint',
@@ -1245,7 +1278,8 @@ export const arrayLogs = [
 Version: 1,
 Workload: 'SharePoint',
 ClientIP: '190.16.9.176',
- ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx',
+ ObjectId:
+ 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx',
 UserId: 'fake@email.not',
 CorrelationId: '53d1c99f-b0aa-2000-df13-3efea9e41071',
 CustomUniqueId: false,
@@ -1269,7 +1303,8 @@ export const arrayLogs = [
 Version: 1,
 Workload: 'SharePoint',
 ClientIP: '190.16.9.176',
- ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx',
+ ObjectId:
+ 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx',
 UserId: 'fake@email.not',
 CorrelationId: '62d1c99f-d09c-2000-df13-37ddf480e717',
 DoNotDistributeEvent: true,
@@ -1480,8 +1515,7 @@ export const arrayLogs = [ Item: { Attachments: 'warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)', - Id: - 'RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ', + Id: 'RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ', InternetMessageId: '', IsRecord: false, @@ -1547,7 +1581,8 @@ export const arrayLogs = [ }, { Name: 'EmailAddresses', - Value: 'smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com', + Value: + 'smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com', }, { Name: 'IncludeSoftDeletedObjects', @@ -1578,7 +1613,8 @@ export const arrayLogs = [ Parameters: [ { Name: 'Identity', - Value: '0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c', + Value: + '0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c', }, { Name: 'SyncMailboxLocationGuids', diff --git a/plugins/main/server/lib/generate-alerts/sample-data/openscap.js b/plugins/main/server/lib/generate-alerts/sample-data/openscap.js index e9862bae73..e7a8e77b0e 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/openscap.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/openscap.js 
@@ -10,1500 +10,1537 @@ * Find more information about this on the LICENSE file. */ +const { DECODER } = require('./common'); + // OpenSCAP -export const scanProfileTitle = ["xccdf_org.ssgproject.content_profile_standard", "xccdf_org.ssgproject.content_profile_pci-dss", "xccdf_org.ssgproject.content_profile_common", "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal"]; -export const checkSeverity = ["low", "medium", "high"]; -export const checkResult = ["fail"]; -export const scanContent = ["ssg-centos-7-ds.xml", "ssg-centos-6-ds.xml", "ssg-rhel6-ds.xml", "ssg-ubuntu18-ds.xml", "ssg-debian-ds.xml", "ssg-fedora-ds.xml"]; -export const checkTitle = ["Record Attempts to Alter the localtime File", "Record Attempts to Alter Time Through clock_settime", "Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)", "Ensure auditd Collects System Administrator Actions", "Ensure auditd Collects File Deletion Events by User"]; +module.exports.scanProfileTitle = [ + 'xccdf_org.ssgproject.content_profile_standard', + 'xccdf_org.ssgproject.content_profile_pci-dss', + 'xccdf_org.ssgproject.content_profile_common', + 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal', +]; +module.exports.checkSeverity = ['low', 'medium', 'high']; +module.exports.checkResult = ['fail']; +module.exports.scanContent = [ + 'ssg-centos-7-ds.xml', + 'ssg-centos-6-ds.xml', + 'ssg-rhel6-ds.xml', + 'ssg-ubuntu18-ds.xml', + 'ssg-debian-ds.xml', + 'ssg-fedora-ds.xml', +]; +module.exports.checkTitle = [ + 'Record Attempts to Alter the localtime File', + 'Record Attempts to Alter Time Through clock_settime', + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)', + 'Ensure auditd Collects System Administrator Actions', + 'Ensure auditd Collects File Deletion Events by User', +]; -export const decoder = { - parent: "oscap", - name: "oscap" -}; +module.exports.decoder = DECODER.OSCAP; -export const location = 'wodle_open-scap'; +module.exports.location 
= 'wodle_open-scap'; -export const data = [ +module.exports.data = [ { // "input": { // "type": "log" // }, - "data": { - "oscap": { - "scan": { - "score": "99.814812", - "profile": { - "id": "No profile", - "title": "No profile" - }, - "id": "0001587604016", - "content": "cve-redhat-7-ds.xml", - "benchmark": { - "id": "xccdf_com.redhat.rhsa_benchmark_generated-xccdf" - } - } - } - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 3, - "pci_dss": ["2.2"], - "description": "OpenSCAP Report overview.", - "groups": ["oscap","oscap-report"], - "id": "81540", - "nist_800_53": ["CM.1"] - }, - "full_log": "oscap: msg: \"xccdf-overview\", scan-id: \"{data.oscap.scan.id}\", content: \"{data.oscap.scan.content}\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"{data.oscap.scan.profile.id}\", profile-title: \"{data.oscap.scan.profile.title}\", score: \"{data.oscap.scan.score}\".", + data: { + oscap: { + scan: { + score: '99.814812', + profile: { + id: 'No profile', + title: 'No profile', + }, + id: '0001587604016', + content: 'cve-redhat-7-ds.xml', + benchmark: { + id: 'xccdf_com.redhat.rhsa_benchmark_generated-xccdf', + }, + }, + }, + }, + rule: { + firedtimes: 1, + mail: false, + level: 3, + pci_dss: ['2.2'], + description: 'OpenSCAP Report overview.', + groups: ['oscap', 'oscap-report'], + id: '81540', + nist_800_53: ['CM.1'], + }, + full_log: + 'oscap: msg: "xccdf-overview", scan-id: "{data.oscap.scan.id}", content: "{data.oscap.scan.content}", benchmark-id: "{data.oscap.scan.benhmark.id}", profile-id: "{data.oscap.scan.profile.id}", profile-title: "{data.oscap.scan.profile.title}", score: "{data.oscap.scan.score}".', }, { - "data": { - "oscap": { - "scan": { - "score": "75.000000", - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } 
- } - } - }, - "rule": { - "firedtimes": 2, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP Report overview: Score less than 80", - "groups": ["oscap","oscap-report"], - "id": "81542", - "nist_800_53": ["CM.1"] - }, - "full_log": "oscap: msg: \"xccdf-overview\", scan-id: \"{data.oscap.scan.id}\", content: \"{data.oscap.scan.content}\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"{data.oscap.scan.profile.id}\", profile-title: \"{data.oscap.scan.profile.title}\", score: \"{data.oscap.scan.score}\".", - "timestamp": "2020-04-23T01:06:56.060+0000" + data: { + oscap: { + scan: { + score: '75.000000', + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + }, + }, + rule: { + firedtimes: 2, + mail: false, + level: 5, + pci_dss: ['2.2'], + description: 'OpenSCAP Report overview: Score less than 80', + groups: ['oscap', 'oscap-report'], + id: '81542', + nist_800_53: ['CM.1'], + }, + full_log: + 'oscap: msg: "xccdf-overview", scan-id: "{data.oscap.scan.id}", content: "{data.oscap.scan.content}", benchmark-id: "{data.oscap.scan.benhmark.id}", profile-id: "{data.oscap.scan.profile.id}", profile-title: "{data.oscap.scan.profile.title}", score: "{data.oscap.scan.score}".', + timestamp: '2020-04-23T01:06:56.060+0000', }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "No profile", - "title": "No profile" - }, - "id": "0001587604016", - "content": "cve-redhat-7-ds.xml", - "benchmark": { - "id": "xccdf_com.redhat.rhsa_benchmark_generated-xccdf" - } - }, - "check": { - "result": "fail", - "severity": "high", - "identifiers": "CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)", - "oval": { - "id": "oval:com.redhat.rhsa:def:20170372" - }, - "id": 
"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372", - "title": "RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)" - } - } - }, - "rule": { - "firedtimes": 3, - "mail": false, - "level": 9, - "pci_dss": ["2.2"], - "description": "OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81531", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'No profile', + title: 'No profile', + }, + id: '0001587604016', + content: 'cve-redhat-7-ds.xml', + benchmark: { + id: 'xccdf_com.redhat.rhsa_benchmark_generated-xccdf', + }, + }, + check: { + result: 'fail', + severity: 'high', + identifiers: + 'CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)', + oval: { + id: 'oval:com.redhat.rhsa:def:20170372', + }, + id: 'xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372', + title: + 'RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)', + }, + }, + }, + rule: { + firedtimes: 3, + mail: false, + level: 9, + pci_dss: ['2.2'], + description: + 'OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81531', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_sysadmin_actions:def:1" - }, - "description": "At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions", - "title": "Ensure auditd Collects System Administrator Actions", - "rationale": "The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes." - } - } - }, - "rule": { - "firedtimes": 41, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_sysadmin_actions:def:1', + }, + description: + 'At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions', + title: 'Ensure auditd Collects System Administrator Actions', + rationale: + 'The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.', + }, + }, + }, + rule: { + firedtimes: 41, + mail: false, + level: 5, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81529', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_kernel_module_loading:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading", - "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading", - "rationale": "The addition/removal of kernel modules can be used to alter the behavior of the kernel and 
potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel." - } - } - }, - "rule": { - "firedtimes": 34, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)', + 
oval: { + id: 'oval:ssg-audit_rules_kernel_module_loading:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading', + title: + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading', + rationale: + 'The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel.', + }, + }, + }, + rule: { + firedtimes: 34, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": 
"oval:ssg-audit_rules_kernel_module_loading:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading", - "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading", - "rationale": "The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel." 
- } - } - }, - "rule": { - "firedtimes": 34, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_kernel_module_loading:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules program to read 
audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading', + title: + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading', + rationale: + 'The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel.', + }, + }, + }, + rule: { + firedtimes: 34, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": 
"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_file_deletion_events:def:1" - }, - "description": "At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events", - "title": "Ensure auditd Collects File Deletion Events by User", - "rationale": "Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence." 
- } - } - }, - "rule": { - "firedtimes": 33, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_file_deletion_events:def:1', + }, + description: + 
'At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events', + title: 'Ensure auditd Collects File Deletion Events by User', + rationale: + 'Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.', + }, + }, + }, + rule: { + firedtimes: 33, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_media_export:def:1" - }, - "description": "At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_media_export", - "title": "Ensure auditd Collects Information on Exporting to Media (successful)", - "rationale": "The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss." 
- } - } - }, - "rule": { - "firedtimes": 32, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_media_export:def:1', + }, + description: + 'At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_media_export', + title: + 'Ensure auditd Collects Information on Exporting to Media (successful)', + rationale: + 'The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.', + }, + }, + }, + rule: { + firedtimes: 32, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_privileged_commands:def:1" - }, - "description": "At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands", - "title": "Ensure auditd Collects Information on the Use of Privileged Commands", - "rationale": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can 
have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity." - } - } - }, - "rule": { - "firedtimes": 31, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_privileged_commands:def:1', + }, + description: + 'At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands', + title: + 'Ensure 
auditd Collects Information on the Use of Privileged Commands', + rationale: + 'Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.', + }, + }, + }, + rule: { + firedtimes: 31, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_unsuccessful_file_modification:def:1" - }, - "description": "At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S 
creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification", - "title": "Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)", - "rationale": "Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise." - } - } - }, - "rule": { - "firedtimes": 30, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_unsuccessful_file_modification:def:1', + }, + description: + 'At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification', + title: + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)', + rationale: + 'Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 30,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description:
+ 'OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_common",
- "title": "Common Profile for General-Purpose Systems"
- },
- "id": "0001587603934",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "low",
- "references": "RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_dac_modification_chown:def:1" - }, - "description": "At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown", - "title": "Record Events that Modify the System's Discretionary Access Controls - chown", - "rationale": "The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." 
- } - } - }, - "rule": { - "firedtimes": 32, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_dac_modification_chown:def:1', + }, + description: + 'At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown', + title: + "Record Events that Modify the System's Discretionary Access Controls - chown", + rationale: + 'The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 32,
+ mail: false,
+ level: 5,
+ pci_dss: ['2.2'],
+ description:
+ "OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)",
+ groups: ['oscap', 'oscap-result'],
+ id: '81529',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_common",
- "title": "Common Profile for General-Purpose Systems"
- },
- "id": "0001587603934",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "medium",
- "references": "RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_dac_modification_removexattr:def:1" - }, - "description": "At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr", - "title": "Record Events that Modify the System's Discretionary Access Controls - removexattr", - "rationale": "The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." 
- } - } - }, - "rule": { - "firedtimes": 29, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_dac_modification_removexattr:def:1', + }, + description: + 'At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr', + title: + "Record Events that Modify the System's Discretionary Access Controls - removexattr", + rationale: + 'The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.', + }, + }, + }, + rule: { + firedtimes: 29, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + "OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)", + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_networkconfig_modification:def:1" - 
}, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification", - "title": "Record Events that Modify the System's Network Environment", - "rationale": "The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited." 
- } - } - }, - "rule": { - "firedtimes": 29, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify the System's Network Environment (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_networkconfig_modification:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file 
with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification', + title: "Record Events that Modify the System's Network Environment", + rationale: + 'The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 29,
+ mail: false,
+ level: 5,
+ pci_dss: ['2.2'],
+ description:
+ "OpenSCAP: Record Events that Modify the System's Network Environment (not passed)",
+ groups: ['oscap', 'oscap-result'],
+ id: '81529',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_common",
- "title": "Common Profile for General-Purpose Systems"
- },
- "id": "0001587603934",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "low",
- "references": "RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_usergroup_modification:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification", - "title": "Record Events that Modify 
User/Group Information", - "rationale": "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." - } - } - }, - "rule": { - "firedtimes": 28, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify User/Group Information (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_usergroup_modification:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w 
/etc/security/opasswd -p wa -k audit_rules_usergroup_modification', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification', + title: 'Record Events that Modify User/Group Information', + rationale: + 'In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.', + }, + }, + }, + rule: { + firedtimes: 28, + mail: false, + level: 5, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Record Events that Modify User/Group Information (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81529', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_time_watch_localtime:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime", - "title": "Record Attempts to Alter the localtime File", - "rationale": "Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." 
- } - } - }, - "rule": { - "firedtimes": 27, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Attempts to Alter the localtime File (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_time_watch_localtime:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules 
program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime', + title: 'Record Attempts to Alter the localtime File', + rationale: + 'Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.', + }, + }, + }, + rule: { + firedtimes: 27, + mail: false, + level: 5, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Record Attempts to Alter the localtime File (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81529', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_time_clock_settime:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime", - "title": "Record Attempts to Alter Time Through clock_settime", - "rationale": "Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." - } - } - }, - "rule": { - "firedtimes": 26, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_time_clock_settime:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime', + title: 'Record Attempts to Alter Time Through clock_settime', + rationale: + 'Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.', + }, + }, + }, + rule: { + firedtimes: 26, + mail: false, + level: 5, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81529', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_time_settimeofday:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday", - "title": "Record attempts to alter time through settimeofday", - "rationale": "Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." - } - } - }, - "rule": { - "firedtimes": 25, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record attempts to alter time through settimeofday (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_common', + title: 'Common Profile for General-Purpose Systems', + }, + id: '0001587603934', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_time_settimeofday:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday', + title: 'Record attempts to alter time through settimeofday', + rationale: + 'Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited.', + }, + }, + }, + rule: { + firedtimes: 25, + mail: false, + level: 5, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Record attempts to alter time through settimeofday (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81529', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)", - 
"oval": { - "id": "oval:ssg-audit_rules_file_deletion_events:def:1" - }, - "description": "At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events", - "title": "Ensure auditd Collects File Deletion Events by User", - "rationale": "Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence." 
- } - } - }, - "rule": { - "firedtimes": 24, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_file_deletion_events:def:1', + }, 
+ description: + 'At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events', + title: 'Ensure auditd Collects File Deletion Events by User', + rationale: + 'Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.', + }, + }, + }, + rule: { + firedtimes: 24, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_login_events:def:1" - }, - "description": "The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_login_events", - "title": "Record Attempts to Alter Logon and Logout Events", - "rationale": "Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion." 
- } - } - }, - "rule": { - "firedtimes": 20, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_login_events:def:1', + }, + description: + 'The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_login_events', + title: 'Record Attempts to Alter Logon and Logout Events', + rationale: + 'Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.', + }, + }, + }, + rule: { + firedtimes: 20, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_usergroup_modification:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory 
/etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification", - "title": "Record Events that Modify User/Group Information", - "rationale": "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." 
- } - } - }, - "rule": { - "firedtimes": 6, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify User/Group Information (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81529", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'low', + references: + 'RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-audit_rules_usergroup_modification:def:1', + }, + description: + 'If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification', + id: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification', + title: 'Record Events that Modify User/Group Information', + rationale: + 'In addition to auditing new 
user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.', + }, + }, + }, + rule: { + firedtimes: 6, + mail: false, + level: 5, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Record Events that Modify User/Group Information (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81529', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-auditd_audispd_syslog_plugin_activated:def:1" - }, - "description": "To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart", - "id": "xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated", - "title": "Configure auditd to use audispd's syslog plugin", - "rationale": "The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server" - } - } - }, - "rule": { - "firedtimes": 16, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-auditd_audispd_syslog_plugin_activated:def:1', + }, + description: + 'To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart', + id: 'xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated', + title: "Configure auditd to use audispd's syslog plugin", + rationale: + 'The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server', + }, + }, + }, + rule: { + firedtimes: 16, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + "OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)", + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)", - "identifiers": "CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-smartcard_auth:def:1" - }, - "description": "To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273", - "id": "xccdf_org.ssgproject.content_rule_smartcard_auth", - "title": "Enable Smart Card Login", - "rationale": "Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials." 
- } - } - }, - "rule": { - "firedtimes": 11, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Enable Smart Card Login (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)', + identifiers: 'CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-smartcard_auth:def:1', + }, + description: + 'To enable smart card authentication, consult the 
documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273', + id: 'xccdf_org.ssgproject.content_rule_smartcard_auth', + title: 'Enable Smart Card Login', + rationale: + 'Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.', + }, + }, + }, + rule: { + firedtimes: 11, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: 'OpenSCAP: Enable Smart Card Login (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_password_pam_unix_remember:def:1" - }, - "description": "Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.", - "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember", - "title": "Limit Password Reuse", - "rationale": "Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user." 
- } - } - }, - "rule": { - "firedtimes": 10, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Limit Password Reuse (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-accounts_password_pam_unix_remember:def:1', + }, + description: + 'Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... 
remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.', + id: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember', + title: 'Limit Password Reuse', + rationale: + 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.', + }, + }, + }, + rule: { + firedtimes: 10, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: 'OpenSCAP: Limit Password Reuse (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1" - }, - "description": "To configure the system to lock out accounts after a number of 
incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so", - "id": "xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time", - "title": "Set Lockout Time For Failed Password Attempts", - "rationale": "Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations." 
- } - } - }, - "rule": { - "firedtimes": 9, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1', + }, + description: + 'To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the 
following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so',
+ id: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time',
+ title: 'Set Lockout Time For Failed Password Attempts',
+ rationale:
+ 'Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 9,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description:
+ 'OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_pci-dss",
- "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
- },
- "id": "0001587603717",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "medium",
- "references": "RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)",
- "identifiers": "CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)",
- "oval": {
- "id": "oval:ssg-accounts_passwords_pam_faillock_deny:def:1"
- },
- "description": "To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so",
- "id": "xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny",
- "title": "Set Deny For Failed Password Attempts",
- "rationale": "Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."
- }
- }
- },
- "rule": {
- "firedtimes": 8,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "2.2"
- ],
- "description": "OpenSCAP: Set Deny For Failed Password Attempts (not passed)",
- "groups": [
- "oscap",
- "oscap-result"
- ],
- "id": "81530",
- "nist_800_53": [
- "CM.1"
- ]
- }
+ data: {
+ oscap: {
+ scan: {
+ profile: {
+ id: 'xccdf_org.ssgproject.content_profile_pci-dss',
+ title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7',
+ },
+ id: '0001587603717',
+ content: 'ssg-rhel-7-ds.xml',
+ benchmark: {
+ id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7',
+ },
+ },
+ check: {
+ result: 'fail',
+ severity: 'medium',
+ references:
+ 'RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)',
+ identifiers: 'CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)',
+ oval: {
+ id: 'oval:ssg-accounts_passwords_pam_faillock_deny:def:1',
+ },
+ description:
+ 'To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH
section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so',
+ id: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny',
+ title: 'Set Deny For Failed Password Attempts',
+ rationale:
+ 'Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 8,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description:
+ 'OpenSCAP: Set Deny For Failed Password Attempts (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_pci-dss",
- "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
- },
- "id": "0001587603717",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "medium",
- "references": "RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)",
- "identifiers": "CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)",
- "oval": {
- "id": "oval:ssg-accounts_password_pam_lcredit:def:1"
- },
- "description": "The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters.
When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.",
- "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit",
- "title": "Set Password Strength Minimum Lowercase Characters",
- "rationale": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."
- }
- }
- },
- "rule": {
- "firedtimes": 7,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "2.2"
- ],
- "description": "OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)",
- "groups": [
- "oscap",
- "oscap-result"
- ],
- "id": "81530",
- "nist_800_53": [
- "CM.1"
- ]
- }
+ data: {
+ oscap: {
+ scan: {
+ profile: {
+ id: 'xccdf_org.ssgproject.content_profile_pci-dss',
+ title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7',
+ },
+ id: '0001587603717',
+ content: 'ssg-rhel-7-ds.xml',
+ benchmark: {
+ id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7',
+ },
+ },
+ check: {
+ result: 'fail',
+ severity: 'medium',
+ references:
+ 'RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)',
+ identifiers: 'CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)',
+ oval: {
+ id: 'oval:ssg-accounts_password_pam_lcredit:def:1',
+ },
+ description:
+ "The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character.
Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.",
+ id: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit',
+ title: 'Set Password Strength Minimum Lowercase Characters',
+ rationale:
+ 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 7,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description:
+ 'OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_pci-dss",
- "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
- },
- "id": "0001587603717",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "medium",
- "references": "RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)",
- "identifiers": "CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)",
- "oval": {
- "id": "oval:ssg-accounts_password_pam_ucredit:def:1"
- },
- "description": "The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.",
- "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit",
- "title": "Set Password Strength Minimum Uppercase Characters",
- "rationale": "Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."
- }
- }
- },
- "rule": {
- "firedtimes": 6,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "2.2"
- ],
- "description": "OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)",
- "groups": [
- "oscap",
- "oscap-result"
- ],
- "id": "81530",
- "nist_800_53": [
- "CM.1"
- ]
- }
+ data: {
+ oscap: {
+ scan: {
+ profile: {
+ id: 'xccdf_org.ssgproject.content_profile_pci-dss',
+ title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7',
+ },
+ id: '0001587603717',
+ content: 'ssg-rhel-7-ds.xml',
+ benchmark: {
+ id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7',
+ },
+ },
+ check: {
+ result: 'fail',
+ severity: 'medium',
+ references:
+ 'RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)',
+ identifiers: 'CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)',
+ oval: {
+ id: 'oval:ssg-accounts_password_pam_ucredit:def:1',
+ },
+ description:
+ "The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character.
Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.",
+ id: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit',
+ title: 'Set Password Strength Minimum Uppercase Characters',
+ rationale:
+ 'Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 6,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description:
+ 'OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_pci-dss",
- "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
- },
- "id": "0001587603717",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "medium",
- "references": "RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)",
- "identifiers": "CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)",
- "oval": {
- "id": "oval:ssg-accounts_password_pam_minlen:def:1"
-
},
- "description": "The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.",
- "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen",
- "title": "Set Password Minimum Length",
- "rationale": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."
- }
- }
- },
- "rule": {
- "firedtimes": 5,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "2.2"
- ],
- "description": "OpenSCAP: Set Password Minimum Length (not passed)",
- "groups": [
- "oscap",
- "oscap-result"
- ],
- "id": "81530",
- "nist_800_53": [
- "CM.1"
- ]
- }
+ data: {
+ oscap: {
+ scan: {
+ profile: {
+ id: 'xccdf_org.ssgproject.content_profile_pci-dss',
+ title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7',
+ },
+ id: '0001587603717',
+ content: 'ssg-rhel-7-ds.xml',
+ benchmark: {
+ id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7',
+ },
+ },
+ check: {
+ result: 'fail',
+ severity: 'medium',
+ references:
+ 'RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)',
+ identifiers: 'CCE-27293-0
(https://nvd.nist.gov/cce/index.cfm)',
+ oval: {
+ id: 'oval:ssg-accounts_password_pam_minlen:def:1',
+ },
+ description:
+ "The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.",
+ id: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen',
+ title: 'Set Password Minimum Length',
+ rationale:
+ 'The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 5,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description: 'OpenSCAP: Set Password Minimum Length (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_pci-dss",
- "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
- },
- "id": "0001587603717",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "medium",
- "references": "RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)",
- "identifiers": "CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)",
- "oval": {
- "id": "oval:ssg-accounts_password_pam_dcredit:def:1"
- },
- "description": "The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.",
- "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit",
- "title": "Set Password Strength Minimum Digit Characters",
- "rationale": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."
- }
- }
- },
- "rule": {
- "firedtimes": 4,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "2.2"
- ],
- "description": "OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)",
- "groups": [
- "oscap",
- "oscap-result"
- ],
- "id": "81530",
- "nist_800_53": [
- "CM.1"
- ]
- }
+ data: {
+ oscap: {
+ scan: {
+ profile: {
+ id: 'xccdf_org.ssgproject.content_profile_pci-dss',
+ title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7',
+ },
+ id: '0001587603717',
+ content: 'ssg-rhel-7-ds.xml',
+ benchmark: {
+ id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7',
+ },
+ },
+ check: {
+ result: 'fail',
+ severity: 'medium',
+ references:
+ 'RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)',
+ identifiers: 'CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)',
+ oval: {
+ id: 'oval:ssg-accounts_password_pam_dcredit:def:1',
+ },
+ description:
+ "The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit.
Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.",
+ id: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit',
+ title: 'Set Password Strength Minimum Digit Characters',
+ rationale:
+ 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 4,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description:
+ 'OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_pci-dss",
- "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
- },
- "id": "0001587603717",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "medium",
- "references": "RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf),
5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)",
- "identifiers": "CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)",
- "oval": {
- "id": "oval:ssg-accounts_maximum_age_login_defs:def:1"
- },
- "description": "To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .",
- "id": "xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs",
- "title": "Set Password Maximum Age",
- "rationale": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."
- }
- }
- },
- "rule": {
- "firedtimes": 3,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "2.2"
- ],
- "description": "OpenSCAP: Set Password Maximum Age (not passed)",
- "groups": [
- "oscap",
- "oscap-result"
- ],
- "id": "81530",
- "nist_800_53": [
- "CM.1"
- ]
- }
+ data: {
+ oscap: {
+ scan: {
+ profile: {
+ id: 'xccdf_org.ssgproject.content_profile_pci-dss',
+ title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7',
+ },
+ id: '0001587603717',
+ content: 'ssg-rhel-7-ds.xml',
+ benchmark: {
+ id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7',
+ },
+ },
+ check: {
+ result: 'fail',
+ severity: 'medium',
+ references:
+ 'RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)',
+ identifiers: 'CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)',
+ oval: {
+ id: 'oval:ssg-accounts_maximum_age_login_defs:def:1',
+ },
+ description:
+ 'To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60.
The profile requirement is .',
+ id: 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs',
+ title: 'Set Password Maximum Age',
+ rationale:
+ 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.',
+ },
+ },
+ },
+ rule: {
+ firedtimes: 3,
+ mail: false,
+ level: 7,
+ pci_dss: ['2.2'],
+ description: 'OpenSCAP: Set Password Maximum Age (not passed)',
+ groups: ['oscap', 'oscap-result'],
+ id: '81530',
+ nist_800_53: ['CM.1'],
+ },
 },
 {
- "data": {
- "oscap": {
- "scan": {
- "profile": {
- "id": "xccdf_org.ssgproject.content_profile_pci-dss",
- "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
- },
- "id": "0001587603717",
- "content": "ssg-rhel-7-ds.xml",
- "benchmark": {
- "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
- }
- },
- "check": {
- "result": "fail",
- "severity": "high",
- "references": "RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)",
- "identifiers": "CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)",
- "oval": {
- "id": "oval:ssg-no_empty_passwords:def:1"
- },
- "description": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.",
- "id": "xccdf_org.ssgproject.content_rule_no_empty_passwords",
- "title": "Prevent Log In to Accounts With Empty Password",
- "rationale": "If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."
- }
- }
- },
- "rule": {
- "firedtimes": 2,
- "mail": false,
- "level": 9,
- "pci_dss": [
- "2.2"
- ],
- "description": "OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)",
- "groups": [
- "oscap",
- "oscap-result"
- ],
- "id": "81531",
- "nist_800_53": [
- "CM.1"
- ]
- }
+ data: {
+ oscap: {
+ scan: {
+ profile: {
+ id: 'xccdf_org.ssgproject.content_profile_pci-dss',
+ title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7',
+ },
+ id: '0001587603717',
+ content: 'ssg-rhel-7-ds.xml',
+ benchmark: {
+ id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7',
+ },
+ },
+ check: {
+ result: 'fail',
+ severity: 'high',
+ references:
+ 'RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf),
IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-no_empty_passwords:def:1', + }, + description: + 'If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.', + id: 'xccdf_org.ssgproject.content_rule_no_empty_passwords', + title: 'Prevent Log In to Accounts With Empty Password', + rationale: + 'If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.', + }, + }, + }, + rule: { + firedtimes: 2, + mail: false, + level: 9, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81531', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "high", - "references": "RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-rpm_verify_permissions:def:1" - }, - "description": "Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME", - "id": "xccdf_org.ssgproject.content_rule_rpm_verify_permissions", - "title": "Verify and Correct File Permissions with RPM", - "rationale": "Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated." - } - } - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 9, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Verify and Correct File Permissions with RPM (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81531", - "nist_800_53": [ - "CM.1" - ] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'high', + references: + 'RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)', + identifiers: 'CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-rpm_verify_permissions:def:1', + }, + description: + "Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. 
Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME", + id: 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions', + title: 'Verify and Correct File Permissions with RPM', + rationale: + 'Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.', + }, + }, + }, + rule: { + firedtimes: 1, + mail: false, + level: 9, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Verify and Correct File Permissions with RPM (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81531', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)", - "identifiers": "CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-aide_periodic_cron_checking:def:1" - }, - "description": "At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.", - "id": "xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking", - "title": "Configure Periodic Execution of AIDE", - "rationale": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item." - } - } - }, - "rule": { - "firedtimes": 2, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Configure Periodic Execution of AIDE (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)', + identifiers: 'CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-aide_periodic_cron_checking:def:1', + }, + description: + 'At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.', + id: 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking', + title: 'Configure Periodic Execution of AIDE', + rationale: + "By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.", + }, + }, + }, + rule: { + firedtimes: 2, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: + 'OpenSCAP: Configure Periodic Execution of AIDE (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)", - "identifiers": "CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-package_aide_installed:def:1" - }, - "description": "Install the AIDE package with the command: $ sudo yum install aide", - "id": 
"xccdf_org.ssgproject.content_rule_package_aide_installed", - "title": "Install AIDE", - "rationale": "The AIDE package must be installed if it is to be available for integrity checking." - } - } - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Install AIDE (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } + data: { + oscap: { + scan: { + profile: { + id: 'xccdf_org.ssgproject.content_profile_pci-dss', + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7', + }, + id: '0001587603717', + content: 'ssg-rhel-7-ds.xml', + benchmark: { + id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7', + }, + }, + check: { + result: 'fail', + severity: 'medium', + references: + 'CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)', + identifiers: 'CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)', + oval: { + id: 'oval:ssg-package_aide_installed:def:1', + }, + description: + 'Install the AIDE package with the command: $ sudo yum install aide', + id: 'xccdf_org.ssgproject.content_rule_package_aide_installed', + title: 'Install AIDE', + rationale: + 'The AIDE package 
must be installed if it is to be available for integrity checking.', + }, + }, + }, + rule: { + firedtimes: 1, + mail: false, + level: 7, + pci_dss: ['2.2'], + description: 'OpenSCAP: Install AIDE (not passed)', + groups: ['oscap', 'oscap-result'], + id: '81530', + nist_800_53: ['CM.1'], + }, }, { - "data": { - "oscap": { - "scan": { - "score": "99.814812", - "profile": { - "id": "No profile", - "title": "No profile" - }, - "id": "0001587574647", - "content": "cve-redhat-7-ds.xml", - "benchmark": { - "id": "xccdf_com.redhat.rhsa_benchmark_generated-xccdf" - } - } - } - }, - "manager": { - "name": "ip-10-0-0-219.us-west-1.compute.internal" - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 3, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP Report overview.", - "groups": [ - "oscap", - "oscap-report" - ], - "id": "81540", - "nist_800_53": [ - "CM.1" - ] - } - } -] + data: { + oscap: { + scan: { + score: '99.814812', + profile: { + id: 'No profile', + title: 'No profile', + }, + id: '0001587574647', + content: 'cve-redhat-7-ds.xml', + benchmark: { + id: 'xccdf_com.redhat.rhsa_benchmark_generated-xccdf', + }, + }, + }, + }, + manager: { + name: 'ip-10-0-0-219.us-west-1.compute.internal', + }, + rule: { + firedtimes: 1, + mail: false, + level: 3, + pci_dss: ['2.2'], + description: 'OpenSCAP Report overview.', + groups: ['oscap', 'oscap-report'], + id: '81540', + nist_800_53: ['CM.1'], + }, + }, +]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/osquery.js b/plugins/main/server/lib/generate-alerts/sample-data/osquery.js index 0d3e4375a4..902594046d 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/osquery.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/osquery.js 
@@ -10,381 +10,393 @@ * Find more information about this on the LICENSE file. */ -export const dataOsquery = [{ +module.exports.dataOsquery = [ + { osquery: { calendarTime: new Date(), - subquery: "osquery_info", + subquery: 'osquery_info', columns: { - counter: "43", - uuid: "EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366", - version: "3.3.2", + counter: '43', + uuid: 'EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366', + version: '3.3.2', }, - name: "pack_osquery-monitoring_osquery_info", - action: "added", - epoch: "0", - counter: "1836", - pack: "osquery-monitoring" + name: 'pack_osquery-monitoring_osquery_info', + action: 'added', + epoch: '0', + counter: '1836', + pack: 'osquery-monitoring', }, rule: { firedtimes: 2, mail: false, level: 4, - description: 'osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial' - } + description: + 'osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial', + }, }, { osquery: { calendarTime: new Date(), - subquery: "iptables", + subquery: 'iptables', columns: { - chain: "POSTROUTING", - filter_name: "nat", - dst_mask: "0.0.0.0", - match: "yes", - src_mask: "255.255.0.0", - dst_ip: "0.0.0.0", - packets: "43092", - target: "MASQUERADE", - src_ip: "172.17.0.0", - protocol: "0", - outiface_mask: "FFFFFFFFFFFFFFFF", - bytes: "3271628", - iniface: "all", - outiface: "docker0", - policy: "ACCEPT" + chain: 'POSTROUTING', + filter_name: 'nat', + dst_mask: '0.0.0.0', + match: 'yes', + src_mask: '255.255.0.0', + dst_ip: '0.0.0.0', + packets: '43092', + target: 'MASQUERADE', + src_ip: '172.17.0.0', + protocol: '0', + outiface_mask: 'FFFFFFFFFFFFFFFF', + bytes: '3271628', + iniface: 'all', + outiface: 'docker0', + policy: 'ACCEPT', }, - name: "pack_incident-response_iptables", - action: "added", - epoch: "0", - counter: "282", - pack: "incident-response" + name: 'pack_incident-response_iptables', + action: 'added', + epoch: '0', + counter: '282', + pack: 'incident-response', }, rule: { 
firedtimes: 17, mail: false, level: 4, - description: "osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092", - } + description: + 'osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092', + }, }, { osquery: { calendarTime: new Date(), - subquery: "iptables", + subquery: 'iptables', columns: { - chain: "PREROUTING", - filter_name: "nat", - dst_mask: "0.0.0.0", - match: "yes", - src_mask: "0.0.0.0", - dst_ip: "0.0.0.0", - packets: "34553", - target: "DOCKER", - src_ip: "0.0.0.0", - protocol: "0", - bytes: "2065050", - iniface: "all", - outiface: "all", - policy: "ACCEPT" + chain: 'PREROUTING', + filter_name: 'nat', + dst_mask: '0.0.0.0', + match: 'yes', + src_mask: '0.0.0.0', + dst_ip: '0.0.0.0', + packets: '34553', + target: 'DOCKER', + src_ip: '0.0.0.0', + protocol: '0', + bytes: '2065050', + iniface: 'all', + outiface: 'all', + policy: 'ACCEPT', }, - name: "pack_incident-response_iptables", - action: "added", - epoch: "0", - counter: "282", - pack: "incident-response" + name: 'pack_incident-response_iptables', + action: 'added', + epoch: '0', + counter: '282', + pack: 'incident-response', }, rule: { firedtimes: 17, mail: false, level: 4, - description: "osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553", - } + description: + 'osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553', + }, }, { osquery: { calendarTime: new Date(), - subquery: "schedule", + subquery: 'schedule', columns: { - average_memory: "0", - avg_system_time: "0", - executions: "177", - output_size: "0", - name: "pack_ossec-rootkit_zk_rootkit", - interval: "3600", - avg_user_time: "0", - last_executed: "1587482079", - wall_time: "0" + average_memory: '0', + avg_system_time: '0', + 
executions: '177', + output_size: '0', + name: 'pack_ossec-rootkit_zk_rootkit', + interval: '3600', + avg_user_time: '0', + last_executed: '1587482079', + wall_time: '0', }, - name: "pack_osquery-monitoring_schedule", - action: "added", - epoch: "0", - counter: "282", - pack: "osquery-monitoring" + name: 'pack_osquery-monitoring_schedule', + action: 'added', + epoch: '0', + counter: '282', + pack: 'osquery-monitoring', }, rule: { firedtimes: 82, mail: false, level: 4, - description: "osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ", - } + description: + 'osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ', + }, }, { osquery: { calendarTime: new Date(), - subquery: "osquery_info", + subquery: 'osquery_info', columns: { - watcher: "18596", - system_time: "86740", - config_valid: "1", - pid: "18631", - counter: "33", - uuid: "EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366", - version: "3.3.2", - config_hash: "8423af1820e09cef21c8ed5594827b13ea8af90d", - build_platform: "ubuntu", - start_time: "1586893611", - extensions: "active", - instance_id: "29ebc250-4d9d-4420-b46f-127ff9e2437d", - build_distro: "xenial", - resident_size: "66664000", - user_time: "124490" + watcher: '18596', + system_time: '86740', + config_valid: '1', + pid: '18631', + counter: '33', + uuid: 'EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366', + version: '3.3.2', + config_hash: '8423af1820e09cef21c8ed5594827b13ea8af90d', + build_platform: 'ubuntu', + start_time: '1586893611', + extensions: 'active', + instance_id: '29ebc250-4d9d-4420-b46f-127ff9e2437d', + build_distro: 'xenial', + resident_size: '66664000', + user_time: '124490', }, - name: "pack_osquery-monitoring_osquery_info", - action: "added", - epoch: "0", - counter: "1789", - pack: "osquery-monitoring" + name: 'pack_osquery-monitoring_osquery_info', + action: 'added', + epoch: '0', + counter: '1789', + pack: 'osquery-monitoring', }, 
rule: { firedtimes: 82, mail: false, level: 4, - description: "osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ", - } + description: + 'osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ', + }, }, { osquery: { calendarTime: new Date(), - subquery: "mounts", + subquery: 'mounts', columns: { - path: "/", - blocks: "5239803", - inodes: "10484720", - flags: "rw,seclabel,relatime,attr2,inode64,noquota", - inodes_free: "10436261", - blocks_size: "4096", - blocks_available: "3940776", - type: "xfs", - device: "/dev/xvda2", - device_alias: "/dev/xvda2", - blocks_free: "3940776" + path: '/', + blocks: '5239803', + inodes: '10484720', + flags: 'rw,seclabel,relatime,attr2,inode64,noquota', + inodes_free: '10436261', + blocks_size: '4096', + blocks_available: '3940776', + type: 'xfs', + device: '/dev/xvda2', + device_alias: '/dev/xvda2', + blocks_free: '3940776', }, - name: "pack_incident-response_mounts", - action: "added", - epoch: "0", - counter: "278", - pack: "incident-response" + name: 'pack_incident-response_mounts', + action: 'added', + epoch: '0', + counter: '278', + pack: 'incident-response', }, rule: { firedtimes: 82, mail: false, level: 4, - description: "osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ", - } + description: + 'osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ', + }, }, { osquery: { calendarTime: new Date(), - subquery: "iptables", + subquery: 'iptables', columns: { - memory_free: "156012544", - memory_free_perc: "0.039271301812363", - threshold: "10%", - memory_total: "3972685824" + memory_free: '156012544', + memory_free_perc: '0.039271301812363', + threshold: '10%', + memory_total: '3972685824', }, - name: "low_free_memory", - action: "added", - epoch: "0", - counter: "548", + name: 
'low_free_memory', + action: 'added', + epoch: '0', + counter: '548', }, rule: { firedtimes: 82, mail: false, level: 4, - description: "osquery: System memory is under 10%", - } + description: 'osquery: System memory is under 10%', + }, }, { osquery: { calendarTime: new Date(), - subquery: "iptables", + subquery: 'iptables', columns: { - memory_free: "156012544", - memory_free_perc: "0.039271301812363", - threshold: "15%", - memory_total: "3972685824" + memory_free: '156012544', + memory_free_perc: '0.039271301812363', + threshold: '15%', + memory_total: '3972685824', }, - name: "low_free_memory", - action: "added", - epoch: "0", - counter: "548", + name: 'low_free_memory', + action: 'added', + epoch: '0', + counter: '548', }, rule: { firedtimes: 82, mail: false, level: 4, - description: "osquery: System memory is under 15%", - } + description: 'osquery: System memory is under 15%', + }, }, { osquery: { calendarTime: new Date(), - subquery: "process_memory", + subquery: 'process_memory', columns: { - inode: "0", - offset: "0", - permissions: "r-xp", - start: "0xffffffffff600000", - end: "0xffffffffff601000", - pid: "644", - device: "00:00", - pseudo: "1" + inode: '0', + offset: '0', + permissions: 'r-xp', + start: '0xffffffffff600000', + end: '0xffffffffff601000', + pid: '644', + device: '00:00', + pseudo: '1', }, - name: "pack_incident-response_process_memory", - action: "added", - epoch: "0", - counter: "12", + name: 'pack_incident-response_process_memory', + action: 'added', + epoch: '0', + counter: '12', }, rule: { firedtimes: 7621, mail: false, level: 4, - description: "osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000", - } + description: + 'osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000', + }, }, { osquery: { calendarTime: new Date(), - subquery: "iptables", + subquery: 'iptables', columns: { - 
chain: "POSTROUTING", - filter_name: "nat", - dst_mask: "0.0.0.0", - match: "yes", - src_mask: "255.255.0.0", - dst_ip: "0.0.0.0", - packets: "43294", - target: "MASQUERADE", - src_ip: "172.17.0.0", - protocol: "0", - outiface_mask: "FFFFFFFFFFFFFFFF", - bytes: "3287370", - iniface: "all", - outiface: "docker0", - policy: "ACCEPT" + chain: 'POSTROUTING', + filter_name: 'nat', + dst_mask: '0.0.0.0', + match: 'yes', + src_mask: '255.255.0.0', + dst_ip: '0.0.0.0', + packets: '43294', + target: 'MASQUERADE', + src_ip: '172.17.0.0', + protocol: '0', + outiface_mask: 'FFFFFFFFFFFFFFFF', + bytes: '3287370', + iniface: 'all', + outiface: 'docker0', + policy: 'ACCEPT', }, - name: "pack_incident-response_iptables", - action: "added", - epoch: "0", - counter: "283", + name: 'pack_incident-response_iptables', + action: 'added', + epoch: '0', + counter: '283', }, rule: { firedtimes: 18, mail: false, level: 4, - description: "osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294", - } + description: + 'osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294', + }, }, { osquery: { calendarTime: new Date(), - subquery: "process_env", + subquery: 'process_env', columns: { - pid: "26151", - value: "244", - key: "GENERATION" + pid: '26151', + value: '244', + key: 'GENERATION', }, - name: "pack_incident-response_process_env", - action: "added", - epoch: "0", - counter: "11", + name: 'pack_incident-response_process_env', + action: 'added', + epoch: '0', + counter: '11', }, rule: { firedtimes: 18, mail: false, level: 4, - description: "osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244", - } + description: + 'osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244', + }, }, { osquery: { calendarTime: new Date(), - subquery: "device_nodes", + 
subquery: 'device_nodes', columns: { - mode: "0666", - path: "/dev/ptmx", - uid: "0", - atime: "0", - gid: "5", - ctime: "1586444340", - mtime: "1587489592", - type: "character", - block_size: "4096" + mode: '0666', + path: '/dev/ptmx', + uid: '0', + atime: '0', + gid: '5', + ctime: '1586444340', + mtime: '1587489592', + type: 'character', + block_size: '4096', }, - name: "pack_hardware-monitoring_device_nodes", - action: "added", - epoch: "0", - counter: "138", - pack: "hardware-monitoring" + name: 'pack_hardware-monitoring_device_nodes', + action: 'added', + epoch: '0', + counter: '138', + pack: 'hardware-monitoring', }, rule: { firedtimes: 6, mail: false, level: 4, - description: "osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character", - } + description: + 'osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character', + }, }, { osquery: { calendarTime: new Date(), - subquery: "last", + subquery: 'last', columns: { - tty: "pts/0", - pid: "25728", - time: "1587494777", - type: "8" + tty: 'pts/0', + pid: '25728', + time: '1587494777', + type: '8', }, - name: "pack_incident-response_last", - action: "added", - epoch: "0", - counter: "1", - pack: "incident-response" + name: 'pack_incident-response_last', + action: 'added', + epoch: '0', + counter: '1', + pack: 'incident-response', }, rule: { firedtimes: 2, mail: false, level: 4, - description: "osquery: incident-response last: User host", - } + description: 'osquery: incident-response last: User host', + }, }, { osquery: { calendarTime: new Date(), - subquery: "open_files", + subquery: 'open_files', columns: { - path: "/var/osquery/osquery.db/MANIFEST-016679", - pid: "18631" + path: '/var/osquery/osquery.db/MANIFEST-016679', + pid: '18631', }, - name: "pack_incident-response_open_files", - action: "added", - epoch: "0", - counter: "11", - pack: "incident-response" + name: 'pack_incident-response_open_files', + action: 'added', + epoch: '0', + counter: 
'11', + pack: 'incident-response', }, rule: { firedtimes: 2, mail: false, level: 4, - description: "osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened", - } + description: + 'osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened', + }, }, -] +]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/policy-monitoring.js b/plugins/main/server/lib/generate-alerts/sample-data/policy-monitoring.js index f1a3bcf11e..9a0a211382 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/policy-monitoring.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/policy-monitoring.js 
@@ -10,73 +10,121 @@ * Find more information about this on the LICENSE file. */ +const { DECODER } = require('./common'); + // Policy monitoring -export const title = ["Trojaned version of file detected."]; -export const ruleDescription = ["Host-based anomaly detection event (rootcheck).", "System Audit event."]; +module.exports.title = ['Trojaned version of file detected.']; +module.exports.ruleDescription = [ + 'Host-based anomaly detection event (rootcheck).', + 'System Audit event.', +]; -export const location = 'rootcheck'; +module.exports.location = 'rootcheck'; -export const decoder = { - name: "rootcheck" -}; +module.exports.decoder = DECODER.ROOTCHECK; -export const rootkits = { +module.exports.rootkits = { Bash: ['/tmp/mcliZokhb', '/tmp/mclzaKmfa'], Adore: ['/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore'], - TRK: ['usr/bin/soucemask','/usr/bin/sourcemask'], + TRK: ['usr/bin/soucemask', '/usr/bin/sourcemask'], Volc: ['/usr/lib/volc', '/usr/bin/volc'], - Ramen: ['/usr/lib/ldlibps.so','/usr/lib/ldliblogin.so', '/tmp/ramen.tgz'], + Ramen: ['/usr/lib/ldlibps.so', '/usr/lib/ldliblogin.so', '/tmp/ramen.tgz'], Monkit: ['/lib/defs', '/usr/lib/libpikapp.a'], RSHA: ['usr/bin/kr4p', 'usr/bin/n3tstat', 'usr/bin/chsh2'], Omega: ['/dev/chr'], - "Rh-Sharpe": ['/usr/bin/.ps', '/bin/.lpstree', '/bin/ldu', '/bin/lkillall'], - Showtee: ['/usr/lib/.wormie','/usr/lib/.kinetic','/usr/include/addr.h'], + 'Rh-Sharpe': ['/usr/bin/.ps', '/bin/.lpstree', '/bin/ldu', '/bin/lkillall'], + Showtee: ['/usr/lib/.wormie', '/usr/lib/.kinetic', '/usr/include/addr.h'], LDP: ['/dev/.kork', '/bin/.login', '/bin/.ps'], - Slapper: ['/tmp/.bugtraq','/tmp/.bugtraq.c', '/tmp/.b', '/tmp/httpd', '/tmp/.font-unix/.cinik'], + Slapper: [ + '/tmp/.bugtraq', + '/tmp/.bugtraq.c', + '/tmp/.b', + '/tmp/httpd', + '/tmp/.font-unix/.cinik', + ], Knark: ['/dev/.pizda', '/proc/knark'], ZK: ['/usr/share/.zk', 'etc/1ssue.net', 'usr/X11R6/.zk/xfs'], - Suspicious: ['etc/rc.d/init.d/rc.modules', 'lib/ldd.so', 
'usr/bin/ddc', 'usr/bin/ishit', 'lib/.so', 'usr/bin/atm', 'tmp/.cheese', 'dev/srd0', 'dev/hd7', 'usr/man/man3/psid'] + Suspicious: [ + 'etc/rc.d/init.d/rc.modules', + 'lib/ldd.so', + 'usr/bin/ddc', + 'usr/bin/ishit', + 'lib/.so', + 'usr/bin/atm', + 'tmp/.cheese', + 'dev/srd0', + 'dev/hd7', + 'usr/man/man3/psid', + ], }; -export const rootkitsData = { - "data": { - "title": "Rootkit '{_rootkit_category}' detected by the presence of file '{_rootkit_file}'." +module.exports.rootkitsData = { + data: { + title: + "Rootkit '{_rootkit_category}' detected by the presence of file '{_rootkit_file}'.", }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 7, - "description": "Host-based anomaly detection event (rootcheck).", - "groups": ["wazuh","rootcheck"], - "id": "510", - "gdpr": ["IV_35.7.d"] + rule: { + firedtimes: 1, + mail: false, + level: 7, + description: 'Host-based anomaly detection event (rootcheck).', + groups: ['wazuh', 'rootcheck'], + id: '510', + gdpr: ['IV_35.7.d'], }, - "full_log": "Rootkit '{_rootkit_category}' detected by the presence of file '{_rootkit_file}'.", + full_log: + "Rootkit '{_rootkit_category}' detected by the presence of file '{_rootkit_file}'.", }; -export const trojans = [ - {file: '/usr/bin/grep', signature: 'bash|givemer'}, - {file: '/usr/bin/egrep', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh'}, - {file: '/usr/bin/find', signature: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h'}, - {file: '/usr/bin/lsof', signature: '/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp'}, - {file: '/usr/bin/netstat', signature: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h'}, - {file: '/usr/bin/top', signature: '/dev/[^npi3st%]|proc\.h|/prof/'}, - {file: '/usr/bin/ps', signature: '/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh'}, - {file: '/usr/bin/tcpdump', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh'}, - {file: '/usr/bin/pidof', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh'}, - {file: 
'/usr/bin/fuser', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh'}, - {file: '/usr/bin/w', signature: 'uname -a|proc\.h|bash'}, +module.exports.trojans = [ + { file: '/usr/bin/grep', signature: 'bash|givemer' }, + { + file: '/usr/bin/egrep', + signature: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/|^/bin/.*sh', + }, + { + file: '/usr/bin/find', + signature: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file\\.h', + }, + { + file: '/usr/bin/lsof', + signature: + '/prof|/dev/[^apcmnfk]|proc\\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp', + }, + { + file: '/usr/bin/netstat', + signature: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\\.h', + }, + { file: '/usr/bin/top', signature: '/dev/[^npi3st%]|proc\\.h|/prof/' }, + { + file: '/usr/bin/ps', + signature: '/dev/ttyo|\\.1proc|proc\\.h|bash|^/bin/sh', + }, + { + file: '/usr/bin/tcpdump', + signature: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^bu]|^/bin/.*sh', + }, + { + file: '/usr/bin/pidof', + signature: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^f]|^/bin/.*sh', + }, + { + file: '/usr/bin/fuser', + signature: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[a-dtz]|^/bin/.*sh', + }, + { file: '/usr/bin/w', signature: 'uname -a|proc\\.h|bash' }, ]; -export const trojansData = { - "rule": { - "firedtimes": 2, - "mail": false, - "level": 7, - "description": "Host-based anomaly detection event (rootcheck).", - "groups": ["wazuh","rootcheck"], - "id": "510", - "gdpr": ["IV_35.7.d"] +module.exports.trojansData = { + rule: { + firedtimes: 2, + mail: false, + level: 7, + description: 'Host-based anomaly detection event (rootcheck).', + groups: ['wazuh', 'rootcheck'], + id: '510', + gdpr: ['IV_35.7.d'], }, - "full_log": "Trojaned version of file '{data.file}' detected. Signature used: '{_trojan_signature}' (Generic).", + full_log: + "Trojaned version of file '{data.file}' detected. Signature used: '{_trojan_signature}' (Generic).", }; 
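Review bot: `module.exports.decoder = DECODER.ROOTCHECK` (and the same pattern with `DECODER.WEB_ACCESSLOG` in web.js) now exports a reference to an object shared with common.js, where the old code exported a fresh `{ name: 'rootcheck' }` literal per module; if any consumer mutates `alert.decoder` in place (an `Object.assign` into it, for instance), that change would now leak into every alert that uses the same decoder, so this is worth confirming against the generator or freezing the DECODER entries where they are defined. Separately, the `rootkits` map mixes absolute paths with paths lacking a leading slash (`'usr/bin/soucemask'` next to `'/usr/bin/sourcemask'`, the RSHA and ZK entries); if that mirrors the upstream rootcheck signature list, a comment such as `// Paths are copied verbatim from the rootcheck signature list; some intentionally lack a leading slash` would stop the next maintainer from "fixing" them.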
diff --git a/plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.js b/plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.js
index c7a6e42801..e94cf8ee7c 100644
--- a/plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.js
+++ b/plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.js
@@ -11,9 +11,161 @@ */ // Regulatory compliance -export const PCI_DSS = ["1.1.1","1.3.4","1.4","10.1","10.2.1","10.2.2","10.2.4","10.2.5","10.2.6","10.2.7","10.4","10.5.2","10.5.5","10.6","10.6.1","11.2.1","11.2.3","11.4","11.5","2.2","2.2.3","4.1","5.1","5.2","6.2","6.5","6.5.1","6.5.10","6.5.2","6.5.5","6.5.7","6.5.8","6.6","8.1.2","8.1.4","8.1.5","8.1.6","8.1.8","8.2.4","8.7"]; -export const GDPR = ["IV_35.7.d", "II_5.1.f", "IV_32.2", "IV_30.1.g"]; -export const HIPAA = ["164.312.a.1","164.312.a.2.I","164.312.a.2.II","164.312.a.2.III","164.312.a.2.IV","164.312.b","164.312.c.1","164.312.c.2","164.312.d","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]; -export const NIST_800_53 = ["AC.12","AC.2","AC.6","AC.7","AU.12","AU.14","AU.5","AU.6","AU.8","AU.9","CA.3","CM.1","CM.3","CM.5","IA.4","IA.5","SA.11","SC.2","SC.5","SC.7","SC.8","SI.2","SI.3","SI.4","SI.7"]; -export const GPG13 = ["7.8", "7.9"]; -export const tsc = ["CC1.1","CC1.2","CC1.3","CC1.4","CC1.5","CC2.1","CC2.2","CC2.3","CC3.1","CC3.2","CC3.3","CC3.4","CC4.1","CC4.2","CC5.1","CC5.2","CC5.3","CC6.1","CC6.2","CC6.3","CC6.4","CC6.5","CC6.6","CC6.7","CC6.8","CC7.1","CC7.2","CC7.3","CC7.4","CC7.5","CC8.1","CC9.1","CC9.2","A1.1","A1.2","A1.3","C1.1","C1.2","PI1.1","PI1.2","PI1.3","PI1.4","PI1.5","P1.0","P1.1","P2.0","P2.1","P3.0","P3.1","P3.2","P4.0","P4.1","P4.2","P4.3","P5.0","P5.1","P5.2","P6.0","P6.1","P6.2","P6.3","P6.4","P6.5","P6.6","P6.7","P7.0","P7.1","P8.0","P8.1"]; \ No newline at end of file +module.exports.PCI_DSS = [ + '1.1.1', + '1.3.4', + '1.4', + '10.1', + '10.2.1', + '10.2.2', + '10.2.4', + '10.2.5', + '10.2.6', + '10.2.7', + '10.4', + '10.5.2', + '10.5.5', + '10.6', + '10.6.1', + '11.2.1', + '11.2.3', + '11.4', + '11.5', + '2.2', + '2.2.3', + '4.1', + '5.1', + '5.2', + '6.2', + '6.5', + '6.5.1', + '6.5.10', + '6.5.2', + '6.5.5', + '6.5.7', + '6.5.8', + '6.6', + '8.1.2', + '8.1.4', + '8.1.5', + '8.1.6', + '8.1.8', + '8.2.4', + '8.7', +]; +module.exports.GDPR = ['IV_35.7.d', 'II_5.1.f', 
'IV_32.2', 'IV_30.1.g']; +module.exports.HIPAA = [ + '164.312.a.1', + '164.312.a.2.I', + '164.312.a.2.II', + '164.312.a.2.III', + '164.312.a.2.IV', + '164.312.b', + '164.312.c.1', + '164.312.c.2', + '164.312.d', + '164.312.e.1', + '164.312.e.2.I', + '164.312.e.2.II', +]; +module.exports.NIST_800_53 = [ + 'AC.12', + 'AC.2', + 'AC.6', + 'AC.7', + 'AU.12', + 'AU.14', + 'AU.5', + 'AU.6', + 'AU.8', + 'AU.9', + 'CA.3', + 'CM.1', + 'CM.3', + 'CM.5', + 'IA.4', + 'IA.5', + 'SA.11', + 'SC.2', + 'SC.5', + 'SC.7', + 'SC.8', + 'SI.2', + 'SI.3', + 'SI.4', + 'SI.7', +]; +module.exports.GPG13 = ['7.8', '7.9']; +module.exports.tsc = [ + 'CC1.1', + 'CC1.2', + 'CC1.3', + 'CC1.4', + 'CC1.5', + 'CC2.1', + 'CC2.2', + 'CC2.3', + 'CC3.1', + 'CC3.2', + 'CC3.3', + 'CC3.4', + 'CC4.1', + 'CC4.2', + 'CC5.1', + 'CC5.2', + 'CC5.3', + 'CC6.1', + 'CC6.2', + 'CC6.3', + 'CC6.4', + 'CC6.5', + 'CC6.6', + 'CC6.7', + 'CC6.8', + 'CC7.1', + 'CC7.2', + 'CC7.3', + 'CC7.4', + 'CC7.5', + 'CC8.1', + 'CC9.1', + 'CC9.2', + 'A1.1', + 'A1.2', + 'A1.3', + 'C1.1', + 'C1.2', + 'PI1.1', + 'PI1.2', + 'PI1.3', + 'PI1.4', + 'PI1.5', + 'P1.0', + 'P1.1', + 'P2.0', + 'P2.1', + 'P3.0', + 'P3.1', + 'P3.2', + 'P4.0', + 'P4.1', + 'P4.2', + 'P4.3', + 'P5.0', + 'P5.1', + 'P5.2', + 'P6.0', + 'P6.1', + 'P6.2', + 'P6.3', + 'P6.4', + 'P6.5', + 'P6.6', + 'P6.7', + 'P7.0', + 'P7.1', + 'P8.0', + 'P8.1', +]; +module.exports.PCI = ['10.6']; +module.exports.FREQUENCY = [4, 6, 8, 10, 12, 14, 17]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.test.js b/plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.test.js new file mode 100644 index 0000000000..213fd4a9ef --- /dev/null +++ b/plugins/main/server/lib/generate-alerts/sample-data/regulatory-compliance.test.js 
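Review bot: The two new exports at the end of the hunk, `module.exports.PCI = ['10.6'];` and `module.exports.FREQUENCY = [4, 6, 8, 10, 12, 14, 17];`, are undocumented, and `PCI` sits next to the much longer `PCI_DSS` with nothing saying why a separate one-element list exists. A short comment on each would make the intent clear, e.g. `// Single PCI DSS requirement id used where only one value is needed (distinct from the PCI_DSS pool above)` and `// Candidate values for rule.frequency in generated alerts` — the latter presumably, since the accompanying regulatory-compliance.test.js only checks that they are integers. If `PCI` is meant to stay a subset of `PCI_DSS`, asserting that in the test would keep the two from drifting.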
@@ -0,0 +1,7 @@
+const { FREQUENCY } = require('./regulatory-compliance');
+
+describe('regulatory-compliance', () => {
+ it('should_verify_all_values_in_frequency_are_integers', () => {
+ expect(FREQUENCY.every(value => Number.isInteger(value))).toBe(true);
+ });
+});
diff --git a/plugins/main/server/lib/generate-alerts/sample-data/ssh.js b/plugins/main/server/lib/generate-alerts/sample-data/ssh.js
index 6ab6c15b55..36197e1e06 100644
--- a/plugins/main/server/lib/generate-alerts/sample-data/ssh.js
+++ b/plugins/main/server/lib/generate-alerts/sample-data/ssh.js
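Review bot: `FREQUENCY.every(value => Number.isInteger(value))` is vacuously true for an empty array, so the test still passes if someone empties FREQUENCY. Add `expect(FREQUENCY.length).toBeGreaterThan(0);` before the `every` check, and since these values are presumably used as rule.frequency counts, `expect(FREQUENCY.every(value => value > 0)).toBe(true);` pins the sign as well. A missing export is already covered, because destructuring an undefined FREQUENCY makes the `.every` call throw.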
@@ -10,83 +10,94 @@ * Find more information about this on the LICENSE file. */ -export const reverseLoockupError = { - location: "/var/log/secure", +module.exports.reverseLoockupError = { + location: '/var/log/secure', rule: { - "mail": false, - "level": 5, - "pci_dss": ["11.4"], - "description": "sshd: Reverse lookup error (bad ISP or attack).", - "groups": ["syslog","sshd"], - "mitre": { - "tactic": ["Lateral Movement"], - "id": ["T1021"] + mail: false, + level: 5, + pci_dss: ['11.4'], + description: 'sshd: Reverse lookup error (bad ISP or attack).', + groups: ['syslog', 'sshd'], + mitre: { + tactic: ['Lateral Movement'], + id: ['T1021'], }, - "id": "5702", - "nist_800_53": ["SI.4"], - "gpg13": ["4.12"], - "gdpr": ["IV_35.7.d"] + id: '5702', + nist_800_53: ['SI.4'], + gpg13: ['4.12'], + gdpr: ['IV_35.7.d'], }, - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15409]: reverse mapping checking getaddrinfo for {data.srcip}.static.impsat.com.co [{data.srcip}] failed - POSSIBLE BREAK-IN ATTEMPT!" 
+ full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[15409]: reverse mapping checking getaddrinfo for {data.srcip}.static.impsat.com.co [{data.srcip}] failed - POSSIBLE BREAK-IN ATTEMPT!', }; -export const insecureConnectionAttempt = { +module.exports.insecureConnectionAttempt = { rule: { mail: false, level: 6, - pci_dss: ["11.4"], - description: "sshd: insecure connection attempt (scan).", - groups: ["syslog","sshd","recon"], - id: "5706", - nist_800_53: ["SI.4"], - gpg13: ["4.12"], - gdpr: ["IV_35.7.d"] + pci_dss: ['11.4'], + description: 'sshd: insecure connection attempt (scan).', + groups: ['syslog', 'sshd', 'recon'], + id: '5706', + nist_800_53: ['SI.4'], + gpg13: ['4.12'], + gdpr: ['IV_35.7.d'], }, - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15225]: Did not receive identification string from {data.srcip} port {data.srcport}", - location: "/var/log/secure" + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[15225]: Did not receive identification string from {data.srcip} port {data.srcport}', + location: '/var/log/secure', }; -export const possibleAttackServer = { +module.exports.possibleAttackServer = { rule: { mail: false, level: 8, - pci_dss: ["11.4"], - description: "sshd: Possible attack on the ssh server (or version gathering).", - groups: ["syslog","sshd","recon"], + pci_dss: ['11.4'], + description: + 'sshd: Possible attack on the ssh server (or version gathering).', + groups: ['syslog', 'sshd', 'recon'], mitre: { - tactic: ["Lateral Movement"], - technique: ["Brute Force","Remove Services"], - id: ["T1021"] + tactic: ['Lateral Movement'], + technique: ['Brute Force', 'Remove Services'], + id: ['T1021'], }, - id: "5701", - nist_800_53: ["SI.4"], - gpg13: ["4.12"], - gdpr: ["IV_35.7.d"] + id: '5701', + nist_800_53: ['SI.4'], + gpg13: ['4.12'], + gdpr: ['IV_35.7.d'], }, - location: "/var/log/secure", - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15122]: Bad protocol version identification 
'\\003' from {data.srcip} port {data.srcport}", -} + location: '/var/log/secure', + full_log: + "{predecoder.timestamp} {predecoder.hostname} sshd[15122]: Bad protocol version identification '\\003' from {data.srcip} port {data.srcport}", +}; -export const possibleBreakinAttempt = { +module.exports.possibleBreakinAttempt = { rule: { mail: false, level: 10, - pci_dss: ["11.4"], - description: "sshd: Possible breakin attempt (high number of reverse lookup errors).", - groups: ["syslog","sshd"], + pci_dss: ['11.4'], + description: + 'sshd: Possible breakin attempt (high number of reverse lookup errors).', + groups: ['syslog', 'sshd'], mitre: { - tactic: ["Lateral Movement"], - technique: ["Brute Force","Remove Services"], - id: ["T1021"] + tactic: ['Lateral Movement'], + technique: ['Brute Force', 'Remove Services'], + id: ['T1021'], }, - id: "5703", - nist_800_53: ["SI.4"], + id: '5703', + nist_800_53: ['SI.4'], frequency: 6, - gpg13: ["4.12"], - gdpr: ["IV_35.7.d"] + gpg13: ['4.12'], + gdpr: ['IV_35.7.d'], }, - location: "/var/log/secure", - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[10385]: reverse mapping checking getaddrinfo for . [{data.srcip}] failed - POSSIBLE BREAK-IN ATTEMPT!", + location: '/var/log/secure', + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[10385]: reverse mapping checking getaddrinfo for . [{data.srcip}] failed - POSSIBLE BREAK-IN ATTEMPT!', }; -export const data = [reverseLoockupError, insecureConnectionAttempt, possibleAttackServer, possibleBreakinAttempt]; \ No newline at end of file +module.exports.data = [ + module.exports.reverseLoockupError, + module.exports.insecureConnectionAttempt, + module.exports.possibleAttackServer, + module.exports.possibleBreakinAttempt, +]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/virustotal.js b/plugins/main/server/lib/generate-alerts/sample-data/virustotal.js index 7bfbe66cb8..13c29ed812 100644 
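Review bot: `technique: ['Brute Force', 'Remove Services']` in possibleAttackServer, and again in possibleBreakinAttempt, carries over a typo: the MITRE ATT&CK technique paired with `id: ['T1021']` is "Remote Services", so the line should read `technique: ['Brute Force', 'Remote Services'],`. This sample data is what the MITRE visualisations render, so the misspelt name is user-visible. (Brute Force is T1110 rather than T1021, but that mismatch is pre-existing and may be deliberate sample noise.) `reverseLoockupError` is also misspelt, but renaming an export changes the module interface; leave it unless callers are updated in the same change.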
--- a/plugins/main/server/lib/generate-alerts/sample-data/virustotal.js
+++ b/plugins/main/server/lib/generate-alerts/sample-data/virustotal.js
@@ -11,6 +11,24 @@ */ // Virustotal -export const sourceFile = ['/usr/share/sample/program', "/etc/data/file", "/etc/sample/script", "/root/super-script", "/tmp/virus/notavirus", "/var/opt/amazing-file"]; -export const permalink = ['https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection', "https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection", "https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection", "https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection", "https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411", "https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465"]; -export const malicious = [0, 1]; \ No newline at end of file +module.exports.sourceFile = [ + '/usr/share/sample/program', + '/etc/data/file', + '/etc/sample/script', + '/root/super-script', + '/tmp/virus/notavirus', + '/var/opt/amazing-file', +]; +module.exports.permalink = [ + 'https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection', + 'https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection', + 
'https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection', + 'https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection', + 'https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection', + 'https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564', + 'https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411', + 'https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229', + 'https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233', + 'https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465', +]; +module.exports.malicious = [0, 1]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/vulnerabilities.js b/plugins/main/server/lib/generate-alerts/sample-data/vulnerabilities.js index a0a217e3e4..e894e8ece5 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/vulnerabilities.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/vulnerabilities.js @@ -1,6 +1,6 @@ // Vulnerability -export const data = [ +module.exports.data = [ { rule: { level: 7, diff --git a/plugins/main/server/lib/generate-alerts/sample-data/web.js b/plugins/main/server/lib/generate-alerts/sample-data/web.js index 2437adfea4..74a22928dc 100644 --- a/plugins/main/server/lib/generate-alerts/sample-data/web.js +++ b/plugins/main/server/lib/generate-alerts/sample-data/web.js 
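Review bot: `module.exports.malicious = [0, 1];` at the end of the hunk is undocumented; a comment such as `// Candidate values for data.virustotal.malicious (presumably 0 = no detections, 1 = at least one engine flagged the file)` would save readers a trip to the integration docs. The `permalink` list also mixes the current `/gui/file/<sha256>/detection` form with the legacy `/file/<sha256>/analysis/<timestamp>` form; if both are kept on purpose so the dashboards exercise both shapes, a one-line comment saying so would prevent someone normalising them later.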
@@ -10,14 +10,33 @@ * Find more information about this on the LICENSE file. */ -export const Protocols = ['GET']; +const { DECODER } = require('./common'); -export const urls = ['/', '/index.asp', '/remote/login?lang=en', '/index.php?lang=en', '/phpmyadmin2020/index.php?lang=en', '/pma2020/index.php?lang=en', '/administrator/admin/index.php?lang=en', ' /administrator/pma/index.php?lang=en', '/administrator/db/index.php?lang=en', '/db/phpMyAdmin-3/index.php?lang=en', -'/db/myadmin/index.php?lang=en', '/sql/phpMyAdmin/index.php?lang=en', '/sql/phpmyadmin2/index.php?lang=en', '/sql/sqlweb/index.php?lang=en', '/mysql/web/index.php?lang=en', '/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en', '/shopdb/index.php?lang=en'] +module.exports.Protocols = ['GET']; +module.exports.urls = [ + '/', + '/index.asp', + '/remote/login?lang=en', + '/index.php?lang=en', + '/phpmyadmin2020/index.php?lang=en', + '/pma2020/index.php?lang=en', + '/administrator/admin/index.php?lang=en', + ' /administrator/pma/index.php?lang=en', + '/administrator/db/index.php?lang=en', + '/db/phpMyAdmin-3/index.php?lang=en', + '/db/myadmin/index.php?lang=en', + '/sql/phpMyAdmin/index.php?lang=en', + '/sql/phpmyadmin2/index.php?lang=en', + '/sql/sqlweb/index.php?lang=en', + '/mysql/web/index.php?lang=en', + '/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en', + '/shopdb/index.php?lang=en', +]; -export const userAgents = [ // https://deviceatlas.com/blog/list-of-user-agent-strings - // Desktop +module.exports.userAgents = [ + // https://deviceatlas.com/blog/list-of-user-agent-strings + // Desktop 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246', 'Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36', 
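Review bot: `' /administrator/pma/index.php?lang=en'` in the urls list keeps a leading space in front of the path, so a generated full_log built from `{data.protocol} {data.url}` reads `"GET  /administrator/pma/... HTTP/1.1"` with two spaces, a request line an access-log decoder may not parse the way the other samples are parsed; it should be `'/administrator/pma/index.php?lang=en',`. The hunk already rewrites the list one entry per line, so this is the natural moment to fix it.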
@@ -25,14 +44,14 @@ export const userAgents = [ // https://deviceatlas.com/blog/list-of-user-agent-s 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36', // Smartphones - 'Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36' , + 'Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36', 'Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36', 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1', 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1', 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1', 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1', - // Tablets + // Tablets 'Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36', 'Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36', 'Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36', 
@@ -55,52 +74,51 @@ export const userAgents = [ // https://deviceatlas.com/blog/list-of-user-agent-s 'Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586', 'Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)', 'Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2', - 'Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU' + 'Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU', ]; -export const data = [ +module.exports.data = [ { - "rule": { - "firedtimes": 6, - "mail": false, - "level": 5, - "pci_dss": ["6.5","11.4"], - "description": "Web server 400 error code.", - "groups": ["web","accesslog","attack"], - "id": "31101", - "nist_800_53": ["SA.11","SI.4"], - "gdpr": ["IV_35.7.d"] - }, - "location": "/var/log/httpd/access_log", - "decoder": { - "name": "web-accesslog" + rule: { + firedtimes: 6, + mail: false, + level: 5, + pci_dss: ['6.5', '11.4'], + description: 'Web server 400 error code.', + groups: ['web', 'accesslog', 'attack'], + id: '31101', + nist_800_53: ['SA.11', 'SI.4'], + gdpr: ['IV_35.7.d'], }, - "full_log": "{data.srcip} - - [{_date}] \"{data.protocol} {data.url} HTTP/1.1\" {data.id} 219 \"-\" \"{_user_agent}\"", + location: '/var/log/httpd/access_log', + decoder: DECODER.WEB_ACCESSLOG, + full_log: + '{data.srcip} - - [{_date}] "{data.protocol} {data.url} HTTP/1.1" {data.id} 219 "-" "{_user_agent}"', }, { - "previous_output": "94.111.43.1 - - [24/Apr/2020:07:34:21 +0000] \"GET /phpmyadmin2019/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:20 +0000] \"GET /phpmyadmin2018/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - 
[24/Apr/2020:07:34:20 +0000] \"GET /phpmyadmin2017/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2016/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2015/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2014/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2013/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:18 +0000] \"GET /phpmyadmin2012/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:18 +0000] \"GET /phpmyadmin2011/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:17 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 215 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:17 +0000] \"GET /pma2019/index.php?lang=en HTTP/1.1\" 404 215 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/77.0.3865.120 Safari/537.36\"", + previous_output: + '94.111.43.1 - - [24/Apr/2020:07:34:21 +0000] "GET /phpmyadmin2019/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:20 +0000] "GET /phpmyadmin2018/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:20 +0000] "GET /phpmyadmin2017/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] "GET /phpmyadmin2016/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] "GET /phpmyadmin2015/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] "GET /phpmyadmin2014/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] "GET /phpmyadmin2013/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:18 +0000] "GET /phpmyadmin2012/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:18 +0000] "GET /phpmyadmin2011/index.php?lang=en HTTP/1.1" 404 222 "-" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:17 +0000] "GET /pma2020/index.php?lang=en HTTP/1.1" 404 215 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"\n94.111.43.1 - - [24/Apr/2020:07:34:17 +0000] "GET /pma2019/index.php?lang=en HTTP/1.1" 404 215 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"', // "data": { // "protocol": "GET", // "srcip": "94.111.43.1", // "id": "404", // "url": "/phpmyadmin2020/index.php?lang=en" // }, - "rule": { - "firedtimes": 8, - "mail": false, - "level": 10, - "pci_dss": ["6.5","11.4"], - "description": "Multiple web server 400 error codes from same source ip.", - "groups": ["web","accesslog","web_scan","recon"], - "id": "31151", - "nist_800_53": ["SA.11","SI.4"], - "frequency": 14, - "gdpr": ["IV_35.7.d"] - }, - "decoder": { - "name": "web-accesslog" + rule: { + firedtimes: 8, + mail: false, + level: 10, + pci_dss: ['6.5', '11.4'], + description: 'Multiple web server 400 error codes from same source ip.', + groups: ['web', 'accesslog', 'web_scan', 'recon'], + id: '31151', + nist_800_53: ['SA.11', 'SI.4'], + frequency: 14, + gdpr: ['IV_35.7.d'], }, - "full_log": "{data.srcip} - - [{_date}] \"{data.protocol} {data.url} HTTP/1.1\" {data.id} 222 \"-\" \"{_user_agent}\"", - "location": "/var/log/httpd/access_log", - } -] \ No newline at end of file + decoder: DECODER.WEB_ACCESSLOG, + full_log: + '{data.srcip} - - [{_date}] "{data.protocol} {data.url} HTTP/1.1" {data.id} 222 "-" "{_user_agent}"', + location: '/var/log/httpd/access_log', + }, +]; diff --git a/plugins/main/server/lib/generate-alerts/sample-data/yara.js b/plugins/main/server/lib/generate-alerts/sample-data/yara.js new file mode 100644 index 0000000000..9234f769a7 --- /dev/null 
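Review bot: `previous_output` embeds the routable address 94.111.43.1 in every line of the sample scan log, while `full_log` takes `{data.srcip}` from the generator, so unless the generator also rewrites previous_output the rendered alert shows one source IP in data.srcip and a different, real-world one in previous_output. Either build previous_output from the same `{data.srcip}` placeholder or at least use a documentation-range address such as 203.0.113.10 (RFC 5737; constructed example) so sample dashboards never display a real host. The commented-out `// "data": {...}` block above `rule` is also dead weight carried over from the old file; drop it or turn it into a one-line note on which fields the generator fills in.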
+++ b/plugins/main/server/lib/generate-alerts/sample-data/yara.js 
@@ -0,0 +1,85 @@
+const { Random } = require('../helpers/random');
+const { RuleGenerator } = require('../helpers/rule-generator');
+
+/*
+ ┌─────────────────────────────────────────────────────────────────────────┐
+ │ CONSTANTS │
+ └─────────────────────────────────────────────────────────────────────────┘
+ */
+
+const GROUPS = ['yara'];
+const SCANNED_FILE = ['webshell', 'exploit', 'backdoor'];
+const TAGS = ['DEMO', 'LINUX', 'SCRIPT', 'T1505_003', 'WEBSHELL'];
+const FILE_EXTENSIONS = ['php', 'html', 'js', 'txt'];
+const RULE_BASE = 'Webshell';
+const RULE_STATE = ['Worse', 'Better'];
+const RULE_AUTHOR = [
+ 'Lilli Pfister',
+ 'Niina Nyholm',
+ 'Salma Sundqvist',
+ 'Bety Guzman',
+ 'Itumeleng Smit',
+];
+const LOG_TYPES = ['INFO', 'WARNING', 'ERROR'];
+const API_CUSTOMERS = ['demo', 'test', 'prod'];
+const DESCRIPTION = ['File "" is a positive match. Yara rule: '];
+const LOCATION = '/var/ossec/logs/active-responses.log';
+
+/*
+ ┌─────────────────────────────────────────────────────────────────────────┐
+ │ GENERATORS │
+ └─────────────────────────────────────────────────────────────────────────┘
+ */
+
+const generateRuleDescription = () =>
+ `Web Shell - file ${Random.arrayItem(RULE_STATE)}.${Random.arrayItem(
+ FILE_EXTENSIONS,
+ )}`;
+
+const generateRuleName = () =>
+ `${RULE_BASE}_${Random.arrayItem(RULE_STATE)}_Linux_Shell_${Random.number(
+ 1,
+ 10,
+ )}_RID${Random.number(100, 999)}`;
+
+const generateScannedFile = () =>
+ `/home/wazuh-user/yara/malware/${Random.arrayItem(
+ SCANNED_FILE,
+ )}/${Random.arrayItem(FILE_EXTENSIONS)}`;
+
+const generateRule = () => ({
+ level: RuleGenerator.level(),
+ id: RuleGenerator.id(),
+ description: Random.arrayItem(DESCRIPTION),
+ firedtimes: RuleGenerator.firedtimes(),
+ mail: RuleGenerator.mail(),
+ groups: GROUPS,
+});
+
+const generateData = () => ({
+ YARA: {
+ reference: Random.createHash(32),
+ api_customer: Random.arrayItem(API_CUSTOMERS),
+ log_type: Random.arrayItem(LOG_TYPES),
+ scanned_file: generateScannedFile(),
+ rule_author: Random.arrayItem(RULE_AUTHOR),
+ rule_name: generateRuleName(),
+ rule_description: generateRuleDescription(),
+ tags: Random.uniqueValues(Random.number(1, TAGS.length), TAGS),
+ published_date: Random.date(),
+ },
+});
+
+/*
+ ┌─────────────────────────────────────────────────────────────────────────┐
+ │ EXPORTS │
+ └─────────────────────────────────────────────────────────────────────────┘
+ */
+
+module.exports.createAlert = () => {
+ return {
+ location: LOCATION,
+ rule: generateRule(),
+ data: generateData(),
+ };
+};
diff --git a/plugins/main/server/lib/generate-alerts/types.d.ts b/plugins/main/server/lib/generate-alerts/types.d.ts
new file mode 100644
index 0000000000..57a6f4b6a0
--- /dev/null
+++ b/plugins/main/server/lib/generate-alerts/types.d.ts
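Review bot: `rule.description` in `generateRule` is never filled in: `DESCRIPTION` holds the single template `'File "" is a positive match. Yara rule: '`, so every generated alert carries a description with empty quotes and a dangling `Yara rule: `, even though `generateData` already produces the `scanned_file` and `rule_name` the text is meant to show. Building the description in `createAlert` from the generated data (below) fixes that, and `DESCRIPTION` then becomes unused and can be dropped. Separately, `groups: GROUPS` hands the module-level array itself to every alert, so any consumer that pushes onto `rule.groups` (as the removed `scripts/wazuh-alerts-generator/lib/index.js` in this same patch did for other modules) would mutate the constant; `groups: [...GROUPS]` avoids that. `generateScannedFile` also ends the path with a bare extension name (`.../webshell/php`) rather than a file name, which looks unintended and is worth confirming against whatever renders it.

```javascript
module.exports.createAlert = () => {
  const data = generateData();
  const { scanned_file, rule_name } = data.YARA;
  return {
    location: LOCATION,
    rule: {
      ...generateRule(),
      // Describe the actual file and rule of this alert instead of the fixed template
      description: `File "${scanned_file}" is a positive match. Yara rule: ${rule_name}`,
    },
    data,
  };
};
```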
@@ -0,0 +1,221 @@
+export interface Rule {
+ id: string;
+ level: number;
+ description: string;
+ groups: string[];
+ firedtimes?: number;
+ mail?: boolean;
+ gdpr?: string[];
+ pci_dss?: string[];
+ tsc?: string[];
+ hipaa?: string[];
+ nist_800_53?: string[];
+ nist_800_83?: string[];
+ gpg13?: string[];
+ pci?: string[];
+ frequency?: number;
+ info?: string;
+}
+
+export interface Agent {
+ id: string;
+ name: string;
+ ip: string;
+}
+
+export interface Manager {
+ name: string;
+}
+
+export interface Cluster {
+ name: string;
+ node: string;
+}
+
+export interface Decoder {
+ parent?: string;
+ name: string;
+}
+
+export interface Input {
+ type: string;
+}
+
+export interface Location {
+ lat: number;
+ lon: number;
+}
+
+export interface Field {
+ timestamp: string;
+}
+
+export type GeoLocation = {
+ country_name: string;
+ location: Location;
+ region_name: string;
+ city_name: string;
+};
+
+export interface Process {
+ name: string;
+ id: number;
+ ppid: number;
+}
+
+export interface User {
+ name: string;
+ id: number;
+}
+
+export interface Audit {
+ process: Process;
+ effective_user: User;
+ user: User;
+ group: User;
+}
+
+export interface SysCheck {
+ event: string;
+ path: string;
+ uname_after: string;
+ gname_after: string;
+ mtime_before: Date;
+ mtime_after: Date;
+ size_after: number;
+ uid_after: string;
+ gid_after: string;
+ perm_after: string;
+ inode_before: number;
+ inode_after: number;
+ sha1_after: string;
+ changed_attributes: string[];
+ md5_after: string;
+ sha256_after: string;
+ tags: string[];
+ audit: Audit;
+}
+
+type DataKeys =
+ | 'integration'
+ | 'aws'
+ | 'office365'
+ | 'gcp'
+ | 'audit'
+ | 'oscap'
+ | 'title'
+ | 'file'
+ | 'virustotal'
+ | 'vulnerability'
+ | 'osquery'
+ | 'srcip'
+ | 'srcuser'
+ | 'srcport'
+ | 'win'
+ | 'dstuser'
+ | 'uid'
+ | 'euid'
+ | 'tty'
+ | 'github'
+ | 'system_name'
+ | 'id'
+ | 'protocol'
+ | 'url'
+ | 'extra_data'
+ | 'type'
+ | 'status'
+ | 'YARA'
+ | 'cis';
+
+export type Data = Partial>;
+
+export type PreDecoder = {
+ program_name: string;
+ timestamp: string;
+ hostname?: string;
+};
+
+export interface Alert {
+ id: string;
+ agent: Agent;
+ cluster: Cluster;
+ data: Data;
+ decoder: Decoder;
+ location: string;
+ manager: Manager;
+ rule: Rule;
+ timestamp: string;
+ predecoder?: PreDecoder;
+ fields?: Field;
+ full_log?: string;
+ GeoLocation?: GeoLocation;
+ input?: Input;
+ previous_output?: string;
+ syscheck?: Partial;
+}
+
+export interface SampleAlert extends Alert {
+ '@timestamp': string;
+ '@sampledata': true;
+}
+
+/* params to configure the alert */
+export type Params = {
+ manager: Manager;
+ cluster: Cluster;
+ /* if true, set aws fields */
+ aws: boolean;
+ /* if true, set office fields */
+ office: boolean;
+ /* if true, set GCP fields */
+ gcp: boolean;
+ /* if true, set System Auditing fields */
+ audit: boolean;
+ /* if true, set CIS-CAT fields */
+ ciscat: boolean;
+ /* if true, set Docker fields */
+ docker: boolean;
+ /* if true, set Mitre att&ck fields */
+ mitre: boolean;
+ /* if true, set OpenSCAP fields */
+ openscap: boolean;
+ /* if true, set Policy monitoring fields */
+ rootcheck: boolean;
+ /* if true, set integrity monitoring fields (IMF) */
+ syscheck: boolean;
+ /* if true, set VirusTotal fields */
+ virustotal: boolean;
+ /* if true, set vulnerabilities fields */
+ vulnerabilities: boolean;
+ /* if true, set Osquery fields */
+ osquery: boolean;
+ /* if true, set pci_dss fields */
+ pci_dss: boolean;
+ /* if true, set gdpr fields */
+ gdpr: boolean;
+ /* if true, set gpg13 fields */
+ gpg13: boolean;
+ /* if true, set hipaa fields */
+ hipaa: boolean;
+ /* if true, set nist_800_83 fields */
+ nist_800_83: boolean;
+ /* if true, set Regulatory compliance fields */
+ regulatory_compliance: boolean;
+ /* if true, set authentication fields */
+ authentication: boolean;
+ /* if true, set ssh fields */
+ ssh: boolean;
+ /* if true, set apache fields */
+ apache: boolean;
+ /* if true, set web fields */
+ web: boolean;
+ /* if true, set windows fields */
+ github: boolean;
+ /* if true, set YARA fields */
+ yara: boolean;
+ /* if true, set windows fields */
+ windows: {
+ service_control_manager: boolean;
+ };
+ random_probability_regulatory_compliance: number;
+};
diff --git a/plugins/wazuh-core/common/constants.ts b/plugins/wazuh-core/common/constants.ts
index e4ad9aa1ab..4511259c78 100644
--- a/plugins/wazuh-core/common/constants.ts
+++ b/plugins/wazuh-core/common/constants.ts
@@ -82,6 +82,7 @@ export const WAZUH_SAMPLE_ALERTS_CATEGORIES_TYPE_ALERTS = {
 { audit: true },
 { openscap: true },
 { ciscat: true },
+ { yara: true },
 ],
 [WAZUH_SAMPLE_ALERTS_CATEGORY_THREAT_DETECTION]: [
 { vulnerabilities: true },
diff --git a/scripts/wazuh-alerts-generator/cli.js b/scripts/wazuh-alerts-generator/cli.js
index 5e3b9e6b68..960cb418df 100644
--- a/scripts/wazuh-alerts-generator/cli.js
+++ b/scripts/wazuh-alerts-generator/cli.js
@@ -90,6 +90,7 @@ osquery: { osquery: true }, docker: { docker: true }, mitre: { mitre: true }, + yara: { yara: true }, }; // Define the alert module categories
diff --git a/scripts/wazuh-alerts-generator/lib/common.js b/scripts/wazuh-alerts-generator/lib/common.js
deleted file mode 100644
index 04e70137af..0000000000
--- a/scripts/wazuh-alerts-generator/lib/common.js
+++ /dev/null
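Review bot: The comment above `github: boolean;` in `Params` reads `/* if true, set windows fields */`, a copy of the comment on the `windows` entry two lines below; it should read `/* if true, set GitHub fields */`. `Params` also exposes `nist_800_83` while `Rule` declares both `nist_800_53` and `nist_800_83`, and the removed `scripts/wazuh-alerts-generator/lib/index.js` in this patch mapped `params.nist_800_83` onto `rule.nist_800_53`, so the flag name and the field it controls look mismatched and deserve either a clarifying comment on the flag or a rename if the new generator keeps that mapping. As rendered here, `export type Data = Partial>;` and `syscheck?: Partial;` are missing their type arguments, most likely because the angle-bracket generics were stripped in transit rather than in the committed source; worth confirming the file type-checks as committed. Finally, `SysCheck.mtime_before`/`mtime_after` are typed `Date` while the rest of the alert describes JSON-serialisable fields; if `Alert` is meant to describe the stored document rather than the in-memory object, those become `string` after serialisation.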
@@ -1,213 +0,0 @@ -/* - * Wazuh app - Common data to generate - * Copyright (C) 2015-2022 Wazuh, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * Find more information about this on the LICENSE file. - */ - -// Common data -module.exports.IPs = [ - '141.98.81.37', - '54.10.24.5', - '187.80.4.18', - '134.87.21.47', - '40.220.102.15', - '45.124.37.241', - '45.75.196.15', - '16.4.20.20', -]; -module.exports.Users = [ - 'root', - 'ec2-user', - 'SYSTEM', - 'wazuh', - 'Administrators', - 'suricata', - 'LOCAL Service', - 'NETWORK Service', -]; -module.exports.Ports = [ - '22', - '55047', - '26874', - '8905', - '3014', - '2222', - '4547', - '3475', - '7558', - '4277', - '3527', - '5784', - '7854', -]; -module.exports.Win_Hostnames = [ - 'Win_Server_01', - 'Win_Server_02', - 'Win_Server_03', - 'Win_Server_04', -]; -module.exports.Paths = ['/home/user/sample', '/tmp/sample', '/etc/sample']; - -// Agents -module.exports.Agents = [ - // { id: '000', name: 'master', ip: '120.17.47.10' }, - { - id: '001', - name: 'RHEL7', - ip: '187.54.247.68', - }, - { - id: '002', - name: 'Amazon', - ip: '145.80.240.15', - }, - { - id: '003', - name: 'ip-10-0-0-180.us-west-1.compute.internal', - ip: '10.0.0.180', - }, - { - id: '004', - name: 'Ubuntu', - ip: '47.204.15.21', - }, - { - id: '005', - name: 'Centos', - ip: '197.17.1.4', - }, - { - id: '006', - name: 'Windows', - ip: '207.45.34.78', - }, - { - id: '007', - name: 'Debian', - ip: '24.243.97.14', - }, -]; - -// Geolocation {country_name, location: {lat, lon }, region_name} -module.exports.GeoLocation = [ - { - country_name: 'Spain', - location: { - lat: 37.1881714, - lon: -3.6066699, - }, - region_name: 'Andalucía', - city_name: 'Granada', - }, - { - country_name: 'France', - location: { - lat: 48.8534088, - lon: 
2.3487999, - }, - region_name: 'Paris', - city_name: 'Paris', - }, - { - country_name: 'England', - location: { - lat: 51.5085297, - lon: -0.12574, - }, - region_name: 'London', - city_name: 'London', - }, - { - country_name: 'Germany', - location: { - lat: 52.524, - lon: 13.411, - }, - region_name: 'Berlin', - city_name: 'Berlin', - }, - { - country_name: 'United States of America', - location: { - lat: 40.7142715, - lon: -74.0059662, - }, - region_name: 'New York', - city_name: 'New York', - }, - { - country_name: 'Canada', - location: { - lat: 49.2496605, - lon: -123.119339, - }, - region_name: 'Vancouver', - city_name: 'Vancouver', - }, - { - country_name: 'Brasil', - location: { - lat: -22.9064198, - lon: -43.1822319, - }, - region_name: 'Río de Janeiro', - city_name: 'Río de Janeiro', - }, - { - country_name: 'India', - location: { - lat: 19.0728302, - lon: 72.8826065, - }, - region_name: 'Bombay', - city_name: 'Bombay', - }, - { - country_name: 'Australia', - location: { - lat: -33.8678513, - lon: 151.2073212, - }, - region_name: 'Sydney', - city_name: 'Sydney', - }, - { - country_name: 'China', - location: { - lat: 31.222, - lon: 121.458, - }, - region_name: 'Shanghai', - city_name: 'Shanghai', - }, -]; - -/** - * Get a random element of an array - * @param {[]} array - Array to get a randomized element - * @returns {any} - Element randomized - */ -function randomStrItem(str) { - let array = str.split(''); - return array[Math.floor(array.length * Math.random())]; -} - -module.exports.randomElements = (length, elements) => { - let hash = ''; - - for (let i = 0; i < length; i++) { - hash += randomStrItem(elements); - } - - return hash; -}; - -module.exports.randomArrayItem = array => { - return array[Math.floor(array.length * Math.random())]; -}; diff --git a/scripts/wazuh-alerts-generator/lib/index.js b/scripts/wazuh-alerts-generator/lib/index.js index 68dbe76c1f..d0470d08f7 100644 --- a/scripts/wazuh-alerts-generator/lib/index.js 
+++ b/scripts/wazuh-alerts-generator/lib/index.js 
@@ -1,1306 +1,6 @@ -// General const { - IPs, - Users, - Ports, - Paths, - Win_Hostnames, - GeoLocation, - Agents, - randomElements, - randomArrayItem, -} = require('./common'); - -const { - PCI_DSS, - GDPR, - HIPAA, - GPG13, - NIST_800_53, - tsc, -} = require('./modules/regulatory-compliance'); - -const Audit = require('./modules/audit'); -const Authentication = require('./modules/authentication'); -const AWS = require('./modules/aws'); -const IntegrityMonitoring = require('./modules/integrity-monitoring'); -const CISCAT = require('./modules/ciscat'); -const GCP = require('./modules/gcp'); -const Docker = require('./modules/docker'); -const Mitre = require('./modules/mitre'); -const Osquery = require('./modules/osquery'); -const OpenSCAP = require('./modules/openscap'); -const PolicyMonitoring = require('./modules/policy-monitoring'); -const Virustotal = require('./modules/virustotal'); -const Vulnerability = require('./modules/vulnerabilities'); -const SSH = require('./modules/ssh'); -const Apache = require('./modules/apache'); -const Web = require('./modules/web'); -const GitHub = require('./modules/github'); -const Office = require('./modules/office'); - -//Alert -const alertIDMax = 6000; - -// Rule -const ruleDescription = [ - 'Sample alert 1', - 'Sample alert 2', - 'Sample alert 3', - 'Sample alert 4', - 'Sample alert 5', -]; -const ruleMaxLevel = 15; - -/** - * Generate a alert - * @param {any} params - params to configure the alert - * @param {boolean} params.aws - if true, set aws fields - * @param {boolean} params.audit - if true, set System Auditing fields - * @param {boolean} params.office - if true, set office fields - * @param {boolean} params.ciscat - if true, set CIS-CAT fields - * @param {boolean} params.gcp - if true, set GCP fields - * @param {boolean} params.docker - if true, set Docker fields - * @param {boolean} params.mitre - if true, set Mitre att&ck fields - * @param {boolean} params.openscap - if true, set OpenSCAP fields - * @param 
{boolean} params.osquery - if true, set Osquery fields - * @param {boolean} params.rootcheck - if true, set Policy monitoring fields - * @param {boolean} params.syscheck - if true, set integrity monitoring fields - * @param {boolean} params.virustotal - if true, set VirusTotal fields - * @param {boolean} params.vulnerabilities - if true, set vulnerabilities fields - * @param {boolean} params.pci_dss - if true, set pci_dss fields - * @param {boolean} params.gdpr - if true, set gdpr fields - * @param {boolean} params.gpg13 - if true, set gpg13 fields - * @param {boolean} params.hipaa - if true, set hipaa fields - * @param {boolean} params.nist_800_53 - if true, set nist_800_53 fields - * @param {boolean} params.nist_800_53 - if true, set nist_800_53 fields - * @param {boolean} params.win_authentication_failed - if true, add win_authentication_failed to rule.groups - * @param {number} params.probability_win_authentication_failed - probability to add win_authentication_failed to rule.groups. 
Example: 20 will be 20% of probability to add this to rule.groups - * @param {boolean} params.authentication_failed - if true, add win_authentication_failed to rule.groups - * @param {number} params.probability_authentication_failed - probability to add authentication_failed to rule.groups - * @param {boolean} params.authentication_failures - if true, add win_authentication_failed to rule.groups - * @param {number} params.probability_authentication_failures - probability to add authentication_failures to rule.groups - * @return {any} - Alert generated - */ -function generateAlert(params) { - let alert = { - ['@sampledata']: true, - timestamp: '2020-01-27T11:08:47.777+0000', - rule: { - level: 3, - description: 'Sample alert', - id: '5502', - mail: false, - groups: [], - }, - agent: { - id: '000', - name: 'master', - }, - manager: { - name: 'master', - }, - cluster: { - name: 'wazuh', - }, - id: '1580123327.49031', - predecoder: {}, - decoder: {}, - data: {}, - location: '', - }; - alert.agent = randomArrayItem(Agents); - alert.rule.description = randomArrayItem(ruleDescription); - alert.rule.id = `${randomIntervalInteger(1, alertIDMax)}`; - alert.rule.level = randomIntervalInteger(1, ruleMaxLevel); - - alert.timestamp = randomDate(); - - if (params.manager) { - if (params.manager.name) { - alert.manager.name = params.manager.name; - } - } - - if (params.cluster) { - if (params.cluster.name) { - alert.cluster.name = params.cluster.name; - } - if (params.cluster.node) { - alert.cluster.node = params.cluster.node; - } - } - - if (params.aws) { - let randomType = randomArrayItem([ - 'guarddutyPortProbe', - 'apiCall', - 'networkConnection', - 'iamPolicyGrantGlobal', - ]); - - const beforeDate = new Date( - new Date(alert.timestamp) - 3 * 24 * 60 * 60 * 1000, - ); - switch (randomType) { - case 'guarddutyPortProbe': { - const typeAlert = AWS.guarddutyPortProbe; - - alert.data = { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = 
randomArrayItem(AWS.region); - alert.data.aws.resource.instanceDetails = { - ...randomArrayItem(AWS.instanceDetails), - }; - alert.data.aws.resource.instanceDetails.iamInstanceProfile.arn = - interpolateAlertProps( - typeAlert.data.aws.resource.instanceDetails.iamInstanceProfile.arn, - alert, - ); - alert.data.aws.title = interpolateAlertProps( - alert.data.aws.title, - alert, - ); - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - alert.data.aws.service.eventFirstSeen = formatDate( - beforeDate, - 'Y-M-DTh:m:s.lZ', - ); - alert.data.aws.service.eventLastSeen = formatDate( - new Date(alert.timestamp), - 'Y-M-DTh:m:s.lZ', - ); - alert.data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails = - { - ...randomArrayItem(AWS.remoteIpDetails), - }; - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate( - new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_guardduty-1-${formatDate( - new Date(alert.timestamp), - 'Y-M-D-h-m-s-l', - )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, - }; - alert.data.aws.service.count = `${randomIntervalInteger(400, 4000)}`; - alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - - alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); - alert.rule.description = interpolateAlertProps( - typeAlert.rule.description, - alert, - ); - - alert.decoder = { ...typeAlert.decoder }; - alert.location = typeAlert.location; - break; - } - case 'apiCall': { - const typeAlert = AWS.apiCall; - - alert.data = { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.resource.accessKeyDetails.userName = - randomArrayItem(Users); - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate( - new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_guardduty-1-${formatDate( - new Date(alert.timestamp), - 
'Y-M-D-h-m-s-l', - )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, - }; - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - alert.data.aws.service.action.awsApiCallAction.remoteIpDetails = { - ...randomArrayItem(AWS.remoteIpDetails), - }; - alert.data.aws.service.eventFirstSeen = formatDate( - beforeDate, - 'Y-M-DTh:m:s.lZ', - ); - alert.data.aws.service.eventLastSeen = formatDate( - new Date(alert.timestamp), - 'Y-M-DTh:m:s.lZ', - ); - alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.title = interpolateAlertProps( - alert.data.aws.title, - alert, - ); - alert.data.aws.description = interpolateAlertProps( - alert.data.aws.description, - alert, - ); - const count = `${randomIntervalInteger(400, 4000)}`; - alert.data.aws.service.additionalInfo.recentApiCalls.count = count; - alert.data.aws.service.count = count; - - alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); - alert.rule.description = interpolateAlertProps( - typeAlert.rule.description, - alert, - ); - - alert.decoder = { ...typeAlert.decoder }; - alert.location = typeAlert.location; - break; - } - case 'networkConnection': { - const typeAlert = AWS.networkConnection; - - alert.data = { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.resource.instanceDetails = { - ...randomArrayItem(AWS.instanceDetails), - }; - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate( - new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_guardduty-1-${formatDate( - new Date(alert.timestamp), - 'Y-M-D-h-m-s-l', - )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, - }; - alert.data.aws.description = interpolateAlertProps( - alert.data.aws.description, - alert, - ); - alert.data.aws.title = interpolateAlertProps( - alert.data.aws.title, - alert, - ); - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - 
alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.service.action.networkConnectionAction.remoteIpDetails = - { - ...randomArrayItem(AWS.remoteIpDetails), - }; - alert.data.aws.service.eventFirstSeen = formatDate( - beforeDate, - 'Y-M-DTh:m:s.lZ', - ); - alert.data.aws.service.eventLastSeen = formatDate( - new Date(alert.timestamp), - 'Y-M-DTh:m:s.lZ', - ); - alert.data.aws.service.additionalInfo = { - localPort: `${randomArrayItem(Ports)}`, - outBytes: `${randomIntervalInteger(1000, 3000)}`, - inBytes: `${randomIntervalInteger(1000, 10000)}`, - unusual: `${randomIntervalInteger(1000, 10000)}`, - }; - alert.data.aws.service.count = `${randomIntervalInteger(400, 4000)}`; - alert.data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4 = - alert.data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress; - alert.data.aws.arn = interpolateAlertProps( - typeAlert.data.aws.arn, - alert, - ); - alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); - alert.rule.description = interpolateAlertProps( - typeAlert.rule.description, - alert, - ); - - alert.decoder = { ...typeAlert.decoder }; - alert.location = typeAlert.location; - break; - } - case 'iamPolicyGrantGlobal': { - const typeAlert = AWS.iamPolicyGrantGlobal; - - alert.data = { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.summary.Timestamps = formatDate( - beforeDate, - 'Y-M-DTh:m:s.lZ', - ); - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `macie/${formatDate( - new Date(alert.timestamp), - 'Y/M/D/h', - )}/firehose_macie-1-${formatDate( - new Date(alert.timestamp), - 'Y-M-D-h-m-s', - )}-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-${formatDate( - new Date(alert.timestamp), - 'Y-M-D-h-m-s-l', - )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, - }; - alert.data.aws['created-at'] = 
formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.url = interpolateAlertProps( - typeAlert.data.aws.url, - alert, - ); - alert.data.aws['alert-arn'] = interpolateAlertProps( - typeAlert.data.aws['alert-arn'], - alert, - ); - - alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 50); - - alert.decoder = { ...typeAlert.decoder }; - alert.location = typeAlert.location; - break; - } - default: { - } - } - alert.input = { type: 'log' }; - alert.GeoLocation = randomArrayItem(GeoLocation); - } - - if (params.office) { - alert.agent = { - id: '000', - ip: alert.agent.ip, - name: alert.agent.name, - }; - - if (params.manager && params.manager.name) { - alert.agent.name = params.manager.name; - } - - const beforeDate = new Date( - new Date(alert.timestamp) - 3 * 24 * 60 * 60 * 1000, - ); - const IntraID = randomArrayItem(Office.arrayUuidOffice); - const OrgID = randomArrayItem(Office.arrayUuidOffice); - const objID = randomArrayItem(Office.arrayUuidOffice); - const userKey = randomArrayItem(Office.arrayUuidOffice); - const userID = randomArrayItem(Office.arrayUserId); - const userType = randomArrayItem([0, 2, 4]); - const resultStatus = randomArrayItem([ - 'Succeeded', - 'PartiallySucceeded', - 'Failed', - ]); - const log = randomArrayItem(Office.arrayLogs); - const ruleData = Office.officeRules[log.RecordType]; - - alert.agent.id = '000'; - alert.rule = ruleData.rule; - alert.decoder = randomArrayItem(Office.arrayDecoderOffice); - alert.GeoLocation = randomArrayItem(GeoLocation); - alert.data.integration = 'Office365'; - alert.location = Office.arrayLocationOffice; - alert.data.office365 = { - ...log, - ...ruleData.data.office365, - Id: IntraID, - CreationTime: formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'), - OrganizationId: OrgID, - UserType: userType, - UserKey: userKey, - ResultStatus: resultStatus, - ObjectId: objID, - UserId: userID, - ClientIP: randomArrayItem(Office.arrayIp), - }; - } - - if (params.gcp) { - alert.rule = 
randomArrayItem(GCP.arrayRules); - alert.data.integration = 'gcp'; - alert.data.gcp = { - insertId: 'uk1zpe23xcj', - jsonPayload: { - authAnswer: - GCP.arrayAuthAnswer[ - Math.floor(GCP.arrayAuthAnswer.length * Math.random()) - ], - protocol: - GCP.arrayProtocol[ - Math.floor(GCP.arrayProtocol.length * Math.random()) - ], - queryName: - GCP.arrayQueryName[ - Math.floor(GCP.arrayQueryName.length * Math.random()) - ], - queryType: - GCP.arrayQueryType[ - Math.floor(GCP.arrayQueryType.length * Math.random()) - ], - responseCode: - GCP.arrayResponseCode[ - Math.floor(GCP.arrayResponseCode.length * Math.random()) - ], - sourceIP: - GCP.arraySourceIP[ - Math.floor(GCP.arraySourceIP.length * Math.random()) - ], - vmInstanceId: '4980113928800839680.000000', - vmInstanceName: '531339229531.instance-1', - }, - logName: 'projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries', - receiveTimestamp: '2019-11-11T02:42:05.05853152Z', - resource: { - labels: { - location: - GCP.arrayLocation[ - Math.floor(GCP.arrayLocation.length * Math.random()) - ], - project_id: - GCP.arrayProject[ - Math.floor(GCP.arrayProject.length * Math.random()) - ], - source_type: - GCP.arraySourceType[ - Math.floor(GCP.arraySourceType.length * Math.random()) - ], - target_type: 'external', - }, - type: GCP.arrayType[Math.floor(GCP.arrayType.length * Math.random())], - }, - severity: - GCP.arraySeverity[Math.floor(GCP.arraySeverity.length * Math.random())], - timestamp: '2019-11-11T02:42:04.34921449Z', - }; - - alert.GeoLocation = randomArrayItem(GeoLocation); - } - - if (params.audit) { - let dataAudit = randomArrayItem(Audit.dataAudit); - alert.data = dataAudit.data; - alert.data.audit.file - ? alert.data.audit.file.name === '' - ? 
(alert.data.audit.file.name = randomArrayItem(Audit.fileName)) - : null - : null; - alert.rule = dataAudit.rule; - } - - if (params.ciscat) { - alert.rule.groups.push('ciscat'); - alert.data.cis = {}; - - alert.data.cis.group = randomArrayItem(CISCAT.group); - alert.data.cis.fail = randomIntervalInteger(0, 100); - alert.data.cis.rule_title = randomArrayItem(CISCAT.ruleTitle); - alert.data.cis.notchecked = randomIntervalInteger(0, 100); - alert.data.cis.score = randomIntervalInteger(0, 100); - alert.data.cis.pass = randomIntervalInteger(0, 100); - alert.data.cis.timestamp = new Date(randomDate()); - alert.data.cis.error = randomIntervalInteger(0, 1); - alert.data.cis.benchmark = randomArrayItem(CISCAT.benchmark); - alert.data.cis.unknown = randomIntervalInteger(0, 100); - alert.data.cis.notchecked = randomIntervalInteger(0, 5); - alert.data.cis.result = randomArrayItem(CISCAT.result); - } - - if (params.docker) { - const dataDocker = randomArrayItem(Docker.dataDocker); - alert.data = {}; - alert.data = dataDocker.data; - alert.rule = dataDocker.rule; - } - - if (params.mitre) { - alert.rule = randomArrayItem(Mitre.arrayMitreRules); - alert.location = randomArrayItem(Mitre.arrayLocation); - } - - if (params.openscap) { - alert.data = {}; - alert.data.oscap = {}; - const typeAlert = { ...randomArrayItem(OpenSCAP.data) }; - alert.data = { ...typeAlert.data }; - alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(2, 10); - alert.input = { - type: 'log', - }; - alert.decoder = { ...OpenSCAP.decoder }; - alert.location = OpenSCAP.location; - if (typeAlert.full_log) { - alert.full_log = interpolateAlertProps(typeAlert.full_log, alert); - } - } - - if (params.rootcheck) { - alert.location = PolicyMonitoring.location; - alert.decoder = { ...PolicyMonitoring.decoder }; - alert.input = { - type: 'log', - }; - - const alertCategory = randomArrayItem(['Rootkit', 'Trojan']); - - switch (alertCategory) { - case 'Rootkit': { - const rootkitCategory = 
randomArrayItem( - Object.keys(PolicyMonitoring.rootkits), - ); - const rootkit = randomArrayItem( - PolicyMonitoring.rootkits[rootkitCategory], - ); - alert.data = { - title: interpolateAlertProps( - PolicyMonitoring.rootkitsData.data.title, - alert, - { - _rootkit_category: rootkitCategory, - _rootkit_file: rootkit, - }, - ), - }; - alert.rule = { ...PolicyMonitoring.rootkitsData.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 10); - alert.full_log = alert.data.title; - break; - } - case 'Trojan': { - const trojan = randomArrayItem(PolicyMonitoring.trojans); - alert.data = { - file: trojan.file, - title: 'Trojaned version of file detected.', - }; - alert.rule = { ...PolicyMonitoring.trojansData.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 10); - alert.full_log = interpolateAlertProps( - PolicyMonitoring.trojansData.full_log, - alert, - { - _trojan_signature: trojan.signature, - }, - ); - break; - } - default: { - } - } - } - - if (params.syscheck) { - alert.rule.groups.push('syscheck'); - alert.syscheck = {}; - alert.syscheck.event = randomArrayItem(IntegrityMonitoring.events); - alert.syscheck.path = randomArrayItem( - alert.agent.name === 'Windows' - ? 
IntegrityMonitoring.pathsWindows - : IntegrityMonitoring.pathsLinux, - ); - alert.syscheck.uname_after = randomArrayItem(Users); - alert.syscheck.gname_after = 'root'; - alert.syscheck.mtime_after = new Date(randomDate()); - alert.syscheck.size_after = randomIntervalInteger(0, 65); - alert.syscheck.uid_after = randomArrayItem(IntegrityMonitoring.uid_after); - alert.syscheck.gid_after = randomArrayItem(IntegrityMonitoring.gid_after); - alert.syscheck.perm_after = 'rw-r--r--'; - alert.syscheck.inode_after = randomIntervalInteger(0, 100000); - switch (alert.syscheck.event) { - case 'added': - alert.rule = IntegrityMonitoring.regulatory[0]; - break; - case 'modified': - alert.rule = IntegrityMonitoring.regulatory[1]; - alert.syscheck.mtime_before = new Date( - alert.syscheck.mtime_after.getTime() - 1000 * 60, - ); - alert.syscheck.inode_before = randomIntervalInteger(0, 100000); - alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); - alert.syscheck.changed_attributes = [ - randomArrayItem(IntegrityMonitoring.attributes), - ]; - alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); - alert.syscheck.sha256_after = randomElements(64, 'abcdef0123456789'); - break; - case 'deleted': - alert.rule = IntegrityMonitoring.regulatory[2]; - alert.syscheck.tags = [randomArrayItem(IntegrityMonitoring.tags)]; - alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); - alert.syscheck.audit = { - process: { - name: randomArrayItem(Paths), - id: randomIntervalInteger(0, 100000), - ppid: randomIntervalInteger(0, 100000), - }, - effective_user: { - name: randomArrayItem(Users), - id: randomIntervalInteger(0, 100), - }, - user: { - name: randomArrayItem(Users), - id: randomIntervalInteger(0, 100), - }, - group: { - name: randomArrayItem(Users), - id: randomIntervalInteger(0, 100), - }, - }; - alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); - alert.syscheck.sha256_after = randomElements(64, 'abcdef0123456789'); - break; - default: 
{ - } - } - } - - if (params.virustotal) { - alert.rule.groups.push('virustotal'); - alert.location = 'virustotal'; - alert.data.virustotal = {}; - alert.data.virustotal.found = randomArrayItem(['0', '1', '1', '1']); - - alert.data.virustotal.source = { - sha1: randomElements(40, 'abcdef0123456789'), - file: randomArrayItem(Virustotal.sourceFile), - alert_id: `${randomElements(10, '0123456789')}.${randomElements( - 7, - '0123456789', - )}`, - md5: randomElements(32, 'abcdef0123456789'), - }; - - if (alert.data.virustotal.found === '1') { - alert.data.virustotal.malicious = randomArrayItem(Virustotal.malicious); - alert.data.virustotal.positives = `${randomIntervalInteger(0, 65)}`; - alert.data.virustotal.total = - alert.data.virustotal.malicious + alert.data.virustotal.positives; - alert.rule.description = `VirusTotal: Alert - ${alert.data.virustotal.source.file} - ${alert.data.virustotal.positives} engines detected this file`; - alert.data.virustotal.permalink = randomArrayItem(Virustotal.permalink); - alert.data.virustotal.scan_date = new Date( - Date.parse(alert.timestamp) - 4 * 60000, - ); - } else { - alert.data.virustotal.malicious = '0'; - alert.rule.description = - 'VirusTotal: Alert - No records in VirusTotal database'; - } - } - - if (params.vulnerabilities) { - const dataVulnerability = randomArrayItem(Vulnerability.data); - alert.rule = { - ...dataVulnerability.rule, - mail: false, - groups: ['vulnerability-detector'], - gdpr: ['IV_35.7.d'], - pci_dss: ['11.2.1', '11.2.3'], - tsc: ['CC7.1', 'CC7.2'], - }; - alert.location = 'vulnerability-detector'; - alert.decoder = { name: 'json' }; - alert.data = { - ...dataVulnerability.data, - }; - } - - if (params.osquery) { - alert.rule.groups.push('osquery'); - alert.data.osquery = {}; - if (randomIntervalInteger(0, 5) === 0) { - alert.rule.description = 'osquery error message'; - } else { - let dataOsquery = randomArrayItem(Osquery.dataOsquery); - alert.data.osquery = dataOsquery.osquery; - 
alert.data.osquery.calendarTime = alert.timestamp; - alert.rule.description = dataOsquery.rule.description; - randomIntervalInteger(0, 99) === 0 - ? (alert.data.osquery.action = 'removed') - : null; - } - } - - // Regulatory compliance - if ( - params.pci_dss || - params.regulatory_compliance || - (params.random_probability_regulatory_compliance && - randomProbability(params.random_probability_regulatory_compliance)) - ) { - alert.rule.pci_dss = [randomArrayItem(PCI_DSS)]; - } - if ( - params.gdpr || - params.regulatory_compliance || - (params.random_probability_regulatory_compliance && - randomProbability(params.random_probability_regulatory_compliance)) - ) { - alert.rule.gdpr = [randomArrayItem(GDPR)]; - } - if ( - params.gpg13 || - params.regulatory_compliance || - (params.random_probability_regulatory_compliance && - randomProbability(params.random_probability_regulatory_compliance)) - ) { - alert.rule.gpg13 = [randomArrayItem(GPG13)]; - } - if ( - params.hipaa || - params.regulatory_compliance || - (params.random_probability_regulatory_compliance && - randomIntervalInteger(params.random_probability_regulatory_compliance)) - ) { - alert.rule.hipaa = [randomArrayItem(HIPAA)]; - } - if ( - params.nist_800_83 || - params.regulatory_compliance || - (params.random_probability_regulatory_compliance && - randomIntervalInteger(params.random_probability_regulatory_compliance)) - ) { - alert.rule.nist_800_53 = [randomArrayItem(NIST_800_53)]; - } - - if (params.authentication) { - alert.data = { - srcip: randomArrayItem(IPs), - srcuser: randomArrayItem(Users), - srcport: randomArrayItem(Ports), - }; - alert.GeoLocation = randomArrayItem(GeoLocation); - alert.decoder = { - name: 'sshd', - parent: 'sshd', - }; - alert.input = { - type: 'log', - }; - alert.predecoder = { - program_name: 'sshd', - timestamp: formatDate(new Date(alert.timestamp), 'N D h:m:s'), - hostname: alert.manager.name, - }; - let typeAlert = randomArrayItem([ - 'invalidLoginPassword', - 
'invalidLoginUser', - 'multipleAuthenticationFailures', - 'windowsInvalidLoginPassword', - 'userLoginFailed', - 'passwordCheckFailed', - 'nonExistentUser', - 'bruteForceTryingAccessSystem', - 'authenticationSuccess', - 'maximumAuthenticationAttemptsExceeded', - ]); - - switch (typeAlert) { - case 'invalidLoginPassword': { - alert.location = Authentication.invalidLoginPassword.location; - alert.rule = { ...Authentication.invalidLoginPassword.rule }; - alert.rule.groups = [ - ...Authentication.invalidLoginPassword.rule.groups, - ]; - alert.full_log = interpolateAlertProps( - Authentication.invalidLoginPassword.full_log, - alert, - ); - break; - } - case 'invalidLoginUser': { - alert.location = Authentication.invalidLoginUser.location; - alert.rule = { ...Authentication.invalidLoginUser.rule }; - alert.rule.groups = [...Authentication.invalidLoginUser.rule.groups]; - alert.full_log = interpolateAlertProps( - Authentication.invalidLoginUser.full_log, - alert, - ); - break; - } - case 'multipleAuthenticationFailures': { - alert.location = Authentication.multipleAuthenticationFailures.location; - alert.rule = { ...Authentication.multipleAuthenticationFailures.rule }; - alert.rule.groups = [ - ...Authentication.multipleAuthenticationFailures.rule.groups, - ]; - alert.rule.frequency = randomIntervalInteger(5, 50); - alert.full_log = interpolateAlertProps( - Authentication.multipleAuthenticationFailures.full_log, - alert, - ); - break; - } - case 'windowsInvalidLoginPassword': { - alert.location = Authentication.windowsInvalidLoginPassword.location; - alert.rule = { ...Authentication.windowsInvalidLoginPassword.rule }; - alert.rule.groups = [ - ...Authentication.windowsInvalidLoginPassword.rule.groups, - ]; - alert.rule.frequency = randomIntervalInteger(5, 50); - alert.data.win = { - ...Authentication.windowsInvalidLoginPassword.data_win, - }; - alert.data.win.eventdata.ipAddress = randomArrayItem(IPs); - alert.data.win.eventdata.ipPort = randomArrayItem(Ports); - 
alert.data.win.system.computer = randomArrayItem(Win_Hostnames); - alert.data.win.system.eventID = `${randomIntervalInteger(1, 600)}`; - alert.data.win.system.eventRecordID = `${randomIntervalInteger( - 10000, - 50000, - )}`; - alert.data.win.system.processID = `${randomIntervalInteger(1, 1200)}`; - alert.data.win.system.systemTime = alert.timestamp; - alert.data.win.system.processID = `${randomIntervalInteger(1, 1200)}`; - alert.data.win.system.task = `${randomIntervalInteger(1, 1800)}`; - alert.data.win.system.threadID = `${randomIntervalInteger(1, 500)}`; - alert.full_log = interpolateAlertProps( - Authentication.windowsInvalidLoginPassword.full_log, - alert, - ); - break; - } - case 'userLoginFailed': { - alert.location = Authentication.userLoginFailed.location; - alert.rule = { ...Authentication.userLoginFailed.rule }; - alert.rule.groups = [...Authentication.userLoginFailed.rule.groups]; - alert.data = { - srcip: randomArrayItem(IPs), - dstuser: randomArrayItem(Users), - uid: `${randomIntervalInteger(0, 50)}`, - euid: `${randomIntervalInteger(0, 50)}`, - tty: 'ssh', - }; - alert.decoder = { ...Authentication.userLoginFailed.decoder }; - alert.full_log = interpolateAlertProps( - Authentication.userLoginFailed.full_log, - alert, - ); - break; - } - case 'passwordCheckFailed': { - alert.location = Authentication.passwordCheckFailed.location; - alert.rule = { ...Authentication.passwordCheckFailed.rule }; - alert.rule.groups = [...Authentication.passwordCheckFailed.rule.groups]; - alert.data = { - srcuser: randomArrayItem(Users), - }; - alert.predecoder.program_name = 'unix_chkpwd'; - alert.decoder = { ...Authentication.passwordCheckFailed.decoder }; - alert.full_log = interpolateAlertProps( - Authentication.passwordCheckFailed.full_log, - alert, - ); - break; - } - case 'nonExistentUser': { - alert.location = Authentication.nonExistentUser.location; - alert.rule = { ...Authentication.nonExistentUser.rule }; - alert.rule.groups = 
[...Authentication.nonExistentUser.rule.groups]; - alert.full_log = interpolateAlertProps( - Authentication.nonExistentUser.full_log, - alert, - ); - break; - } - case 'bruteForceTryingAccessSystem': { - alert.location = Authentication.bruteForceTryingAccessSystem.location; - alert.rule = { ...Authentication.bruteForceTryingAccessSystem.rule }; - alert.rule.groups = [ - ...Authentication.bruteForceTryingAccessSystem.rule.groups, - ]; - alert.full_log = interpolateAlertProps( - Authentication.bruteForceTryingAccessSystem.full_log, - alert, - ); - break; - } - case 'reverseLoockupError': { - alert.location = Authentication.reverseLoockupError.location; - alert.rule = { ...Authentication.reverseLoockupError.rule }; - alert.rule.groups = [...Authentication.reverseLoockupError.rule.groups]; - alert.data = { - srcip: randomArrayItem(IPs), - }; - alert.full_log = interpolateAlertProps( - Authentication.reverseLoockupError.full_log, - alert, - ); - } - case 'insecureConnectionAttempt': { - alert.location = Authentication.insecureConnectionAttempt.location; - alert.rule = { ...Authentication.insecureConnectionAttempt.rule }; - alert.rule.groups = [ - ...Authentication.insecureConnectionAttempt.rule.groups, - ]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - }; - alert.full_log = interpolateAlertProps( - Authentication.insecureConnectionAttempt.full_log, - alert, - ); - } - case 'authenticationSuccess': { - alert.location = Authentication.authenticationSuccess.location; - alert.rule = { ...Authentication.authenticationSuccess.rule }; - alert.rule.groups = [ - ...Authentication.authenticationSuccess.rule.groups, - ]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - dstuser: randomArrayItem(Users), - }; - alert.full_log = interpolateAlertProps( - Authentication.authenticationSuccess.full_log, - alert, - ); - } - case 'maximumAuthenticationAttemptsExceeded': { - alert.location = - 
Authentication.maximumAuthenticationAttemptsExceeded.location; - alert.rule = { - ...Authentication.maximumAuthenticationAttemptsExceeded.rule, - }; - alert.rule.groups = [ - ...Authentication.maximumAuthenticationAttemptsExceeded.rule.groups, - ]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - dstuser: randomArrayItem(Users), - }; - alert.full_log = interpolateAlertProps( - Authentication.maximumAuthenticationAttemptsExceeded.full_log, - alert, - ); - } - default: { - } - } - alert.rule.firedtimes = randomIntervalInteger(2, 15); - alert.rule.tsc = [randomArrayItem(tsc)]; - } - - if (params.ssh) { - alert.data = { - srcip: randomArrayItem(IPs), - srcuser: randomArrayItem(Users), - srcport: randomArrayItem(Ports), - }; - alert.GeoLocation = randomArrayItem(GeoLocation); - alert.decoder = { - name: 'sshd', - parent: 'sshd', - }; - alert.input = { - type: 'log', - }; - alert.predecoder = { - program_name: 'sshd', - timestamp: formatDate(new Date(alert.timestamp), 'N D h:m:s'), - hostname: alert.manager.name, - }; - const typeAlert = randomArrayItem(SSH.data); - alert.location = typeAlert.location; - alert.rule = { ...typeAlert.rule }; - alert.rule.groups = [...typeAlert.rule.groups]; - alert.rule.firedtimes = randomIntervalInteger(1, 15); - alert.full_log = interpolateAlertProps(typeAlert.full_log, alert); - } - - if (params.windows) { - alert.rule.groups.push('windows'); - if (params.windows.service_control_manager) { - alert.predecoder = { - program_name: 'WinEvtLog', - timestamp: '2020 Apr 17 05:59:05', - }; - alert.input = { - type: 'log', - }; - alert.data = { - extra_data: 'Service Control Manager', - dstuser: 'SYSTEM', - system_name: randomArrayItem(Win_Hostnames), - id: '7040', - type: 'type', - status: 'INFORMATION', - }; - alert.rule.description = 'Windows: Service startup type was changed.'; - alert.rule.firedtimes = randomIntervalInteger(1, 20); - alert.rule.mail = false; - alert.rule.level = 3; - 
alert.rule.groups.push('windows', 'policy_changed'); - alert.rule.pci = ['10.6']; - alert.rule.hipaa = ['164.312.b']; - alert.rule.gdpr = ['IV_35.7.d']; - alert.rule.nist_800_53 = ['AU.6']; - alert.rule.info = 'This does not appear to be logged on Windows 2000.'; - alert.location = 'WinEvtLog'; - alert.decoder = { - parent: 'windows', - name: 'windows', - }; - alert.full_log = `2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: ${alert.data.system_name}: Background Intelligent Transfer Service auto start demand start BITS `; //TODO: date - alert.id = 18145; - alert.fields = { - timestamp: alert.timestamp, - }; - } - } - - if (params.apache) { - const typeAlert = { ...Apache.data[0] }; // there is only one type alert in data array at the moment. Randomize if add more type of alerts to data array - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - id: `AH${randomIntervalInteger(10000, 99999)}`, - }; - alert.GeoLocation = { ...randomArrayItem(GeoLocation) }; - alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(2, 10); - alert.input = { type: 'log' }; - alert.location = Apache.location; - alert.decoder = { ...Apache.decoder }; - - alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { - _timestamp_apache: formatDate( - new Date(alert.timestamp), - 'E N D h:m:s.l Y', - ), - _pi_id: randomIntervalInteger(10000, 30000), - }); - } - - if (params.web) { - alert.input = { - type: 'log', - }; - alert.data = { - protocol: 'GET', - srcip: randomArrayItem(IPs), - id: '404', - url: randomArrayItem(Web.urls), - }; - alert.GeoLocation = { ...randomArrayItem(GeoLocation) }; - - const typeAlert = randomArrayItem(Web.data); - const userAgent = randomArrayItem(Web.userAgents); - alert.rule = { ...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(1, 10); - alert.decoder = { ...typeAlert.decoder }; - alert.location = typeAlert.location; - 
alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { - _user_agent: userAgent, - _date: formatDate(new Date(alert.timestamp), 'D/N/Y:h:m:s +0000'), - }); - if (typeAlert.previous_output) { - const previousOutput = []; - const beforeSeconds = 4; - for (let i = beforeSeconds; i > 0; i--) { - const beforeDate = new Date(new Date(alert.timestamp) - (2 + i) * 1000); - previousOutput.push( - interpolateAlertProps(typeAlert.full_log, alert, { - _user_agent: userAgent, - _date: formatDate(new Date(beforeDate), 'D/N/Y:h:m:s +0000'), - }), - ); - } - alert.previous_output = previousOutput.join('\n'); - } - } - - if (params.github) { - alert.location = GitHub.LOCATION; - alert.decoder = GitHub.DECODER; - const alertType = randomArrayItem(GitHub.ALERT_TYPES); - const actor = randomArrayItem(GitHub.ACTORS); - alert.data = { - github: { ...alertType.data.github }, - }; - alert.data.github.org = randomArrayItem(GitHub.ORGANIZATION_NAMES); - alert.data.github.repo && - (alert.data.github.repo = `${alert.data.github.org}/${randomArrayItem( - GitHub.REPOSITORY_NAMES, - )}`); - alert.data.github.repository && - (alert.data.github.repository = `${ - alert.data.github.org - }/${randomArrayItem(GitHub.REPOSITORY_NAMES)}`); - alert.data.github.actor = actor.name; - alert.data.github.actor_location && - alert.data.github.actor_location.country_code && - (alert.data.github.actor_location.country_code = actor.country_code); - alert.data.github.user && - (alert.data.github.user = randomArrayItem(GitHub.USER_NAMES)); - alert.data.github.config && - alert.data.github.config.url && - (alert.data.github.config.url = randomArrayItem( - GitHub.SERVER_ADDRESS_WEBHOOK, - )); - alert.data.github['@timestamp'] = alert.timestamp; - alert.data.github.created_at && - (alert.data.github.created_at = alert.timestamp); - alert.rule = { - ...alertType.rule, - }; - } - - return alert; -} - -/** - * Get a random array with unique values - * @param {[]} array Array to extract the values - * 
@param {*} randomMaxRepetitions Number max of random extractions - * @param {function} sort Funciton to seort elements - * @return {*} Array with random values extracted of paramater array passed - */ -function randomUniqueValuesFromArray(array, randomMaxRepetitions = 1, sort) { - const repetitions = randomIntervalInteger(1, randomMaxRepetitions); - const set = new Set(); - for (let i = 0; i < repetitions; i++) { - set.add(array[randomIntervalInteger(0, array.length - 1)]); - } - return sort ? Array.from(set).sort(sort) : Array.from(set); -} - -/** - * Get a integer within a range - * @param {number} min - Minimum limit - * @param {number} max - Maximum limit - * @returns {number} - Randomized number in interval - */ -function randomIntervalInteger(min, max) { - return Math.floor(Math.random() * (max - (min - 1))) + min; -} - -/** - * Generate random alerts - * @param {*} params - * @param {number} numAlerts - Define number of alerts - * @return {*} - Random generated alerts defined with params - */ -function generateAlerts(params, numAlerts = 1) { - const alerts = []; - for (let i = 0; i < numAlerts; i++) { - alerts.push(generateAlert(params)); - } - return alerts; -} - -/** - * Get a random Date in range(7 days ago - now) - * @returns {date} - Random date in range (7 days ago - now) - */ -function randomDate(inf, sup) { - const nowTimestamp = Date.now(); - const time = randomIntervalInteger(0, 604800000); // Random 7 days in miliseconds - - const unix_timestamp = nowTimestamp - time; // Last 7 days = require( now - - const lastWeek = new Date(unix_timestamp); - return formatDate(lastWeek, 'Y-M-DTh:m:s.l+0000'); -} - -const formatterNumber = (number, zeros = 0) => - ('0'.repeat(zeros) + `${number}`).slice(-zeros); -const monthNames = { - long: [ - 'January', - 'February', - 'March', - 'April', - 'May', - 'June', - 'July', - 'August', - 'September', - 'October', - 'November', - 'December', - ], - short: [ - 'Jan', - 'Feb', - 'Mar', - 'Apr', - 'May', - 'Jun', - 
'Jul',
- 'Aug',
- 'Sep',
- 'Oct',
- 'Nov',
- 'Dec',
- ],
-};
-
-const dayNames = {
- long: [
- 'Sunday',
- 'Monday',
- 'Tuesday',
- 'Wednesday',
- 'Thursday',
- 'Friday',
- 'Saturday',
- ],
- short: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'],
-};
-
-function formatDate(date, format) {
- // It could use "moment" library to format strings too
- const tokens = {
- D: d => formatterNumber(d.getDate(), 2), // 01-31
- A: d => dayNames.long[d.getDay()], // 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
- E: d => dayNames.short[d.getDay()], // 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
- M: d => formatterNumber(d.getMonth() + 1, 2), // 01-12
- J: d => monthNames.long[d.getMonth()], // 'January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December'
- N: d => monthNames.short[d.getMonth()], // 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'
- Y: d => d.getFullYear(), // 2020
- h: d => formatterNumber(d.getHours(), 2), // 00-23
- m: d => formatterNumber(d.getMinutes(), 2), // 00-59
- s: d => formatterNumber(d.getSeconds(), 2), // 00-59
- l: d => formatterNumber(d.getMilliseconds(), 3), // 000-999
- };
-
- return format.split('').reduce((accum, token) => {
- if (tokens[token]) {
- return accum + tokens[token](date);
- }
- return accum + token;
- }, '');
-}
-
-/**
- *
- * @param {string} str String with interpolations
- * @param {*} alert Alert object
- * @param {*} extra Extra parameters to interpolate what aren't in alert objet. Only admit one level of depth
- */
-function interpolateAlertProps(str, alert, extra = {}) {
- const matches = str.match(/{([\w\._]+)}/g);
- return (
- (matches &&
- matches.reduce((accum, cur) => {
- const match = cur.match(/{([\w\._]+)}/);
- const items = match[1].split('.');
- const value =
- items.reduce((a, c) => (a && a[c]) || extra[c] || undefined, alert) ||
- cur;
- return accum.replace(cur, value);
- }, str)) ||
- str
- );
-}
-
-/**
- * Return a random probability
- * @param {number} probability
- * @param {number[=100]} maximum
- */
-function randomProbability(probability, maximum = 100) {
- return randomIntervalInteger(0, maximum) <= probability;
-}
+ generateAlert,
+ generateAlerts,
+} = require('../../../plugins/main/server/lib/generate-alerts/generate-alerts-script');
 module.exports = { generateAlert, generateAlerts };
diff --git a/scripts/wazuh-alerts-generator/lib/modules/apache.js b/scripts/wazuh-alerts-generator/lib/modules/apache.js
deleted file mode 100644
index 26c264425d..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/apache.js
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Wazuh app - Apache sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-module.exports.location = '/var/log/httpd/error_log';
-
-module.exports.decoder = {
- parent: "apache-errorlog",
- name: "apache-errorlog"
-};
-
-module.exports.data = [
- {
- "rule": {
- "firedtimes": 5,
- "mail": false,
- "level": 5,
- "pci_dss": ["6.5.8","10.2.4"],
- "hipaa": [
- "164.312.b"
- ],
- "description": "Apache: Attempt to access forbidden directory index.",
- "groups": ["apache","web","access_denied"],
- "id": "30306",
- "nist_800_53": [
- "SA.11",
- "AU.14",
- "AC.7"
- ],
- "gdpr": ["IV_35.7.d"]
- },
- "full_log": "[{_timestamp_apache}] [autoindex:error] [pid {_pi_id}] [client {data.srcip}:{data.srcport}] {data.id}: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive",
- }
-];
\ No newline at end of file
diff --git a/scripts/wazuh-alerts-generator/lib/modules/audit.js b/scripts/wazuh-alerts-generator/lib/modules/audit.js
deleted file mode 100644
index 4d56760fc3..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/audit.js
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * Wazuh app - Audit sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-// Audit
-
-const { randomArrayItem } = require('../common');
-
-module.exports.fileName = ["/etc/samplefile", "/etc/sample/file", "/var/sample"];
-const ruleId = ['80790', '80784', '80781', '80791'];
-const auditType = ["SYSCALL", "EXECVE", "CWD", "NORMAL", "PATH", "PROCTITLE"];
-
-module.exports.dataAudit = [{
- data: {
- audit: {
- file: {
- name: ''
- },
- exe: '/usr/sbin/sudo',
- command: 'sudo',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 12,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/sudo",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: ''
- },
- exe: '/usr/sbin/sshd',
- command: 'ssh',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 3,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/ssh",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: ''
- },
- exe: '/usr/sbin/crond',
- command: 'cron',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 1,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/crond",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: ''
- },
- exe: '/usr/sbin/ls',
- command: 'ls',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 6,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/ls",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: '/sbin/consoletype'
- },
- exe: '/usr/sbin/consoletype',
- command: 'consoletype',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 16,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/consoletype",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: '/bin/bash'
- },
- exe: '/usr/sbin/bash',
- command: 'bash',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 1,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/bash",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: '/usr/bin/id'
- },
- exe: '/usr/sbin/id',
- command: 'id',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 11,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/id",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: '/usr/bin/grep'
- },
- exe: '/usr/sbin/grep',
- command: 'grep',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 13,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/grep",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: '/usr/bin/hostname'
- },
- exe: '/usr/sbin/hostname',
- command: 'hostname',
- success: 'yes',
- cwd: "/home/wazuh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 13,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/hostname",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
- {
- data: {
- audit: {
- file: {
- name: '/usr/bin/sh'
- },
- exe: '/usr/sbin/sh',
- command: 'sh',
- success: 'yes',
- cwd: "/home/sh",
- type: randomArrayItem(auditType),
- },
- },
- rule: {
- id: randomArrayItem(ruleId),
- firedtimes: 17,
- mail: false,
- level: 3,
- description: "Audit: Command: /usr/sbin/sh",
- groups: [
- "audit",
- "audit_command"
- ],
- gdpr: [
- "IV_30.1.g"
- ]
- },
- },
-]
diff --git a/scripts/wazuh-alerts-generator/lib/modules/authentication.js b/scripts/wazuh-alerts-generator/lib/modules/authentication.js
deleted file mode 100644
index 721ccf3e2b..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/authentication.js
+++ /dev/null
@@ -1,274 +0,0 @@
-/*
- * Wazuh app - Authentication sample alerts
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-module.exports.invalidLoginPassword = {
- decoder: {
- parent: 'sshd',
- name: 'sshd',
- },
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} sshd[5330]: Failed password for {data.srcuser} from {data.srcip} port {data.srcport} ssh2',
- location: '/var/log/auth.log',
- predecoder: {
- program_name: 'sshd',
- timestamp: 'Apr 17 00:17:52',
- hostname: 'ip-10-0-1-50',
- },
- rule: {
- description: 'sshd: authentication failed.',
- groups: ['syslog', 'sshd', 'invalid_login', 'authentication_failed'],
- id: 5716,
- level: 5,
- mail: false,
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['7.1'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- },
-};
-
-module.exports.invalidLoginUser = {
- decoder: {
- parent: 'sshd',
- name: 'sshd',
- },
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} sshd[10022]: Invalid user {data.srcuser} from {data.srcuser} from {data.srcip} port {data.srcport} ssh2',
- location: '/var/log/secure',
- predecoder: {
- program_name: 'sshd',
- timestamp: 'Apr 17 00:17:52',
- hostname: 'ip-10-0-1-50',
- },
- rule: {
- description: 'sshd: Attempt to login using a non-existent user',
- groups: ['syslog', 'sshd', 'invalid_login', 'authentication_failed'],
- id: 5710,
- level: 5,
- pci_dss: ['10.2.4', '10.2.5', '10.6.1'],
- gpg13: ['7.1'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7', 'AU.6'],
- },
-};
-
-module.exports.multipleAuthenticationFailures = {
- decoder: {
- parent: 'sshd',
- name: 'sshd',
- },
- full_log:
- `{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2`,
- location: '/var/log/secure',
- rule: {
- description: 'sshd: Multiple authentication failures.',
- id: 5720,
- level: 10,
- frequency: 8,
- groups: ['syslog', 'sshd', 'authentication_failures'],
- pci_dss: ['10.2.4', '10.2.5', '11.4'],
- gpg13: ['7.1'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
- },
- predecoder: {
- program_name: 'sshd',
- timestamp: 'Apr 17 00:17:52',
- hostname: 'ip-10-0-1-50',
- },
-};
-
-module.exports.windowsInvalidLoginPassword = {
- full_log: `{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2`,
- data_win: {
- eventdata: {
- authenticationPackageName: 'NTLM',
- failureReason: '%%2313',
- keyLength: 0,
- logonProcessName: 'NtLmSsp',
- logonType: '3',
- processId: '0x0',
- status: '0xc000006d',
- subStatus: '0xc0000064',
- subjectLogonId: '0x0',
- subjectUserSid: 'S-1-0-0',
- targetUserName: 'DIRECTION',
- },
- system: {
- channel: 'Security',
- keywords: '0x8010000000000000',
- level: '0',
- message: '',
- opcode: '0',
- providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}',
- providerName: 'Microsoft-Windows-Security-Auditing',
- severityValue: 'AUDIT_FAILURE',
- version: '0',
- },
- },
- decoder: {
- parent: 'sshd',
- name: 'windows_eventchannel',
- },
- location: 'EventChannel',
- rule: {
- description: 'Logon Failure - Unknown user or bad password',
- groups: ['windows', 'windows_security', 'win_authentication_failed'],
- id: 60122,
- level: 5,
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['7.1'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.1', 'AC.7'],
- },
-};
-
-module.exports.userLoginFailed = {
- rule: {
- id: 5503,
- level: 5,
- description: 'PAM: User login failed.',
- mail: false,
- groups: ['pam', 'syslog', 'authentication_failed'],
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['7.8'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- },
- predecoder: {
- program_name: 'sshd',
- timestamp: 'Apr 17 00:04:40',
- hostname: 'ip-10-0-1-178',
- },
- decoder: {
- name: 'pam',
- },
- location: '/var/log/secure',
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid={data.uid} euid={data.euid} tty={data.tty} ruser= rhost={data.srcip} user={data.dstuser}',
-};
-
-module.exports.passwordCheckFailed = {
- rule: {
- level: 5,
- description: 'unix_chkpwd: Password check failed.',
- id: '5557',
- mail: false,
- groups: ['pam', 'syslog', 'authentication_failed'],
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['4.3'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- },
- predecoder: {
- program_name: 'unix_chkpwd',
- timestamp: 'Apr 17 00:07:04',
- hostname: 'ip-10-0-1-132',
- },
- decoder: {
- name: 'unix_chkpwd',
- },
- data: { srcuser: 'root' },
- location: '/var/log/secure',
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} {decoder.name}[29593]: password check failed for user ({data.srcuser})',
-};
-
-module.exports.nonExistentUser = {
- rule: {
- mail: false,
- level: 5,
- pci_dss: ['10.2.4', '10.2.5', '10.6.1'],
- hipaa: ['164.312.b'],
- description: 'sshd: Attempt to login using a non-existent user',
- groups: ['syslog', 'sshd', 'invalid_login', 'authentication_failed'],
- id: '5710',
- nist_800_53: ['AU.14', 'AC.7', 'AU.6'],
- gpg13: ['7.1'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- },
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} sshd[15724]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport}',
- location: '/var/log/secure',
-};
-
-module.exports.bruteForceTryingAccessSystem = {
- rule: {
- mail: false,
- level: 10,
- pci_dss: ['11.4', '10.2.4', '10.2.5'],
- hipaa: ['164.312.b'],
- description: 'sshd: brute force trying to get access to the system.',
- groups: ['syslog', 'sshd', 'authentication_failures'],
- mitre: {
- tactic: ['Credential Access', 'Lateral Movement'],
- technique: ['Brute Force', 'Remove Services'],
- id: ['T1110', 'T1021'],
- },
- id: '5712',
- nist_800_53: ['SI.4', 'AU.14', 'AC.7'],
- frequency: 8,
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- },
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} sshd[15722]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport}',
- location: '/var/log/secure',
-};
-
-module.exports.authenticationSuccess = {
- data: {
- srcip: '84.122.71.89',
- dstuser: 'ec2-user',
- },
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} sshd[12727]: Accepted publickey for {data.dstuser} from {data.srcip} port {data.srcport} ssh2: RSA SHA256:ET29+nbiHqrKs1gUewWTFRCHWdO/vMoRQXPESWn8ZG4',
- input: {
- type: 'log',
- },
- location: '/var/log/secure',
- rule: {
- mail: false,
- level: 3,
- pci_dss: ['10.2.5'],
- hipaa: ['164.312.b'],
- description: 'sshd: authentication success.',
- groups: ['syslog', 'sshd', 'authentication_success'],
- id: '5715',
- nist_800_53: ['AU.14', 'AC.7'],
- gpg13: ['7.1', '7.2'],
- gdpr: ['IV_32.2'],
- },
-};
-
-module.exports.maximumAuthenticationAttemptsExceeded = {
- rule: {
- mail: false,
- level: 8,
- description: 'Maximum authentication attempts exceeded.',
- groups: ['syslog', 'sshd', 'authentication_failed'],
- mitre: {
- tactic: ['Credential Access', 'Lateral Movement'],
- technique: ['Brute Force', 'Remove Services'],
- id: ['T1110', 'T1021'],
- },
- id: '5758',
- gpg13: ['7.1'],
- },
- location: '/var/log/secure',
- full_log:
- '{predecoder.timestamp} {predecoder.hostname} sshd[19767]: error: maximum authentication attempts exceeded for {data.dstuser} from {data.srcip} port {data.srcport} ssh2 [preauth]',
-};
diff --git a/scripts/wazuh-alerts-generator/lib/modules/aws.js b/scripts/wazuh-alerts-generator/lib/modules/aws.js
deleted file mode 100644
index 37098c367a..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/aws.js
+++ /dev/null
@@ -1,495 +0,0 @@
-/*
- * Wazuh app - AWS sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
- // Amazon AWS services
-module.exports.source = ["guardduty", "cloudtrail", "vpcflow", "config"];
-module.exports.accountId = ["186157501624", "117521235382", "150447125201", "18773455640", "186154171780", "250141701015"];
-module.exports.region = ["eu-west-1", "eu-west-2", "eu-west-3", "eu-north-1", "eu-central-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2", "me-south-1", "ap-east-1", "ap-east-2", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ca-central-1"]; // https://docs.aws.amazon.com/es_es/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions
-module.exports.buckets = ["aws-sample-bucket-1", "aws-sample-bucket-2", "aws-sample-bucket-3", "aws-sample-bucket-4", "aws-sample-bucket-5", "aws-sample-bucket-6", "aws-sample-bucket-7", "aws-sample-bucket-8", "aws-sample-bucket-9"];
-
-module.exports.instanceId = ['i-060bb01699dddc20c','i-060bb020479bedc20w', 'i-070eb020479bebf20a', 'i-070eb015479befb15d', 'i-057eb060779fdae15b'];
-
-module.exports.remoteIpDetails = [
- {
- country: {
- countryName: "Mexico"
- },
- city: {
- cityName: "Mérida"
- },
- geoLocation: {
- lon: "-89.616700",
- lat: "20.950000"
- },
- organization: {
- asnOrg: "Internet Mexico Company",
- org: "Internet Mexico Company",
- isp: "Internet Mexico Company",
- asn: "4257"
- },
- ipAddressV4: "160.0.14.40"
- },
- {
- country: {
- countryName: "Italy"
- },
- city: {
- cityName: "Savona"
- },
- geoLocation: {
- lon: "8.477200",
- lat: "44.309000"
- },
- organization: {
- asnOrg: "Speedweb",
-
org: "Speedweb", - isp: "Speedweb", - asn: "42784" - }, - ipAddressV4: "2.25.80.45" - }, - { - country: { - countryName: "Mexico" - }, - city: { - cityName: "Colima" - }, - geoLocation: { - lon: "-103.714500", - lat: "19.266800" - }, - organization: { - asnOrg: "Internet Mexico Company", - org: "Internet Mexico Company", - isp: "Internet Mexico Company", - asn: "4257" - }, - ipAddressV4: "187.234.16.206" - }, - { - country: { - countryName: "Netherlands" - }, - city: { - cityName: "Amsterdam" - }, - geoLocation: { - lon: "4.889700", - lat: "52.374000" - }, - organization: { - asnOrg: "Netherlands Telecom", - org: "Netherlands Telecom", - isp: "Netherlands Telecom", - asn: "40070" - }, - ipAddressV4: "160.0.14.40" - }, - { - country: { - "countryName": "Italy" - }, - city: { - cityName: "Palermo" - }, - geoLocation: { - lon: "13.334100", - lat: "38.129000" - }, - organization: { - asnOrg: "Net Connections", - org: "Net Connections", - isp: "Net Connections", - asn: "1547" - }, - ipAddressV4: "75.0.101.245" - }, - { - country: { - countryName: "United States" - }, - city: { - cityName: "Panama City" - }, - geoLocation: { - lon: "-85.669600", - lat: "30.190900" - }, - organization: { - asnOrg: "Internet Innovations", - org: "Intenet Innovations", - isp: "Intenet Innovations", - asn: "4252" - }, - ipAddressV4: "70.24.101.214" - } -]; - -module.exports.instanceDetails = [ - { - "launchTime": "2020-04-22T11:17:08Z", - "instanceId": "i-0b0b8b34a48c8f1c4", - "networkInterfaces": { - "networkInterfaceId": "eni-01e777fb9acd548e4", - "subnetId": "subnet-7930da22", - "vpcId": "vpc-68e3c60f", - "privateDnsName": "ip-10-0-2-2.ec2.internal", - "publicIp": "40.220.125.204", - "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", - "privateIpAddress": "10.0.2.2" - }, - "instanceState": "running", - "imageId": "ami-0ff8a91507f77f900", - "instanceType": "t2.small", - "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", - "iamInstanceProfile": { - "id": 
"AIPAJGAZMFPZHKIBOCBIG", - "arn": "arn:aws:iam::{data.aws.accountId}:instance-profile/opsworks-web-production" - }, - "availabilityZone": "us-east-1a" - }, - { - "launchTime": "2019-03-22T14:15:41Z", - "instanceId": "i-0cab4a083d57dc400", - "networkInterfaces": { - "networkInterfaceId": "eni-0bb465b2d939dbda6", - "subnetId": "subnet-6b1d6203", - "vpcId": "vpc-921e61fa", - "privateDnsName": "ip-10-0-0-1.ec2.internal", - "publicIp": "54.90.48.38", - "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", - "privateIpAddress": "10.0.0.1" - }, - "instanceState": "running", - "imageId": "ami-09ae67bbfcd740875", - "instanceType": "a1.medium", - "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", - "productCodes": { - "productCodeId": "zud1u4kjmxu2j2jf0n36bqa", - "productCodeType": "marketplace" - }, - "iamInstanceProfile": { // FIXME - "id": "AIPAJGAZMFPZHKIBOUFGA", - "arn": "arn:aws:iam::{data.aws.accountId}:instance-profile/opsworks-web-production" - }, - "availabilityZone": "us-east-1e" - } -] - -module.exports.guarddutyPortProbe = { - data: { - aws: { - severity: "2", - schemaVersion: "2.0", - resource: { - // instanceDetails - resourceType: "Instance" - }, - description: "EC2 instance has an unprotected port which is being probed by a known malicious host.", - source: "guardduty", - type: "Recon:EC2/PortProbeUnprotectedPort", - title: "Unprotected port on EC2 instance {data.aws.resource.instanceDetails.instanceId} is being probed.", - // accountId: "166157441623", - // createdAt: "2019-07-31T16:31:14.739Z", - partition: "aws", - service: { - archived: "false", - resourceRole: "TARGET", - detectorId: "cab38390b400c06fb2897dfcebffb80d", - // eventFirstSeen: "2019-07-31T16:18:08Z", - // eventLastSeen: "2020-04-22T04:11:01Z", - additionalInfo: { - threatListName: "ProofPoint", - threatName: "Scanner" - }, - count: "2594", - action: { - actionType: "PORT_PROBE", - portProbeAction: { - blocked: "false", - 
portProbeDetails: { - localPortDetails: { - port: "80", - portName: "HTTP" - }, - remoteIpDetails: { - country: { - countryName: "Mexico" - }, - city: { - cityName: "M?rida" - }, - geoLocation: { - lon: "-89.616700", - lat: "20.950000" - }, - organization: { - asnOrg: "Internet Mexico Company", - org: "Internet Mexico Company", - isp: "Internet Mexico Company", - asn: "4257" - }, - ipAddressV4: "187.234.16.206" - } - } - } - }, - "serviceName": "guardduty" - } - } - }, - rule: { - firedtimes: 1, - mail: false, - level: 3, - description: "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance {data.aws.resource.instanceDetails.instanceId} is being probed. [IP: {data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4}] [Port: {data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port}]", - groups: ["amazon","aws","aws_guardduty"], - id: "80305" - }, - location: "Wazuh-AWS", - decoder: { - "name": "json" - }, -}; - -module.exports.apiCall = { - "data": { - "aws": { - "severity": "5", - "schemaVersion": "2.0", - "resource": { - "accessKeyDetails": { - "principalId": "AIDAIL4SI43KE7QMMBABB", - "userType": "IAMUser", - "userName": "" - }, - "resourceType": "AccessKey" - }, - "log_info": { - "s3bucket": "wazuh-aws-wodle", - "log_file": "guardduty/2020/04/22/10/firehose_guardduty-1-2020-04-22-10-36-02-d67c99dc-800a-486a-8339-59a7a8254ab2.zip" - }, - "description": "Unusual console login seen from principal {data.aws.resource.accessKeyDetails.userName}. 
Login activity using this client application, from the specific location has not been seen before from this principal.", - "source": "guardduty", - "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", - "title": "Unusual console login was seen for principal {data.aws.resource.accessKeyDetails.userName}.", - "accountId": "166157447443", - "createdAt": "2020-04-22T10:30:26.721Z", - "partition": "aws", - "service": { - "archived": "false", - "resourceRole": "TARGET", - "detectorId": "cab38390b728c06fb2897dfcebffb80d", - "eventFirstSeen": "2020-04-22T10:09:51Z", - "eventLastSeen": "2020-04-22T10:09:55Z", - "additionalInfo": { - "recentApiCalls": { - "count": "1", - "api": "ConsoleLogin" - } - }, - "count": "1", - "action": { - "actionType": "AWS_API_CALL", - "awsApiCallAction": { - "callerType": "Remote IP", - "api": "ConsoleLogin", - "serviceName": "signin.amazonaws.com", - "remoteIpDetails": { - "country": { - "countryName": "United States" - }, - "city": { - "cityName": "Ashburn" - }, - "geoLocation": { - "lon": "-77.472800", - "lat": "39.048100" - }, - "organization": { - "asnOrg": "ASN-Internet-Com", - "org": "Internet-Com", - "isp": "Internet-Com", - "asn": "27850" - }, - "ipAddressV4": "80.14.0.90" - } - } - }, - "serviceName": "guardduty" - }, - "id": "a8b8d0b82c50eed686df4d24fa87b657", - "region": "us-east-1", - "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", - "updatedAt": "2020-04-22T10:30:26.721Z" - } - }, - "rule": { - // "firedtimes": 1, - "mail": false, - "level": 6, - "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal {data.aws.resource.accessKeyDetails.userName}.", - "groups": [ - "amazon", - "aws", - "aws_guardduty" - ], - "id": "80302" - }, - "location": "Wazuh-AWS", - "decoder": { - "name": "json" - } -}; - -module.exports.networkConnection = { - "data": { - "integration": "aws", - "aws": { - "severity": "5", - "schemaVersion": 
"2.0", - "resource": { - "resourceType": "Instance" - }, - "description": "EC2 instance {data.aws.resource.instanceDetails.instanceId} is communicating with a remote host on an unusual server port 5060.", - "source": "guardduty", - "type": "Behavior:EC2/NetworkPortUnusual", - "title": "Unusual outbound communication seen from EC2 instance {data.aws.resource.instanceDetails.instanceId} on server port 5060.", - "accountId": "166157441800", - "createdAt": "2020-04-22T07:18:12.769Z", - "partition": "aws", - "service": { - "archived": "false", - "resourceRole": "ACTOR", - "detectorId": "cab38390b728c06fb2897dfcebffc80d", - "eventFirstSeen": "2020-04-22T07:13:44Z", - "eventLastSeen": "2020-04-22T07:15:04Z", - "additionalInfo": { - "localPort": "50040", - "outBytes": "1912", - "inBytes": "4621", - "unusual": "5060" - }, - "count": "8", - "action": { - "actionType": "NETWORK_CONNECTION", - "networkConnectionAction": { - "localIpDetails": { - "ipAddressV4": "10.0.0.251" - }, - "protocol": "TCP", - "blocked": "false", - "connectionDirection": "OUTBOUND", - "localPortDetails": { - "port": "36220", - "portName": "Unknown" - }, - "remotePortDetails": { - "port": "5050", - "portName": "Unknown" - }, - "remoteIpDetails": { - "country": { - "countryName": "United States" - }, - "city": { - "cityName": "Washington" - }, - "geoLocation": { - "lon": "-77.031900", - "lat": "38.905700" - }, - "organization": { - "asnOrg": "ASN-Supreme-Web", - "org": "Supreme Web", - "isp": "Supreme Web", - "asn": "395604" - }, - "ipAddressV4": "8.2.14.2" - } - } - }, - "serviceName": "guardduty" - }, - "id": "06b8d0602d109db1282f9143809f80b8", - "region": "us-east-1", - "arn": "arn:aws:guardduty:{data.aws.region}:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", - "updatedAt": "2020-04-22T07:18:12.778Z" - } - }, - "rule": { - "mail": false, - "level": 6, - "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 
instance {data.aws.resource.instanceDetails.instanceId} on server port 5060.", - "groups": [ - "amazon", - "aws", - "aws_guardduty" - ], - "id": "80302" - }, - "location": "Wazuh-AWS", - "decoder": { - "name": "json" - }, -}; - -module.exports.iamPolicyGrantGlobal = { - "data": { - "aws": { - "severity": "CRITICAL", - "actor": "resources.wazuh.sample.com", - "summary": { - "Timestamps": "2020-04-22T00:11:44.617597Z,", - "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", - "Bucket": "resources.wazuh.sample.com,", - "Record Count": "1", - "Event Count": "1", - "recipientAccountId": "166157441400", - "ACL": { - "resources": { - "wazuh": { - "com": { - "Owner": { - "DisplayName": "wazuh", - "ID": "3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700" - } - } - } - } - } - }, - "risk-score": "9", - "notification-type": "ALERT_CREATED", - "name": "S3 Bucket IAM policy grants global read rights", - "created-at": "2020-04-22T00:14:45.764008", - "source": "macie", - "url": "https://mt.{data.aws.region}.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3A{data.aws.region}%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded", - "tags": { - "value": "Open Permissions,Basic Alert," - }, - "alert-arn": "arn:aws:macie:{data.aws.region}:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed" - } - }, - "rule": { - "mail": true, - "level": 12, - "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts",
- "groups": ["amazon","aws","aws_macie"],
- "id": "80355"
- },
- "location": "Wazuh-AWS",
- "decoder": {
- "name": "json"
- }
-};
diff --git a/scripts/wazuh-alerts-generator/lib/modules/ciscat.js b/scripts/wazuh-alerts-generator/lib/modules/ciscat.js
deleted file mode 100644
index d1a7202da5..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/ciscat.js
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
- * Wazuh app - CIS-CAT sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
- // CIS-CAT
-// More info https://documentation.wazuh.com/3.12/user-manual/capabilities/policy-monitoring/ciscat/ciscat.html
-module.exports.ruleTitle = ["CIS-CAT 1", "CIS-CAT 2", "CIS-CAT 3", "CIS-CAT 4", "CIS-CAT 5", "CIS-CAT 6"];
-module.exports.group = ["Access, Authentication and Authorization", "Logging and Auditing"];
-module.exports.benchmark = ["CIS Ubuntu Linux 16.04 LTS Benchmark"]; // TODO: add more benchmarks
-module.exports.result = ["fail", "errors", "pass", "unknown", "notchecked"];
\ No newline at end of file
diff --git a/scripts/wazuh-alerts-generator/lib/modules/docker.js b/scripts/wazuh-alerts-generator/lib/modules/docker.js
deleted file mode 100644
index 64a39c5c67..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/docker.js
+++ /dev/null
@@ -1,490 +0,0 @@ -/* - * Wazuh app - Docker sample data - * Copyright (C) 2015-2022 Wazuh, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * Find more information about this on the LICENSE file. - */ - -const { - randomElements -} = require('../common'); - - -module.exports.actorAttributesImage = ["wazuh/wazuh:3.12.0-7.6.1", "docker.elastic.co/elasticsearch/elasticsearch:7.6.2", "docker.elastic.co/kibana/kibana:7.6.2", "nginx:latest"]; -module.exports.type = ["container", "image", "volume", "network"]; -module.exports.action = ["start", "stop", "pause", "unpause"]; -module.exports.actorAttributesName = ["wonderful_page", "nostalgic_gates", "jovial_zuckerberg", "inspiring_jobs", "opening_torvalds", "gifted_bezos", "clever_wales", "laughing_tesla", "kind_nobel"]; // https://github.com/moby/moby/blob/5aa44cdf132788cc0cd28ce2393b44265dd400e9/pkg/namesgenerator/names-generator.go#L600 - -const stringRandom = 'abcdef0123456789'; - -module.exports.dataDocker = [{ - rule: { - level: 3, - description: "Docker: Network vagrant_default created", - id: "87930", - firedtimes: 1, - mail: false, - pci_dss: ["10.2.7"], - groups: ["docker"] - }, - data: { - integration: "docker", - docker: { - Type: "network", - Action: "create", - Actor: { - ID: randomElements(64, stringRandom), - Attributes: { - name: "vagrant_default", - type: "bridge" - } - }, - scope: "local", - time: "1563354307", - timeNano: "1563354307459382528.000000" - } - } - }, - { - rule: { - level: 3, - description: "Docker: Image or repository wazuh/wazuh pulled", - id: "87932", - firedtimes: 1, - mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] - }, - data: { - integration: "docker", - docker: { - status: "pull", - id: "wazuh/wazuh:3.9.2_7.1.1", - Type: "image", - Action: "pull", - Actor: 
{ - ID: "wazuh/wazuh:3.9.2_7.1.1", - Attributes: { - name: "wazuh/wazuh" - } - }, - scope: "local", - time: "1563354346", - timeNano: "1563354346181027328.000000" - } - } - }, - { - rule: { - firedtimes: 2, - mail: false, - level: 5, - pci_dss: [ - "10.2.7" - ], - description: "Docker: Started shell session in container nginx_container", - groups: [ - "docker" - ], - id: "87908", - nist_800_53: [ - "AU.14" - ], - gdpr: [ - "IV_32.2" - ] - }, - data: { - integration: "docker", - docker: { - Action: "exec_start: bash ", - Type: "container", - Actor: { - Attributes: { - image: "nginx", - name: "nginx_container", - maintainer: "NGINX Docker Maintainers ", - execID: randomElements(64, stringRandom), - }, - ID: randomElements(64, stringRandom), - }, - timeNano: "1587404196804128000.000000", - from: "nginx", - time: "1587404196", - status: "exec_start: bash " - } - } - }, - { - rule: { - level: 3, - description: "Docker: Error message", - id: "86003", - firedtimes: 1, - mail: false, - groups: ["docker", "docker-error"] - }, - data: { - docker: { - level: "error", - message: "Not continuing with pull after error: context canceled" - } - } - }, - { - rule: { - level: 3, - description: "Docker: Image or repository wazuh/wazuh-elasticsearch pulled", - id: "87932", - firedtimes: 2, - mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] - }, - data: { - integration: "docker", - docker: { - status: "pull", - id: "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", - Type: "image", - Action: "pull", - Actor: { - ID: "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", - Attributes: { - license: "Elastic License", - name: "wazuh/wazuh-elasticsearch", - org: { - "label-schema": { - "build-date": "20190305", - license: "GPLv2", - name: "elasticsearch", - "schema-version": "1.0", - url: "https://www.elastic.co/products/elasticsearch", - "vcs-url": "https://github.com/elastic/elasticsearch", - vendor: "Elastic", - version: "7.1.1" - } - } - } - }, - scope: "local", - time: "1563354404", - timeNano: 
"1563354404067201536.000000" - } - } - }, - { - rule: { - level: 3, - description: "Docker: Image or repository wazuh/wazuh-kibana pulled", - id: "87932", - firedtimes: 3, - mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] - }, - data: { - integration: "docker", - docker: { - status: "pull", - id: "wazuh/wazuh-kibana:3.9.2_7.1.1", - Type: "image", - Action: "pull", - Actor: { - ID: "wazuh/wazuh-kibana:3.9.2_7.1.1", - Attributes: { - license: "Elastic License", - name: "wazuh/wazuh-kibana", - org: { - "label-schema": { - "build-date": "20190305", - license: "GPLv2", - name: "kibana", - "schema-version": "1.0", - url: "https://www.elastic.co/products/kibana", - "vcs-url": "https://github.com/elastic/kibana", - vendor: "Elastic", - version: "7.1.1" - } - } - } - }, - scope: "local", - time: "1563354404", - timeNano: "1563354404067201536.000000" - } - } - }, - { - rule: { - level: 3, - description: "Docker: Image or repository wazuh/wazuh-nginx pulled", - id: "87932", - firedtimes: 3, - mail: false, - groups: ["docker"], - pci_dss: ["10.2.7"] - }, - data: { - integration: "docker", - docker: { - status: "pull", - id: "wazuh/wazuh-nginx:3.9.2_7.1.1", - Type: "image", - Action: "pull", - Actor: { - ID: "wazuh/wazuh-nginx:3.9.2_7.1.1", - Attributes: { - maintainer: "NGINX Docker Maintainers ", - name: "wazuh/wazuh-nginx" - } - } - }, - scope: "local", - time: "1563354404", - timeNano: "1563354404067201536.000000" - } - }, - { - rule: { - firedtimes: 1, - mail: false, - level: 3, - description: "Docker: Network bridge connected", - groups: [ - "docker" - ], - id: "87928" - }, - data: { - integration: "docker", - docker: { - Action: "connect", - Type: "network", - Actor: { - Attributes: { - container: randomElements(64, stringRandom), - name: "bridge", - type: "bridge" - }, - ID: randomElements(64, stringRandom), - }, - scope: "local", - timeNano: "1587084599776133888.000000", - time: "1587084599" - } - } - }, - { - rule: { - firedtimes: 1, - mail: false, - level: 
3, - description: "Docker: Container test_container started", - groups: [ - "docker" - ], - id: "87928" - }, - data: { - integration: "docker", - docker: { - Action: "start", - Type: "container", - Actor: { - Attributes: { - image: "nginx", - name: "test_container", - maintainer: "NGINX Docker Maintainers " - }, - ID: randomElements(64, stringRandom), - }, - scope: "local", - timeNano: "1587084600046795264.000000", - from: "nginx", - time: "1587084600", - status: "start" - } - } - }, - { - rule: { - firedtimes: 1, - mail: false, - level: 3, - description: "Docker: Container test_container received the action: die", - groups: [ - "docker" - ], - id: "87928", - gdpr: [ - "IV_32.2" - ] - }, - data: { - integration: "docker", - docker: { - Action: "die", - Type: "container", - Actor: { - Attributes: { - image: "nginx", - name: "test_container", - exitCode: "0", - maintainer: "NGINX Docker Maintainers " - }, - ID: randomElements(64, stringRandom), - }, - scope: "local", - timeNano: "1587084648640092672.000000", - from: "nginx", - time: "1587084648", - status: "die" - } - } - }, - { - rule: { - firedtimes: 1, - mail: false, - level: 4, - description: "Docker: Network bridge disconnected", - groups: [ - "docker" - ], - id: "87929", - gdpr: [ - "IV_32.2" - ] - }, - data: { - integration: "docker", - docker: { - Action: "disconnect", - Type: "network", - Actor: { - Attributes: { - container: randomElements(64, stringRandom), - name: "bridge", - type: "bridge" - }, - ID: randomElements(64, stringRandom), - }, - scope: "local", - timeNano: "1586460544485358336.000000", - time: "1586460544" - } - } - }, - { - rule: { - firedtimes: 1, - mail: false, - level: 7, - description: "Docker: Container nginx_container received the action: kill", - groups: [ - "docker" - ], - id: "87924", - gdpr: [ - "IV_32.2" - ] - }, - data: { - integration: "docker", - docker: { - Action: "kill", - Type: "container", - Actor: { - Attributes: { - image: "nginx", - name: "nginx_container", - signal: 
"15",
- maintainer: "NGINX Docker Maintainers "
- },
- ID: randomElements(64, stringRandom),
- },
- scope: "local",
- timeNano: "1586460544324527616.000000",
- from: "nginx",
- time: "1586460544",
- status: "kill"
- }
- }
- },
- {
- rule: {
- firedtimes: 2,
- mail: false,
- level: 3,
- description: "Docker: Container nginx_container stopped",
- groups: [
- "docker"
- ],
- id: "87904",
- gdpr: [
- "IV_32.2"
- ]
- },
- data: {
- integration: "docker",
- docker: {
- Action: "stop",
- Type: "container",
- Actor: {
- Attributes: {
- image: "nginx",
- name: "nginx_container",
- maintainer: "NGINX Docker Maintainers "
- },
- ID: randomElements(64, stringRandom),
- },
- scope: "local",
- timeNano: "1586461541373152000.000000",
- from: "nginx",
- time: "1586461541",
- status: "stop"
- }
- }
- },
- {
- rule: {
- firedtimes: 1,
- mail: false,
- level: 3,
- description: "Docker: Container nginx_container restarted",
- groups: [
- "docker"
- ],
- id: "87909",
- gdpr: [
- "IV_32.2"
- ]
- },
- data: {
- integration: "docker",
- docker: {
- Action: "restart",
- Type: "container",
- Actor: {
- Attributes: {
- image: "nginx",
- name: "nginx_container",
- maintainer: "NGINX Docker Maintainers "
- },
- ID: randomElements(64, stringRandom),
- },
- scope: "local",
- timeNano: "1586460544801840896.000000",
- from: "nginx",
- time: "1586460544",
- status: "restart"
- }
- }
- },
-]
diff --git a/scripts/wazuh-alerts-generator/lib/modules/gcp.js b/scripts/wazuh-alerts-generator/lib/modules/gcp.js
deleted file mode 100644
index 6e2a4768a0..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/gcp.js
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Wazuh app - GCP sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-// GCP
-module.exports.arrayAuthAnswer = ["true", "false"];
-module.exports.arrayProtocol = ['UDP', 'TCP'];
-module.exports.arrayQueryName = ['185.5.205.124.in-addr.arpa.', '98.72.244.104.in-addr.arpa.', 'mirrors.advancedhosters.com.', '41.212.95.203.in-addr.arpa', '41.212.95.203.in-addr.arpa.'];
-module.exports.arrayQueryType = ['PTR', 'PTR', 'PTR', 'PTR', 'PTR', 'A'];
-module.exports.arrayResponseCode = ['NXDOMAIN', 'NOERROR', 'WARNING', 'CRITICAL', 'ALERT', 'EMERGENCY', 'SERVFAIL', 'INFO', 'SUCCESS', 'BADTRUNC', 'BADNAME', 'NOTAUTH'];
-module.exports.arraySourceIP = ['163.172.0.0', '1.33.213.199', '83.32.0.0', '154.84.246.205', '75.142.129.202', '171.197.217.149', '77.38.119.17'];
-module.exports.arrayLocation = ['europe-west1', 'us-central1', 'asia-east1', 'australia-southeast1', 'us-west1', 'us-west3', 'us-west2', 'us-west4', 'us-east1', 'us-east2', 'us-east3', 'southamerica-east1'];
-module.exports.arrayProject = ['wazuh-dev', 'wazuh-prod', 'wazuh-test'];
-module.exports.arraySourceType = ['gce-vm', 'internet'];
-module.exports.arraySeverity = ['ERROR', 'INFO', 'NOTICE', 'CRITICAL', 'EMERGENCY', 'ALERT'];
-module.exports.arrayType = ['dns_query', 'app_script_function', 'generic_task'];
-
-
-module.exports.arrayRules = [{
- level: 12,
- description: "Unable to process query due to a problem with the name server",
- id: "65007",
- firedtimes: 2,
- mail: true,
- groups: ["gcp"]
- },
- {
- level: 5,
- description: "GCP notice event",
- id: "65001",
- firedtimes: 1,
- mail: true,
- groups: ["gcp"]
- },
- {
- level: 3,
- description: "DNS external 
query",
- id: "65032",
- firedtimes: 1,
- mail: true,
- groups: ["gcp"]
- },
- {
- level: 5,
- description: "GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1",
- id: "65034",
- firedtimes: 1,
- mail: true,
- groups: ["gcp"]
- }, {
- level: 9,
- description: "GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1",
- id: "65036",
- firedtimes: 4,
- mail: true,
- groups: ["gcp"]
- },
- {
- level: 11,
- description: "GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1",
- id: "65037",
- firedtimes: 1,
- mail: true,
- groups: ["gcp"]
- },
- {
- level: 12,
- description: "GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from europe-west1",
- id: "65038",
- firedtimes: 2,
- mail: true,
- groups: ["gcp"]
- },
- {
-
- level: 5,
- description: "GCP notice event with source IP 83.32.0.0 from europe-west1 with response code NXDOMAIN",
- id: "65010",
- firedtimes: 2,
- mail: true,
- groups: ["gcp"]
- }
-];
diff --git a/scripts/wazuh-alerts-generator/lib/modules/github.js b/scripts/wazuh-alerts-generator/lib/modules/github.js
deleted file mode 100644
index 793547c5ef..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/github.js
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Wazuh app - GitHub sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-module.exports.LOCATION = 'github';
-
-module.exports.DECODER = { "name": "json" };
-
-module.exports.COUNTRY_CODES = [
- 'AR',
- 'CA',
- 'DE',
- 'ES',
- 'FR',
- 'GR',
- 'IN',
- 'MX',
- 'SE',
- 'US'
-];
-
-const baseElements = Array(10).fill();
-
-module.exports.ORGANIZATION_NAMES = baseElements.map((_, index) => `Organization${index + 1}`);
-
-module.exports.USER_NAMES = baseElements.map((_, index) => `User${index + 1}`);
-
-module.exports.REPOSITORY_NAMES = baseElements.map((_, index) => `Repo${index + 1}`);
-
-module.exports.ACTORS = baseElements.map((_, index) => ({ name: module.exports.USER_NAMES[index], country_code: module.exports.COUNTRY_CODES[index] }));
-
-module.exports.SERVER_ADDRESS_WEBHOOK = [
- 'https://server/webhook',
- 'https://cool_server/integrations/webhook',
- 'https://another_server/github_notifications',
- 'https://my_web/notifications/webhook',
-];
-
-module.exports.ALERT_TYPES = [
- { "rule": { "level": 5, "description": "GitHub Organization audit log export.", "id": "91193", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624444988681.000000", "org": "_ORGANIZATION_", "created_at": "1624444988681.000000", "action": "org.audit_log_export", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "ElEQJvOCnhWZ2mVpjzYOMw" } } },
- { "rule": { "level": 5, "description": "GitHub Team create.", "id": "91397", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { 
"integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624445678369.000000", "org": "_ORGANIZATION_", "created_at": "1624445678369.000000", "action": "team.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "_document_id": "cC4uIXPNDz1O1G21Vjs8Vw" } } },
- { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624445678470.000000", "org": "_ORGANIZATION_", "created_at": "1624445678470.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "user": "_USER_", "_document_id": "0Z4NBBhHM2T4gEuWziZfvQ" } } },
- { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624445927571.000000", "org": "_ORGANIZATION_", "created_at": "1624445927571.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "user": "_USER_", "_document_id": "Hi6dpYdi9G5PrEqqTkEYnA" } } },
- { "rule": { "level": 5, "description": "GitHub Repo create.", "id": "91318", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_repo"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624445965569.000000", "visibility": "private", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624445965569.000000", "action": "repo.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "fXwGe7IW-BX8Ze64V_AORg" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 1, "mail": false, "groups": ["github", 
"git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624445969188.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624446009635.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 5, "description": "GitHub Organization audit log export.", "id": "91193", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446236415.000000", "org": "_ORGANIZATION_", "created_at": "1624446236415.000000", "action": "org.audit_log_git_event_export", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "vkV52PbNTZPJRRNLuOZcuw" } } },
- { "rule": { "level": 5, "description": "GitHub Organization audit log export.", "id": "91193", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446254661.000000", "org": "_ORGANIZATION_", "created_at": "1624446254661.000000", "action": "org.audit_log_export", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "gwkccTbAcX2WujhEXS3r0Q" } } },
- { "rule": { "level": 5, "description": "GitHub Team create.", "id": "91397", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": 
"1624446278480.000000", "org": "_ORGANIZATION_", "created_at": "1624446278480.000000", "action": "team.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "_document_id": "Qf6RhFYhb7ysdV8K8ukYFw" } } },
- { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446278606.000000", "org": "_ORGANIZATION_", "created_at": "1624446278606.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "user": "_USER_", "_document_id": "T6DZ-t0-a9yQShoBbUxc_g" } } },
- { "rule": { "level": 7, "description": "GitHub Team destroy.", "id": "91399", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446293390.000000", "org": "_ORGANIZATION_", "created_at": "1624446293390.000000", "action": "team.destroy", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/_REPOSITORY_", "_document_id": "ZLC0q4Ka_R4gGw3gWgxc3w" } } },
- { "rule": { "level": 7, "description": "GitHub Team remove member.", "id": "91401", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446387691.000000", "org": "_ORGANIZATION_", "created_at": "1624446387691.000000", "action": "team.remove_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/backend", "user": "_USER_", "_document_id": "PYn3TOghg5FYze673svhgw" } } },
- { "rule": { "level": 5, "description": "GitHub Team add member.", "id": "91393", "firedtimes": 3, "mail": false, "groups": ["github", "git", "git_team"] }, "data": { "integration": "github", "github": { "actor": 
"_USER_", "@timestamp": "1624446397464.000000", "org": "_ORGANIZATION_", "created_at": "1624446397464.000000", "action": "team.add_member", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "team": "_ORGANIZATION_/backend", "user": "_USER_", "_document_id": "z4qIP_kjzjnilIhL8ak0mg" } } },
- { "rule": { "level": 3, "description": "GitHub Dependency graph new repos enable.", "id": "91131", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_dependency_graph_new_repos"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446915154.000000", "org": "_ORGANIZATION_", "created_at": "1624446915154.000000", "action": "dependency_graph_new_repos.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "2Az9XCqb-Fe8k0KkLQlk0A" } } },
- { "rule": { "level": 12, "description": "GitHub Dependency graph new repos disable.", "id": "91130", "firedtimes": 1, "mail": true, "groups": ["github", "git", "git_dependency_graph_new_repos"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446916718.000000", "org": "_ORGANIZATION_", "created_at": "1624446916718.000000", "action": "dependency_graph_new_repos.disable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "TzBGANy3SmrnxI8GW9bpQA" } } },
- { "rule": { "level": 5, "description": "GitHub Hook create.", "id": "91162", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_hook"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624446982688.000000", "org": "_ORGANIZATION_", "hook_id": "303999727", "name": "webhook", "created_at": "1624446982688.000000", "action": "hook.create", "active": "true", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "config": { "content_type": "json", "insecure_ssl": "0", "secret": "********", "url": "_SERVER_ADDRESS_WEBHOOK_" }, "events": ["push"], "_document_id": 
"SSlObiXNNtzQzxFooK4-fw" } } },
- { "rule": { "level": 5, "description": "GitHub Hook events changed.", "id": "91165", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_hook"] }, "data": { "integration": "github", "github": { "org": "_ORGANIZATION_", "created_at": "1624447042505.000000", "active": "true", "actor": "_USER_", "@timestamp": "1624447042505.000000", "hook_id": "303999727", "name": "webhook", "action": "hook.events_changed", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "config": { "content_type": "json", "insecure_ssl": "0", "secret": "********", "url": "_SERVER_ADDRESS_WEBHOOK_" }, "events": ["push", "create", "deployment", "fork", "issues"], "_document_id": "Ba9NJbFnSfJB1zGEn29asw", "events_were": ["push"] } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447139607.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 3, "description": "GitHub Git push.", "id": "91160", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447520462.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.push", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 3, "description": "GitHub Git push.", "id": "91160", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_git"] }, "data": 
{ "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447522682.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.push", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624447527007.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 5, "description": "GitHub Repo create.", "id": "91318", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_repo"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447568303.000000", "visibility": "private", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624447568303.000000", "action": "repo.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "AcrdSmMW0PpEEmuGWiTcoQ" } } },
- { "rule": { "level": 9, "description": "GitHub Repo destroy.", "id": "91320", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_repo"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447588615.000000", "visibility": "private", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624447588615.000000", "action": "repo.destroy", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "H-bRCuWh_FAoZxzW8BV9JA" } } },
- { "rule": { "level": 3, "description": "GitHub Git fetch.", "id": "91159", "firedtimes": 1, "mail": false, "groups": 
["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624447744877.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.fetch", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "false" } } },
- { "rule": { "level": 7, "description": "GitHub Organization update default repository permission.", "id": "91231", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448015027.000000", "org": "_ORGANIZATION_", "created_at": "1624448015027.000000", "action": "org.update_default_repository_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "BHpvG7xc2bTNW3ME3nAgDw" } } },
- { "rule": { "level": 7, "description": "GitHub Organization update default repository permission.", "id": "91231", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448020670.000000", "org": "_ORGANIZATION_", "created_at": "1624448020670.000000", "action": "org.update_default_repository_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "t5ZumMJeWBs2CqZT-n4JNA" } } },
- { "rule": { "level": 7, "description": "GitHub Organization update member repository creation permission.", "id": "91233", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448034735.000000", "visibility": "private_internal", "org": "_ORGANIZATION_", "created_at": "1624448034735.000000", "action": "org.update_member_repository_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": 
"CAwbh8KpE75aa0ajCpRISw" } } },
- { "rule": { "level": 7, "description": "GitHub Organization update member repository creation permission.", "id": "91233", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448038247.000000", "visibility": "internal", "org": "_ORGANIZATION_", "created_at": "1624448038247.000000", "action": "org.update_member_repository_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "s96ibVD5sEyRDxYgQ8gKhQ" } } },
- { "rule": { "level": 9, "description": "GitHub Private repository forking enable.", "id": "91273", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_private_repository_forking"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448046546.000000", "org": "_ORGANIZATION_", "created_at": "1624448046546.000000", "action": "private_repository_forking.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "NZWBrO2Ac02LnG3TFeEykA" } } },
- { "rule": { "level": 5, "description": "GitHub Private repository forking disable.", "id": "91274", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_private_repository_forking"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448051193.000000", "org": "_ORGANIZATION_", "created_at": "1624448051193.000000", "action": "private_repository_forking.disable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "5EkgWPa8Du6ZJ_5oOfU_rg" } } },
- { "rule": { "level": 3, "description": "GitHub Generic rule.", "id": "91449", "firedtimes": 1, "mail": false, "groups": ["github", "git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448069427.000000", "org": "_ORGANIZATION_", "created_at": "1624448069427.000000", "action": 
"members_can_create_private_pages.disable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "0rtyFg2GD2-oJyJsOtRZ_A" } } },
- { "rule": { "level": 3, "description": "GitHub Generic rule.", "id": "91449", "firedtimes": 2, "mail": false, "groups": ["github", "git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448073290.000000", "org": "_ORGANIZATION_", "created_at": "1624448073290.000000", "action": "members_can_create_private_pages.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "sSbImF40N-hLe0mfDHkfMg" } } },
- { "rule": { "level": 3, "description": "GitHub Generic rule.", "id": "91449", "firedtimes": 3, "mail": false, "groups": ["github", "git"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448089991.000000", "org": "_ORGANIZATION_", "created_at": "1624448089991.000000", "action": "repository_visibility_change.enable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "dWJ-7ZR6DdumQeu01PAGig" } } },
- { "rule": { "level": 3, "description": "GitHub Issues.", "id": "91169", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_issues"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448109958.000000", "org": "_ORGANIZATION_", "created_at": "1624448109958.000000", "action": "issues.deletes_enabled", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "gWT0UNMVFaI8ZPB3tGGsew" } } },
- { "rule": { "level": 3, "description": "GitHub Issues.", "id": "91169", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_issues"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448114493.000000", "org": "_ORGANIZATION_", "created_at": "1624448114493.000000", "action": "issues.deletes_disabled", "actor_location": { "country_code": 
"_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "T2hgq3r3yVD23Np6CAD-zQ" } } },
- { "rule": { "level": 5, "description": "GitHub Organization display commenter full name enabled.", "id": "91202", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448121171.000000", "org": "_ORGANIZATION_", "created_at": "1624448121171.000000", "action": "org.display_commenter_full_name_enabled", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "o-Edi8owvz1iPv78RPPSJw" } } },
- { "rule": { "level": 3, "description": "GitHub Organization.", "id": "91188", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448125116.000000", "org": "_ORGANIZATION_", "created_at": "1624448125116.000000", "action": "org.display_commenter_full_name_disabled", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "OxJjqpug2FM8RJuzE1CZpA" } } },
- { "rule": { "level": 3, "description": "GitHub Organization.", "id": "91188", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448133245.000000", "org": "_ORGANIZATION_", "created_at": "1624448133245.000000", "action": "org.enable_reader_discussion_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "5KmA_VkQPn3I6gY4L8qFPA" } } },
- { "rule": { "level": 3, "description": "GitHub Organization.", "id": "91188", "firedtimes": 3, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448138392.000000", "org": "_ORGANIZATION_", "created_at": "1624448138392.000000", "action": 
"org.disable_reader_discussion_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "JQ3JAd3zHmpRpGZYJsJIQw" } } },
- { "rule": { "level": 5, "description": "GitHub Organization enable member team creation permission.", "id": "91203", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448148271.000000", "org": "_ORGANIZATION_", "created_at": "1624448148271.000000", "action": "org.enable_member_team_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "sd2fnKW-Jc_OZI9xm2pyyQ" } } },
- { "rule": { "level": 9, "description": "GitHub Organization disable member team creation permission.", "id": "91198", "firedtimes": 1, "mail": false, "groups": ["github", "git", "git_org"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448154972.000000", "org": "_ORGANIZATION_", "created_at": "1624448154972.000000", "action": "org.disable_member_team_creation_permission", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "ppjVxGQBAQts82at9Az3XQ" } } },
- { "rule": { "level": 12, "description": "GitHub Repository vulnerability alerts disable.", "id": "91367", "firedtimes": 1, "mail": true, "groups": ["github", "git", "git_repository_vulnerability_alerts"] }, "data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448419210.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624448419210.000000", "action": "repository_vulnerability_alerts.disable", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "user": "_USER_", "_document_id": "wgf0uCen5LG4su6jQ2xKDA" } } },
- { "rule": { "level": 5, "description": "GitHub Repo create.", "id": "91318", "firedtimes": 2, "mail": false, "groups": ["github", "git", "git_repo"] }, 
"data": { "integration": "github", "github": { "actor": "_USER_", "@timestamp": "1624448419470.000000", "visibility": "public", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "created_at": "1624448419470.000000", "action": "repo.create", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "_document_id": "oLAjZ_DbHvzZlPmRCXr4MA" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 3, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448422207.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 4, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448423987.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 5, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448432101.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 6, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", 
"github": { "@timestamp": "1624448487893.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
- { "rule": { "level": 3, "description": "GitHub Git clone.", "id": "91158", "firedtimes": 7, "mail": false, "groups": ["github", "git", "git_git"] }, "data": { "integration": "github", "github": { "@timestamp": "1624448736294.000000", "org": "_ORGANIZATION_", "repo": "_ORGANIZATION_/_REPOSITORY_", "actor_location": { "country_code": "_COUNTRY_CODE_" }, "action": "git.clone", "transport_protocol_name": "http", "transport_protocol": "1", "repository": "_ORGANIZATION_/_REPOSITORY_", "repository_public": "true" } } },
-];
diff --git a/scripts/wazuh-alerts-generator/lib/modules/integrity-monitoring.js b/scripts/wazuh-alerts-generator/lib/modules/integrity-monitoring.js
deleted file mode 100644
index eb406366ea..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/integrity-monitoring.js
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Wazuh app - FIM sample alerts
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-module.exports.events = ["modified", "deleted", "added"];
-module.exports.attributes = ["mtime", "inode", "size", "tmp", "md5", "sha1", "sha256"];
-module.exports.pathsLinux = [
- "/etc/resolv.conf",
- "/var/wazuh/queue/fim/db/fim.db-journal",
- "/var/wazuh/queue/fim/db/fim.db",
- "/var/osquery/osquery.db/CURRENT",
- "/etc/sysconfig/network-scripts/ifcfg-eth1",
- "/etc/filebeat/fields.yml",
- "/var/log/lastlog",
- "/tmp/agent.conf",
- "/etc/elasticsearch/elasticsearch.yml",
- "/etc/elasticsearch/users",
- "/etc/elasticsearch/config",
- "/tmp/wazuh-config",
- "/run/utmp",
- "/etc/resolv.conf",
- "/var/wazuh/queue/fim/db/fim.db",
- "/var/osquery/osquery.db/CURRENT",
- "/run/utmp"
-];
-module.exports.pathsWindows = [
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv",
- "[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4",
- "[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime",
- "[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch",
- 
"c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal",
- "c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector",
- "c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter",
- "c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db",
- "c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend",
- "[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-856620481-996501011-1859314257-500",
-];
-module.exports.uid_after = ["0", "S-1-5-18", "S-1-5-32-544", "996", "S-1-5-19"];
-module.exports.gid_after = ["994", "0", "993", "190", "22"];
-module.exports.tags = ["tmp"];
-module.exports.regulatory = [{
- "firedtimes": 1,
- "mail": false,
- "level": 5,
- "pci_dss": [
- "11.5"
- ],
- "hipaa": [
- "164.312.c.1",
- "164.312.c.2"
- ],
- "description": "File added to the system.",
- "groups": [
- "wazuh",
- "syscheck"
- ],
- "id": "554",
- "nist_800_53": [
- "SI.7"
- ],
- "gpg13": [
- "4.11"
- ],
- "gdpr": [
- "II_5.1.f"
- ]
- },
- {
- "firedtimes": 2,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "11.5"
- ],
- "hipaa": [
- "164.312.c.1",
- "164.312.c.2"
- ],
- "description": "Integrity checksum changed.",
- "groups": [
- "wazuh",
- "syscheck"
- ],
- "id": "550",
- "nist_800_53": [
- "SI.7"
- ],
- "gpg13": [
- "4.11"
- ],
- "gdpr": [
- "II_5.1.f"
- ]
- },
- {
- "firedtimes": 2,
- "mail": false,
- "level": 7,
- "pci_dss": [
- "11.5"
- ],
- "hipaa": [
- "164.312.c.1",
- "164.312.c.2"
- ],
- "description": "File deleted.",
- "groups": [
- "wazuh",
- "syscheck"
- ],
- "id": "553",
- "nist_800_53": [
- "SI.7"
- ],
- "gpg13": [
- "4.11"
- ],
- "gdpr": [
- "II_5.1.f"
- ]
- },
-];
diff --git a/scripts/wazuh-alerts-generator/lib/modules/mitre.js b/scripts/wazuh-alerts-generator/lib/modules/mitre.js
deleted file mode 100644
index 2a731b5ee4..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/mitre.js
+++ /dev/null
@@ -1,1787 +0,0 @@ -/* - * Wazuh app - Mitre sample alerts - * Copyright (C) 2015-2022 Wazuh, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * Find more information about this on the LICENSE file. - */ - -// Mitre -module.exports.arrayMitreRules = [ - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 504, - level: 3, - status: 'enabled', - details: { if_sid: '500', match: 'Agent disconnected' }, - pci_dss: ['10.6.1', '10.2.6'], - gpg13: ['10.1'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'AU.14', 'AU.5'], - tsc: ['CC7.2', 'CC7.3', 'CC6.8'], - mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] }, - groups: ['wazuh'], - description: 'Ossec agent disconnected.', - }, - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 505, - level: 3, - status: 'enabled', - details: { if_sid: '500', match: 'Agent removed' }, - pci_dss: ['10.6.1', '10.2.6'], - gpg13: ['10.1'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'AU.14', 'AU.5'], - tsc: ['CC7.2', 'CC7.3', 'CC6.8'], - mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] }, - groups: ['wazuh'], - description: 'Ossec agent removed.', - }, - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 518, - level: 9, - status: 'enabled', - details: { if_sid: '514', match: 'Adware|Spyware' }, - gpg13: ['4.2'], - gdpr: ['IV_35.7.d'], - mitre: { - tactic: ['Lateral Movement'], - id: ['T1017'], - technique: ['Application Deployment Software'], - }, - groups: ['rootcheck', 'wazuh'], - description: 'Windows Adware/Spyware application found.', - }, - { - filename: '0015-ossec_rules.xml', - 
relative_dirname: 'ruleset/rules', - id: 550, - level: 7, - status: 'enabled', - details: { category: 'wazuh', decoded_as: 'syscheck_integrity_changed' }, - pci_dss: ['11.5'], - gpg13: ['4.11'], - gdpr: ['II_5.1.f'], - hipaa: ['164.312.c.1', '164.312.c.2'], - nist_800_53: ['SI.7'], - tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] }, - groups: ['syscheck', 'wazuh'], - description: 'Integrity checksum changed.', - }, - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 553, - level: 7, - status: 'enabled', - details: { category: 'wazuh', decoded_as: 'syscheck_deleted' }, - pci_dss: ['11.5'], - gpg13: ['4.11'], - gdpr: ['II_5.1.f'], - hipaa: ['164.312.c.1', '164.312.c.2'], - nist_800_53: ['SI.7'], - tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Defense Evasion', 'Impact'], - id: ['T1107', 'T1485'], - technique: ['File Deletion', 'Data Destruction'], - }, - groups: ['syscheck', 'wazuh'], - description: 'File deleted.', - }, - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 592, - level: 8, - status: 'enabled', - details: { if_sid: '500', match: '^ossec: File size reduced' }, - pci_dss: ['10.5.2', '11.4'], - gpg13: ['10.1'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.9', 'SI.4'], - tsc: ['CC6.1', 'CC7.2', 'CC7.3', 'CC6.8'], - mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] }, - groups: ['attacks', 'wazuh'], - description: 'Log file size reduced.', - }, - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 593, - level: 9, - status: 'enabled', - details: { if_sid: '500', match: '^ossec: Event log cleared' }, - pci_dss: ['10.5.2'], - gpg13: ['10.1'], - gdpr: ['II_5.1.f', 'IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.9'], - tsc: ['CC6.1', 'CC7.2', 'CC7.3'], - mitre: { tactic: 
['Defense Evasion'], id: ['T1070'], technique: ['Indicator Removal on Host'] }, - groups: ['logs_cleared', 'wazuh'], - description: 'Microsoft Event log cleared.', - }, - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 594, - level: 5, - status: 'enabled', - details: { category: 'wazuh', if_sid: '550', hostname: 'syscheck-registry' }, - pci_dss: ['11.5'], - gpg13: ['4.13'], - gdpr: ['II_5.1.f'], - hipaa: ['164.312.c.1', '164.312.c.2'], - nist_800_53: ['SI.7'], - tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] }, - groups: ['syscheck', 'wazuh'], - description: 'Registry Integrity Checksum Changed', - }, - { - filename: '0015-ossec_rules.xml', - relative_dirname: 'ruleset/rules', - id: 597, - level: 5, - status: 'enabled', - details: { category: 'wazuh', if_sid: '553', hostname: 'syscheck-registry' }, - pci_dss: ['11.5'], - gpg13: ['4.13'], - gdpr: ['II_5.1.f'], - hipaa: ['164.312.c.1', '164.312.c.2'], - nist_800_53: ['SI.7'], - tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Defense Evasion', 'Impact'], - id: ['T1107', 'T1485'], - technique: ['File Deletion', 'Data Destruction'], - }, - groups: ['syscheck', 'wazuh'], - description: 'Registry Entry Deleted.', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 1003, - level: 13, - status: 'enabled', - details: { maxsize: '1025', noalert: '1' }, - gpg13: ['4.3'], - mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, - groups: ['syslog', 'errors'], - description: 'Non standard syslog message (size too large).', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2301, - level: 10, - status: 'enabled', - details: { match: '^Deactivating service ' }, - pci_dss: ['10.6.1'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6'], - 
tsc: ['CC7.2', 'CC7.3'], - mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, - groups: ['syslog', 'xinetd'], - description: 'xinetd: Excessive number connections to a service.', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2502, - level: 10, - status: 'enabled', - details: { match: 'more authentication failures;|REPEATED login failures' }, - pci_dss: ['10.2.4', '10.2.5'], - gpg13: ['7.8'], - gdpr: ['IV_35.7.d', 'IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] }, - groups: ['authentication_failed', 'syslog', 'access_control'], - description: 'syslog: User missed the password more than one time', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2503, - level: 5, - status: 'enabled', - details: { - regex: [ - '^refused connect from|', - '^libwrap refused connection|', - 'Connection from S+ denied', - ], - }, - pci_dss: ['10.2.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Command and Control'], - id: ['T1095'], - technique: ['Standard Non-Application Layer Protocol'], - }, - groups: ['access_denied', 'syslog', 'access_control'], - description: 'syslog: Connection blocked by Tcp Wrappers.', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2504, - level: 9, - status: 'enabled', - details: { match: 'ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED' }, - pci_dss: ['10.2.4', '10.2.5', '10.2.2'], - gpg13: ['7.8'], - gdpr: ['IV_35.7.d', 'IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7', 'AC.6'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] }, - groups: ['invalid_login', 
'syslog', 'access_control'], - description: 'syslog: Illegal root login.', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2551, - level: 10, - status: 'enabled', - details: { if_sid: '2550', regex: '^Connection from S+ on illegal port$' }, - pci_dss: ['10.6.1'], - gpg13: ['7.1'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6'], - tsc: ['CC7.2', 'CC7.3'], - mitre: { tactic: ['Discovery'], id: ['T1046'], technique: ['Network Service Scanning'] }, - groups: ['connection_attempt', 'syslog', 'access_control'], - description: 'Connection to rshd from unprivileged port. Possible network scan.', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2833, - level: 8, - status: 'enabled', - details: { if_sid: '2832', match: '^(root)' }, - pci_dss: ['10.2.7', '10.6.1', '10.2.2'], - gpg13: ['4.13'], - gdpr: ['IV_35.7.d', 'IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AU.6', 'AC.6'], - tsc: ['CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] }, - groups: ['syslog', 'cron'], - description: "Root's crontab entry changed.", - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2960, - level: 2, - status: 'enabled', - details: { decoded_as: 'gpasswd', match: 'added by' }, - gpg13: ['7.9', '4.13'], - gdpr: ['IV_32.2'], - mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] }, - groups: ['syslog', 'yum'], - description: 'User added to group.', - }, - { - filename: '0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2961, - level: 5, - status: 'enabled', - details: { if_sid: '2960', group: 'sudo' }, - gpg13: ['7.9', '4.13'], - gdpr: ['IV_32.2'], - mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] }, - groups: ['syslog', 'yum'], - description: 'User added to group sudo.', - }, - { - filename: 
'0020-syslog_rules.xml', - relative_dirname: 'ruleset/rules', - id: 2964, - level: 10, - status: 'enabled', - details: { frequency: '4', timeframe: '30', if_matched_sid: '2963', same_source_ip: '' }, - pci_dss: ['11.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, - groups: ['recon', 'syslog', 'perdition'], - description: 'perdition: Multiple connection attempts from same source.', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3102, - level: 5, - status: 'enabled', - details: { if_sid: '3101', match: 'reject=451 4.1.8 ' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'sendmail'], - description: - 'sendmail: Sender domain does not have any valid MX record (Requested action aborted).', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3103, - level: 6, - status: 'enabled', - details: { if_sid: '3101', match: 'reject=550 5.0.0 |reject=553 5.3.0' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'sendmail'], - description: 'sendmail: Rejected by access list (55x: Requested action not taken).', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3104, - level: 6, - status: 'enabled', - details: { if_sid: '3101', match: 'reject=550 5.7.1 ' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'sendmail'], - description: 
'sendmail: Attempt to use mail server as relay (550: Requested action not taken).', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3105, - level: 5, - status: 'enabled', - details: { if_sid: '3101', match: 'reject=553 5.1.8 ' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'sendmail'], - description: 'sendmail: Sender domain is not found (553: Requested action not taken).', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3106, - level: 5, - status: 'enabled', - details: { if_sid: '3101', match: 'reject=553 5.5.4 ' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'sendmail'], - description: 'sendmail: Sender address does not have domain (553: Requested action not taken).', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3108, - level: 6, - status: 'enabled', - details: { if_sid: '3100', match: 'rejecting commands from' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'sendmail'], - description: 'sendmail: Sendmail rejected due to pre-greeting.', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3151, - level: 10, - status: 'enabled', - details: { frequency: '8', timeframe: '120', if_matched_sid: '3102', same_source_ip: '' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: 
['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'sendmail'], - description: 'sendmail: Sender domain has bogus MX record. It should not be sending e-mail.', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3152, - level: 6, - status: 'enabled', - details: { frequency: '8', timeframe: '120', if_matched_sid: '3103', same_source_ip: '' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'sendmail'], - description: - 'sendmail: Multiple attempts to send e-mail from a previously rejected sender (access).', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3153, - level: 6, - status: 'enabled', - details: { frequency: '8', timeframe: '120', if_matched_sid: '3104', same_source_ip: '' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'sendmail'], - description: 'sendmail: Multiple relaying attempts of spam.', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3154, - level: 10, - status: 'enabled', - details: { frequency: '8', timeframe: '120', if_matched_sid: '3105', same_source_ip: '' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: 
['multiple_spam', 'syslog', 'sendmail'], - description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain.', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3155, - level: 10, - status: 'enabled', - details: { frequency: '8', timeframe: '120', if_matched_sid: '3106', same_source_ip: '' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'sendmail'], - description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender.', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3156, - level: 10, - status: 'enabled', - details: { frequency: '12', timeframe: '120', if_matched_sid: '3107', same_source_ip: '' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'sendmail'], - description: 'sendmail: Multiple rejected e-mails from same source ip.', - }, - { - filename: '0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3158, - level: 10, - status: 'enabled', - details: { frequency: '8', timeframe: '120', if_matched_sid: '3108', same_source_ip: '' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'sendmail'], - description: 'sendmail: Multiple pre-greetings rejects.', - }, - { - filename: 
'0025-sendmail_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3191, - level: 6, - status: 'enabled', - details: { if_sid: '3190', match: '^sender check failed|^sender check tempfailed' }, - pci_dss: ['11.4'], - gdpr: ['IV_35.7.d'], - nist_800_53: ['SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['smf-sav', 'spam', 'syslog', 'sendmail'], - description: 'sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3301, - level: 6, - status: 'enabled', - details: { if_sid: '3300', id: '^554$' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: Attempt to use mail server as relay (client host rejected).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3302, - level: 6, - status: 'enabled', - details: { if_sid: '3300', id: '^550$' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: Rejected by access list (Requested action not taken).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3303, - level: 5, - status: 'enabled', - details: { if_sid: '3300', id: '^450$' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], 
technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: Sender domain is not found (450: Requested mail action not taken).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3304, - level: 5, - status: 'enabled', - details: { if_sid: '3300', id: '^503$' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: - 'Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3305, - level: 5, - status: 'enabled', - details: { if_sid: '3300', id: '^504$' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: - 'Postfix: Recipient address must contain FQDN (504: Command parameter not implemented).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3306, - level: 6, - status: 'enabled', - details: { if_sid: '3301, 3302', match: ' blocked using ' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: IP Address black-listed by anti-spam (blocked).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3330, - level: 10, - status: 'enabled', - details: { - ignore: '240', - 
if_sid: '3320', - match: [ - 'defer service failure|Resource temporarily unavailable|', - '^fatal: the Postfix mail system is not running', - ], - }, - pci_dss: ['10.6.1'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6'], - tsc: ['CC7.2', 'CC7.3'], - mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, - groups: ['service_availability', 'syslog', 'postfix'], - description: 'Postfix process error.', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3335, - level: 6, - status: 'enabled', - details: { if_sid: '3320', match: '^too many ' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: too many errors after RCPT from unknown', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3351, - level: 6, - status: 'enabled', - details: { - frequency: '$POSTFIX_FREQ', - timeframe: '90', - if_matched_sid: '3301', - same_source_ip: '', - }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'postfix'], - description: 'Postfix: Multiple relaying attempts of spam.', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3352, - level: 6, - status: 'enabled', - details: { - frequency: '$POSTFIX_FREQ', - timeframe: '120', - if_matched_sid: '3302', - same_source_ip: '', - }, - pci_dss: ['10.6.1', '11.4'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 
'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'postfix'], - description: 'Postfix: Multiple attempts to send e-mail from a rejected sender IP (access).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3353, - level: 10, - status: 'enabled', - details: { - frequency: '$POSTFIX_FREQ', - timeframe: '120', - if_matched_sid: '3303', - same_source_ip: '', - }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'postfix'], - description: 'Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain.', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3354, - level: 12, - status: 'enabled', - details: { - frequency: '$POSTFIX_FREQ', - timeframe: '120', - if_matched_sid: '3304', - same_source_ip: '', - }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['multiple_spam', 'syslog', 'postfix'], - description: 'Postfix: Multiple misuse of SMTP service (bad sequence of commands).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3355, - level: 10, - status: 'enabled', - details: { - frequency: '$POSTFIX_FREQ', - timeframe: '120', - if_matched_sid: '3305', - same_source_ip: '', - }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: 
['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'syslog', 'postfix'], - description: - 'Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3356, - level: 10, - status: 'enabled', - details: { - frequency: '$POSTFIX_FREQ', - timeframe: '120', - ignore: '30', - if_matched_sid: '3306', - same_source_ip: '', - }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, - groups: ['multiple_spam', 'syslog', 'postfix'], - description: - 'Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked).', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3357, - level: 10, - status: 'enabled', - details: { - frequency: '8', - timeframe: '120', - ignore: '60', - if_matched_sid: '3332', - same_source_ip: '', - }, - pci_dss: ['10.2.4', '10.2.5', '11.4'], - gdpr: ['IV_35.7.d', 'IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7', 'SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] }, - groups: ['authentication_failures', 'syslog', 'postfix'], - description: 'Postfix: Multiple SASL authentication failures.', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3396, - level: 6, - status: 'enabled', - details: { if_sid: '3395', match: 'verification' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - 
mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: hostname verification failed', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3397, - level: 6, - status: 'enabled', - details: { if_sid: '3395', match: 'RBL' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: RBL lookup error: Host or domain name not found', - }, - { - filename: '0030-postfix_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3398, - level: 6, - status: 'enabled', - details: { if_sid: '3395', match: 'MAIL|does not resolve to address' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, - groups: ['spam', 'syslog', 'postfix'], - description: 'Postfix: Illegal address from unknown sender', - }, - { - filename: '0040-imapd_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3602, - level: 3, - status: 'enabled', - details: { if_sid: '3600', match: 'Authenticated user=' }, - pci_dss: ['10.2.5'], - gpg13: ['7.1'], - gdpr: ['IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7'], - tsc: ['CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] }, - groups: ['authentication_success', 'syslog', 'imapd'], - description: 'Imapd user login.', - }, - { - filename: '0040-imapd_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3651, - level: 10, - status: 'enabled', - details: { - frequency: '$IMAPD_FREQ', - timeframe: '120', - if_matched_sid: '3601', - 
same_source_ip: '', - }, - pci_dss: ['10.2.4', '10.2.5', '11.4'], - gpg13: ['7.1'], - gdpr: ['IV_35.7.d', 'IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7', 'SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] }, - groups: ['authentication_failures', 'syslog', 'imapd'], - description: 'Imapd Multiple failed logins from same source ip.', - }, - { - filename: '0045-mailscanner_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3751, - level: 6, - status: 'enabled', - details: { frequency: '8', timeframe: '180', if_matched_sid: '3702', same_source_ip: '' }, - pci_dss: ['10.6.1'], - gpg13: ['4.12'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6'], - tsc: ['CC7.2', 'CC7.3'], - mitre: { - tactic: ['Credential Access', 'Collection'], - id: ['T1110', 'T1114'], - technique: ['Brute Force', 'Email Collection'], - }, - groups: ['multiple_spam', 'syslog', 'mailscanner'], - description: 'mailscanner: Multiple attempts of spam.', - }, - { - filename: '0050-ms-exchange_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3851, - level: 9, - status: 'enabled', - details: { - frequency: '12', - timeframe: '120', - ignore: '120', - if_matched_sid: '3801', - same_source_ip: '', - }, - pci_dss: ['10.6.1'], - gpg13: ['4.12'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6'], - tsc: ['CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'ms', 'exchange'], - description: 'ms-exchange: Multiple e-mail attempts to an invalid account.', - }, - { - filename: '0050-ms-exchange_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3852, - level: 9, - status: 'enabled', - details: { - frequency: '14', - timeframe: '120', - ignore: '240', - if_matched_sid: '3802', - same_source_ip: '', - }, - pci_dss: 
['10.6.1'], - gpg13: ['4.12'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6'], - tsc: ['CC7.2', 'CC7.3'], - mitre: { - tactic: ['Collection', 'Impact'], - id: ['T1114', 'T1499'], - technique: ['Email Collection', 'Endpoint Denial of Service'], - }, - groups: ['multiple_spam', 'ms', 'exchange'], - description: 'ms-exchange: Multiple e-mail 500 error code (spam).', - }, - { - filename: '0055-courier_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3904, - level: 3, - status: 'enabled', - details: { if_sid: '3900', match: '^LOGIN,' }, - pci_dss: ['10.2.5'], - gpg13: ['7.1', '7.2'], - gdpr: ['IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7'], - tsc: ['CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] }, - groups: ['authentication_success', 'syslog', 'courier'], - description: 'Courier (imap/pop3) authentication success.', - }, - { - filename: '0055-courier_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3910, - level: 10, - status: 'enabled', - details: { frequency: '12', timeframe: '30', if_matched_sid: '3902', same_source_ip: '' }, - pci_dss: ['10.2.4', '10.2.5', '11.4'], - gpg13: ['7.1'], - gdpr: ['IV_35.7.d', 'IV_32.2'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.14', 'AC.7', 'SI.4'], - tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], - mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] }, - groups: ['authentication_failures', 'syslog', 'courier'], - description: 'Courier brute force (multiple failed logins).', - }, - { - filename: '0055-courier_rules.xml', - relative_dirname: 'ruleset/rules', - id: 3911, - level: 10, - status: 'enabled', - details: { frequency: '17', timeframe: '30', if_matched_sid: '3901', same_source_ip: '' }, - pci_dss: ['10.6.1', '11.4'], - gdpr: ['IV_35.7.d'], - hipaa: ['164.312.b'], - nist_800_53: ['AU.6', 'SI.4'], - tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], - mitre: { tactic: ['Credential Access'], 
id: ['T1110'], technique: ['Brute Force'] },
- groups: ['recon', 'syslog', 'courier'],
- description: 'Courier: Multiple connection attempts from same source.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4323,
- level: 3,
- status: 'enabled',
- details: { if_sid: '4314', id: '^6-605005' },
- pci_dss: ['10.2.5'],
- gpg13: ['7.8'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'syslog', 'pix'],
- description: 'PIX: Successful login.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4325,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4313', id: '^4-405001' },
- pci_dss: ['10.6.1'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.6'],
- tsc: ['CC7.2', 'CC7.3'],
- mitre: {
- tactic: ['Command and Control'],
- id: ['T1095'],
- technique: ['Standard Non-Application Layer Protocol'],
- },
- groups: ['syslog', 'pix'],
- description: 'PIX: ARP collision detected.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4335,
- level: 3,
- status: 'enabled',
- details: { if_sid: '4314', id: '^6-113004' },
- pci_dss: ['10.2.5'],
- gpg13: ['7.1', '7.2'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'syslog', 'pix'],
- description: 'PIX: AAA (VPN) authentication successful.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4336,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4314', id: '^6-113006' },
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['7.1', '7.5'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- 
hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
- groups: ['authentication_failed', 'syslog', 'pix'],
- description: 'PIX: AAA (VPN) user locked out.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4337,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4312', id: '^3-201008' },
- pci_dss: ['10.6.1'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.6'],
- tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
- groups: ['service_availability', 'syslog', 'pix'],
- description: 'PIX: The PIX is disallowing new connections.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4339,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4314', id: '^5-111003' },
- pci_dss: ['1.1.1', '10.4'],
- gpg13: ['4.13'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.a.1', '164.312.b'],
- nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
- tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
- groups: ['config_changed', 'syslog', 'pix'],
- description: 'PIX: Firewall configuration deleted.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4340,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4314', id: '^5-111005|^5-111004|^5-111002|^5-111007' },
- pci_dss: ['1.1.1', '10.4'],
- gpg13: ['4.13'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.a.1', '164.312.b'],
- nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
- tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
- groups: ['config_changed', 'syslog', 'pix'],
- description: 'PIX: Firewall 
configuration changed.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4342,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4314', id: '^5-502101|^5-502102' },
- pci_dss: ['8.1.2', '10.2.5'],
- gpg13: ['4.13'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.a.2.I', '164.312.a.2.II', '164.312.b'],
- nist_800_53: ['AC.2', 'IA.4', 'AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: {
- tactic: ['Defense Evasion', 'Initial Access'],
- id: ['T1089', 'T1133'],
- technique: ['Disabling Security Tools', 'External Remote Services'],
- },
- groups: ['adduser', 'account_changed', 'syslog', 'pix'],
- description: 'PIX: User created or modified on the Firewall.',
- },
- {
- filename: '0065-pix_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4386,
- level: 10,
- status: 'enabled',
- details: { frequency: '10', timeframe: '240', if_matched_sid: '4334', same_source_ip: '' },
- pci_dss: ['11.4', '10.2.4', '10.2.5'],
- gpg13: ['7.1'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['SI.4', 'AU.14', 'AC.7'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: {
- tactic: ['Credential Access', 'Initial Access'],
- id: ['T1110', 'T1133'],
- technique: ['Brute Force', 'External Remote Services'],
- },
- groups: ['authentication_failures', 'syslog', 'pix'],
- description: 'PIX: Multiple AAA (VPN) authentication failures.',
- },
- {
- filename: '0070-netscreenfw_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4505,
- level: 11,
- status: 'enabled',
- details: { if_sid: '4503', id: '^00027' },
- pci_dss: ['1.4', '10.6.1'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.a.1', '164.312.b'],
- nist_800_53: ['SC.7', 'AU.6'],
- tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1485'], technique: ['Data Destruction'] },
- groups: ['service_availability', 'netscreenfw'],
- description: 'Netscreen Erase sequence started.',
- },
- {
- filename: 
'0070-netscreenfw_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4506,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4501', id: '^00002' },
- pci_dss: ['10.2.5', '10.2.2'],
- gpg13: ['7.8'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'netscreenfw'],
- description: 'Netscreen firewall: Successfull admin login',
- },
- {
- filename: '0070-netscreenfw_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4507,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4502', id: '^00515' },
- pci_dss: ['10.2.5', '10.2.2'],
- gpg13: ['7.8'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'netscreenfw'],
- description: 'Netscreen firewall: Successfull admin login',
- },
- {
- filename: '0070-netscreenfw_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4509,
- level: 8,
- status: 'enabled',
- details: { if_sid: '4504', id: '^00767' },
- pci_dss: ['1.1.1'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.a.1'],
- nist_800_53: ['CM.3', 'CM.5'],
- tsc: ['CC8.1'],
- mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
- groups: ['config_changed', 'netscreenfw'],
- description: 'Netscreen firewall: configuration changed.',
- },
- {
- filename: '0070-netscreenfw_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4550,
- level: 10,
- status: 'enabled',
- details: {
- frequency: '6',
- timeframe: '180',
- ignore: '60',
- if_matched_sid: '4503',
- same_source_ip: '',
- },
- pci_dss: ['1.4', '10.6.1', '11.4'],
- gpg13: ['4.1'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.a.1', '164.312.b'],
- nist_800_53: 
['SC.7', 'AU.6', 'SI.4'],
- tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3', 'CC6.1'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
- groups: ['netscreenfw'],
- description: 'Netscreen firewall: Multiple critical messages from same source IP.',
- },
- {
- filename: '0070-netscreenfw_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4551,
- level: 10,
- status: 'enabled',
- details: { frequency: '8', timeframe: '180', ignore: '60', if_matched_sid: '4503' },
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
- groups: ['netscreenfw'],
- description: 'Netscreen firewall: Multiple critical messages.',
- },
- {
- filename: '0075-cisco-ios_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4722,
- level: 3,
- status: 'enabled',
- details: { if_sid: '4715', id: '^%SEC_LOGIN-5-LOGIN_SUCCESS' },
- pci_dss: ['10.2.5'],
- gpg13: ['3.6'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'syslog', 'cisco_ios'],
- description: 'Cisco IOS: Successful login to the router.',
- },
- {
- filename: '0080-sonicwall_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4810,
- level: 3,
- status: 'enabled',
- details: { if_sid: '4806', id: '^236$' },
- pci_dss: ['10.2.5'],
- gpg13: ['3.6'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'syslog', 'sonicwall'],
- description: 'SonicWall: Firewall administrator login.',
- },
- {
- filename: '0080-sonicwall_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 4851,
- level: 10,
- status: 'enabled',
- details: { frequency: '8', timeframe: '120', ignore: '60', if_matched_sid: 
'4803' },
- pci_dss: ['10.6.1'],
- gpg13: ['3.5'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.6'],
- tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
- groups: ['service_availability', 'syslog', 'sonicwall'],
- description: 'SonicWall: Multiple firewall error messages.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5103,
- level: 9,
- status: 'enabled',
- details: { if_sid: '5100', match: 'Oversized packet received from' },
- gdpr: ['IV_35.7.d'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
- groups: ['syslog', 'linuxkernel'],
- description: 'Error message from the kernel. Ping of death attack.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5104,
- level: 8,
- status: 'enabled',
- details: {
- if_sid: '5100',
- regex: ['Promiscuous mode enabled|', 'device S+ entered promiscuous mode'],
- },
- pci_dss: ['10.6.1', '11.4'],
- gpg13: ['4.13'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.6', 'SI.4'],
- tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
- mitre: { tactic: ['Discovery'], id: ['T1040'], technique: ['Network Sniffing'] },
- groups: ['promisc', 'syslog', 'linuxkernel'],
- description: 'Interface entered in promiscuous(sniffing) mode.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5108,
- level: 12,
- status: 'enabled',
- details: { if_sid: '5100', match: 'Out of Memory: ' },
- pci_dss: ['10.6.1'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.6'],
- tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
- groups: ['service_availability', 'syslog', 'linuxkernel'],
- description: 'System running out of memory. 
Availability of the system is in risk.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5113,
- level: 7,
- status: 'enabled',
- details: { if_sid: '5100', match: 'Kernel log daemon terminating' },
- pci_dss: ['10.6.1'],
- gpg13: ['4.14'],
- gdpr: ['IV_35.7.d'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.6'],
- tsc: ['CC7.2', 'CC7.3'],
- mitre: { tactic: ['Impact'], id: ['T1529'], technique: ['System Shutdown/Reboot'] },
- groups: ['system_shutdown', 'syslog', 'linuxkernel'],
- description: 'System is shutting down.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5132,
- level: 11,
- status: 'enabled',
- details: { if_sid: '5100', match: 'module verification failed' },
- mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
- groups: ['syslog', 'linuxkernel'],
- description: 'Unsigned kernel module was loaded',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5133,
- level: 11,
- status: 'enabled',
- details: { if_sid: '5100', match: 'PKCS#7 signature not signed with a trusted key' },
- mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
- groups: ['syslog', 'linuxkernel'],
- description: 'Signed but untrusted kernel module was loaded',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5302,
- level: 9,
- status: 'enabled',
- details: { if_sid: '5301', user: '^root' },
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['7.8'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3', 'CC7.4'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
- groups: ['authentication_failed', 'syslog', 'su'],
- description: 'User missed the password to change UID to root.',
- },
- {
- filename: '0020-syslog_rules.xml',
- 
relative_dirname: 'ruleset/rules',
- id: 5303,
- level: 3,
- status: 'enabled',
- details: {
- if_sid: '5300',
- regex: [
- "session opened for user root|^'su root'|",
- '^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$',
- ],
- },
- pci_dss: ['10.2.5'],
- gpg13: ['7.6', '7.8', '7.9'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'syslog', 'su'],
- description: 'User successfully changed UID to root.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5304,
- level: 3,
- status: 'enabled',
- details: {
- if_sid: '5300',
- regex: ['session opened for user|succeeded for|', '^+|^S+ to |^SU S+ S+ + '],
- },
- pci_dss: ['10.2.5'],
- gpg13: ['7.6', '7.8'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'syslog', 'su'],
- description: 'User successfully changed UID.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5401,
- level: 5,
- status: 'enabled',
- details: { if_sid: '5400', match: 'incorrect password attempt' },
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['7.8'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
- groups: ['syslog', 'sudo'],
- description: 'Failed attempt to run sudo.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5402,
- level: 3,
- status: 'enabled',
- details: { if_sid: '5400', regex: ' ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND=' },
- 
pci_dss: ['10.2.5', '10.2.2'],
- gpg13: ['7.6', '7.8', '7.13'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
- groups: ['syslog', 'sudo'],
- description: 'Successful sudo to ROOT executed.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5403,
- level: 4,
- status: 'enabled',
- details: { if_sid: '5400', if_fts: '' },
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
- groups: ['syslog', 'sudo'],
- description: 'First time user executed sudo.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5404,
- level: 10,
- status: 'enabled',
- details: { if_sid: '5401', match: '3 incorrect password attempts' },
- pci_dss: ['10.2.4', '10.2.5'],
- gpg13: ['7.8'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
- groups: ['syslog', 'sudo'],
- description: 'Three failed attempts to run sudo',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5405,
- level: 5,
- status: 'enabled',
- details: { if_sid: '5400', match: 'user NOT in sudoers' },
- pci_dss: ['10.2.2', '10.2.5'],
- gpg13: ['7.8'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.6', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
- groups: ['syslog', 'sudo'],
- description: 'Unauthorized user attempted to use sudo.',
- },
- {
- filename: '0020-syslog_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5407,
- level: 3,
- status: 'enabled',
- details: { if_sid: '5400', regex: ' ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; 
COMMAND=' },
- pci_dss: ['10.2.5', '10.2.2'],
- gpg13: ['7.6', '7.8', '7.13'],
- gdpr: ['IV_32.2'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
- groups: ['syslog', 'sudo'],
- description: 'Successful sudo executed.',
- },
- {
- filename: '0085-pam_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5501,
- level: 3,
- status: 'enabled',
- details: { if_sid: '5500', match: 'session opened for user ' },
- pci_dss: ['10.2.5'],
- gpg13: ['7.8', '7.9'],
- gdpr: ['IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7'],
- tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
- groups: ['authentication_success', 'pam', 'syslog'],
- description: 'PAM: Login session opened.',
- },
- {
- filename: '0085-pam_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5551,
- level: 10,
- status: 'enabled',
- details: { frequency: '8', timeframe: '180', if_matched_sid: '5503', same_source_ip: '' },
- pci_dss: ['10.2.4', '10.2.5', '11.4'],
- gpg13: ['7.8'],
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- hipaa: ['164.312.b'],
- nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
- groups: ['authentication_failures', 'pam', 'syslog'],
- description: 'PAM: Multiple failed logins in a small period of time.',
- },
- {
- filename: '0090-telnetd_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5601,
- level: 5,
- status: 'enabled',
- details: { if_sid: '5600', match: 'refused connect from ' },
- gdpr: ['IV_35.7.d'],
- mitre: {
- tactic: ['Command and Control'],
- id: ['T1095'],
- technique: ['Standard Non-Application Layer Protocol'],
- },
- groups: ['syslog', 'telnetd'],
- description: 'telnetd: Connection refused by TCP Wrappers.',
- },
- {
- filename: '0090-telnetd_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 
5631,
- level: 10,
- status: 'enabled',
- details: { frequency: '6', timeframe: '120', if_matched_sid: '5602', same_source_ip: '' },
- gdpr: ['IV_35.7.d', 'IV_32.2'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
- groups: ['syslog', 'telnetd'],
- description: 'telnetd: Multiple connection attempts from same source (possible scan).',
- },
- {
- filename: '0095-sshd_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5701,
- level: 8,
- status: 'enabled',
- details: { if_sid: '5700', match: 'Bad protocol version identification' },
- pci_dss: ['11.4'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- nist_800_53: ['SI.4'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: {
- tactic: ['Initial Access'],
- id: ['T1190'],
- technique: ['Exploit Public-Facing Application'],
- },
- groups: ['recon', 'syslog', 'sshd'],
- description: 'sshd: Possible attack on the ssh server (or version gathering).',
- },
- {
- filename: '0095-sshd_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5703,
- level: 10,
- status: 'enabled',
- details: { frequency: '6', timeframe: '360', if_matched_sid: '5702', same_source_ip: '' },
- pci_dss: ['11.4'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- nist_800_53: ['SI.4'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
- groups: ['syslog', 'sshd'],
- description: 'sshd: Possible breakin attempt (high number of reverse lookup errors).',
- },
- {
- filename: '0095-sshd_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5705,
- level: 10,
- status: 'enabled',
- details: { frequency: '6', timeframe: '360', if_matched_sid: '5704' },
- pci_dss: ['11.4'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- nist_800_53: ['SI.4'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: {
- tactic: ['Initial Access', 'Credential Access'],
- id: ['T1190', 'T1110'],
- technique: ['Exploit Public-Facing Application', 'Brute Force'],
- 
},
- groups: ['syslog', 'sshd'],
- description: 'sshd: Possible scan or breakin attempt (high number of login timeouts).',
- },
- {
- filename: '0095-sshd_rules.xml',
- relative_dirname: 'ruleset/rules',
- id: 5706,
- level: 6,
- status: 'enabled',
- details: { if_sid: '5700', match: 'Did not receive identification string from' },
- pci_dss: ['11.4'],
- gpg13: ['4.12'],
- gdpr: ['IV_35.7.d'],
- nist_800_53: ['SI.4'],
- tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
- mitre: { tactic: ['Command and Control'], id: ['T1043'], technique: ['Commonly Used Port'] },
- groups: ['recon', 'syslog', 'sshd'],
- description: 'sshd: insecure connection attempt (scan).',
- },
-];
-
-module.exports.arrayLocation = ['EventChannel', '/var/log/auth.log', '/var/log/secure'];
diff --git a/scripts/wazuh-alerts-generator/lib/modules/office.js b/scripts/wazuh-alerts-generator/lib/modules/office.js
deleted file mode 100644
index 4c595dfa6c..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/office.js
+++ /dev/null
@@ -1,1597 +0,0 @@
-/*
- * Wazuh app - Office365 sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-module.exports.arrayOfficeGroups = ['office365', 'AzureActiveDirectoryStsLogon'];
-
-module.exports.arrayLocationOffice = 'office365';
-
-module.exports.arrayDecoderOffice = [
- {
- name: 'json',
- },
-];
-
-module.exports.arrayUuidOffice = [
- 'a8080009-aa85-4d65-a0f0-74fe0331edce',
- '4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00',
- 'd14aa5cb-b070-42f8-8709-0f8afd942fc0',
- '92a7e893-0f4a-4635-af0d-83891d4ff9c0',
- 'ce013f05-a783-4186-9d85-5a14998b6111',
- '4f686e03-7cf6-44a8-9212-b8a91b128082',
- 'cc58e817-c6d3-4457-b011-54e881e230ec',
- '825f9d6e-12c0-4b59-807d-1b41c6e48a3a',
- 'd36253fb-24a1-481c-a199-f778534ccb5f',
- '9083369e-679b-4e8b-9249-323a51d5bf9c',
- '6d872bf8-e462-4de8-9e16-c36761050fb7',
- 'b9a73c0f-55f2-4e95-9626-1c264d02eac3',
- 'bbab91ad-bc8a-4c86-9010-3c84b39fde0d',
- 'b5359092-dad2-4060-b93d-3791e4da0dec',
- 'e8493b26-c1f9-42eb-9756-dfd363149852',
- 'ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a',
- 'a0995136-91d8-4acf-8449-28c275ffb7e3',
- 'c3482b5d-b1a9-4f44-8df0-a601e18cf5c3',
- '49fd4642-cfe5-4170-9488-25d847e3579f',
- '29f96271-5c1b-47ec-9652-a41d5cb17cb4',
-];
-
-module.exports.arrayDevicePropertiesOffice = [
- {
- Name: 'BrowserType',
- Value: 'Chrome',
- },
- {
- Name: 'IsCompliantAndManaged',
- Value: 'False',
- },
- {
- Name: 'SessionId',
- Value: '2a1fb8c4-ceb6-4fa0-826c-3d43f87de897',
- },
-];
-
-module.exports.arrayIp = [
- '77.231.182.17',
- '172.217.204.94',
- '108.177.13.101',
- '13.226.52.66',
- '13.226.52.2',
- '13.226.52.104',
- '13.226.52.89',
- '140.82.113.3',
-];
-module.exports.arrayUserId = [
- 'smith@wazuh.com',
- 
'williams@wazuh.com',
- 'frank@wazuh.com',
- 'jones@wazuh.com',
- 'brown@wazuh.com',
-];
-module.exports.arrayTargetOffice = [
- {
- ID: '797f4846-ba00-4fd7-ba43-dac1f8f63013',
- Type: 0,
- },
-];
-
-module.exports.arrayActorOffice = [
- {
- ID: 'a39dd957-d295-4548-b537-2055469bafbb',
- Type: 0,
- },
- {
- ID: 'albe@wazuh.com',
- Type: 5,
- },
-];
-
-module.exports.arrayExtendedPropertiesOffice = [
- {
- Name: 'ResultStatusDetail',
- Value: 'Success',
- },
- {
- Name: 'UserAgent',
- Value:
- 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36',
- },
- {
- Name: 'RequestType',
- Value: 'OAuth2:Authorize',
- },
-];
-
-module.exports.officeRules = {
- 1: {
- data: {
- office365: {
- RecordType: 1,
- Subscription: 'Audit.Exchange',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: Events from the Exchange admin audit log.',
- id: '91533',
- mail: false,
- firedtimes: 3,
- groups: ['office365', 'ExchangeAdmin', 'hipaa_164.312.b', 'pci_dss_10.2.2', 'pci_dss_10.6.1'],
- },
- },
- 2: {
- data: {
- office365: {
- RecordType: 2,
- Subscription: 'Audit.Exchange',
- },
- },
- rule: {
- level: 3,
- description:
- 'Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.',
- id: '91534',
- mail: false,
- firedtimes: 3,
- groups: ['office365', 'ExchangeItem', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
- },
- },
- 4: {
- data: {
- office365: {
- RecordType: 4,
- Subscription: 'Audit.SharePoint',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: SharePoint events.',
- id: '91536',
- mail: false,
- firedtimes: 3,
- groups: ['office365', 'SharePoint', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
- },
- },
- 6: {
- data: {
- office365: {
- RecordType: 6,
- Subscription: 'Audit.SharePoint',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: SharePoint file operation events.',
- id: '91537',
- mail: false,
- firedtimes: 3,
- 
groups: [
- 'office365',
- 'SharePointFileOperation',
- 'hipaa_164.312.b',
- 'hipaa_164.312.c.1',
- 'pci_dss_10.6.2',
- 'pci_dss_11.5',
- ],
- },
- },
- 8: {
- data: {
- office365: {
- RecordType: 8,
- Subscription: 'Audit.AzureActiveDirectory',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: Azure Active Directory events.',
- id: '91539',
- mail: false,
- firedtimes: 3,
- groups: ['office365', 'AzureActiveDirectory', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
- },
- },
- 14: {
- data: {
- office365: {
- RecordType: 14,
- Subscription: 'Audit.SharePoint',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: SharePoint sharing events.',
- id: '91544',
- mail: false,
- firedtimes: 3,
- groups: ['office365', 'SharePoint', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
- },
- },
- 15: {
- data: {
- office365: {
- RecordType: 15,
- Subscription: 'Audit.AzureActiveDirectory',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: Secure Token Service (STS) logon events in Azure Active Directory.',
- id: '91545',
- mail: false,
- firedtimes: 3,
- groups: [
- 'office365',
- 'AzureActiveDirectoryStsLogon',
- 'hipaa_164.312.a.2.I,hipaa_164.312.b',
- 'hipaa_164.312.d',
- 'hipaa_164.312.e.2.II',
- 'pci_dss_8.3,pci_dss_10.6.1',
- ],
- },
- },
- 18: {
- data: {
- office365: {
- RecordType: 18,
- Subscription: 'Audit.General',
- },
- },
- rule: {
- level: 5,
- description: 'Office 365: Admin actions from the Security and Compliance Center.',
- id: '91548',
- mail: false,
- firedtimes: 3,
- groups: [
- 'office365',
- 'SecurityComplianceCenterEOPCmdlet',
- 'hipaa_164.312.b',
- 'pci_dss_10.2.2',
- 'pci_dss_10.6.1',
- ],
- },
- },
- 36: {
- data: {
- office365: {
- RecordType: 36,
- Subscription: 'Audit.SharePoint',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: SharePoint List events.',
- id: '91564',
- mail: false,
- firedtimes: 3,
- groups: ['office365', 'SharePointListOperation', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
- },
- },
- 52: {
- data: {
- office365: 
{
- RecordType: 52,
- Subscription: 'Audit.General',
- },
- },
- rule: {
- level: 3,
- description: 'Office 365: Data Insights REST API events.',
- id: '91580',
- mail: false,
- firedtimes: 4,
- groups: ['office365', 'DataInsightsRestApiAudit', 'hipaa_164.312.b', 'pci_dss_10.6.2'],
- },
- },
-};
-module.exports.arrayLogs = [
- {
- Id: '35ab8b89-cfea-4214-5249-08d91a06e537',
- Operation: 'SearchDataInsightsSubscription',
- OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b',
- RecordType: 52,
- UserKey: 'fake@email.not',
- UserType: 5,
- Version: 1,
- Workload: 'SecurityComplianceCenter',
- UserId: 'fake@email.not',
- AadAppId: '80ccca67-54bd-44ab-8625-4b79c4dc7775',
- DataType: 'DataInsightsSubscription',
- DatabaseType: 'Directory',
- RelativeUrl:
- '/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b',
- ResultCount: '1',
- },
- {
- Id: '27ee2e95-6f55-4723-f91d-08d91a26b9a4',
- Operation: 'SearchAlert',
- OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b',
- RecordType: 52,
- UserKey: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5',
- UserType: 0,
- Version: 1,
- Workload: 'SecurityComplianceCenter',
- UserId: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5',
- AadAppId: 'fc780465-2017-40d4-a0c5-307022471b92',
- DataType: 'Alert',
- DatabaseType: 'DataInsights',
- RelativeUrl:
- '/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27',
- ResultCount: '0',
- },
- {
- CreationTime: '2021-05-18T17:59:52',
- Id: '7d3a9d35-6c04-4f02-e8fe-08d91a26bc79',
- Operation: 'SearchAlertAggregate',
- OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b',
- RecordType: 52,
- UserKey: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5',
- UserType: 0,
- Version: 1,
- Workload: 
'SecurityComplianceCenter',
- UserId: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5',
- AadAppId: 'fc780465-2017-40d4-a0c5-307022471b92',
- DataType: 'AlertAggregate',
- DatabaseType: 'DataInsights',
- RelativeUrl:
- '/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27',
- ResultCount: '0',
- },
- {
- CreationTime: '2021-05-18T17:59:46',
- Id: 'eb9775cb-59f7-42ea-3ee0-08d91a26b92b',
- Operation: 'ValidaterbacAccessCheck',
- OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b',
- RecordType: 52,
- UserKey: 'fake@email.not',
- UserType: 5,
- Version: 1,
- Workload: 'SecurityComplianceCenter',
- UserId: 'fake@email.not',
- AadAppId: 'd6fdaa33-e821-4211-83d0-cf74736489e1',
- DataType: 'rbacAccessCheck',
- RelativeUrl:
- '/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b',
- ResultCount: '0',
- },
- {
- CreationTime: '2021-05-18T14:12:53',
- Id: 'c0eada1b-52b2-450d-84df-6d461420d621',
- Operation: 'Get-RetentionCompliancePolicy',
- OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b',
- RecordType: 18,
- ResultStatus: 'Success',
- UserKey: 'fake@email.not',
- UserType: 2,
- Version: 1,
- Workload: 'SecurityComplianceCenter',
- ObjectId: '',
- UserId: 'fake@email.not',
- SecurityComplianceCenterEventType: 0,
- ClientApplication: 'EMC',
- CmdletVersion: '...',
- EffectiveOrganization: 'wazuh.testytest.com',
- NonPIIParameters: '',
- Parameters: '',
- StartTime: '2021-05-18T14:12:53',
- UserServicePlan: '',
- },
- {
- CreationTime: '2021-05-18T15:52:26',
- Id: '45a0d7c4-de73-466a-8e6c-c25f9c035714',
- Operation: 'Get-SupervisoryReviewPolicyV2',
- OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b',
- RecordType: 18,
- ResultStatus: 'Success',
- UserKey: 
'fake@email.not', - UserType: 2, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: 'EMC', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: '', - Parameters: '', - StartTime: '2021-05-18T15:52:26', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T15:52:31', - Id: 'f9912868-b431-435c-8337-0fc3b4370815', - Operation: 'Get-SupervisoryReviewReport', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 18, - ResultStatus: 'Success', - UserKey: 'fake@email.not', - UserType: 2, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: 'EMC', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: - '-StartDate "" -EndDate "" -PageSize "" -Page ""', - Parameters: - '-StartDate "5/12/2021 12:00:00 AM" -EndDate "5/18/2021 11:59:59 PM" -PageSize "300" -Page "1"', - StartTime: '2021-05-18T15:52:31', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T15:52:30', - Id: 'dcecd87a-3061-4dea-9bff-4fbfc23ca328', - Operation: 'Get-SupervisoryReviewOverallProgressReport', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 18, - ResultStatus: 'Success', - UserKey: 'fake@email.not', - UserType: 2, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: 'EMC', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: '', - Parameters: '', - StartTime: '2021-05-18T15:52:30', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T15:52:30', - Id: '5641d062-f279-4ca4-9577-50d7ecbfeedb', - Operation: 'Get-SupervisoryReviewTopCasesReport', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 
18, - ResultStatus: 'Success', - UserKey: 'fake@email.not', - UserType: 2, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: 'EMC', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: '', - Parameters: '', - StartTime: '2021-05-18T15:52:30', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T17:50:15', - Id: '8c7c9f81-68e9-452b-a22d-1333eb9cd647', - Operation: 'Get-ComplianceSearchAction', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 18, - ResultStatus: 'Success', - UserKey: 'fake@email.not', - UserType: 2, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: 'EMC', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: '-Export ""', - Parameters: '-Export "True"', - StartTime: '2021-05-18T17:50:15', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T17:50:12', - Id: '4692201f-8101-455e-b89d-6727ef75c223', - Operation: 'Get-ComplianceTag', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 18, - ResultStatus: 'Success', - UserKey: 'fake@email.not', - UserType: 2, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: 'EMC', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: '-IncludingLabelState ""', - Parameters: '-IncludingLabelState "True"', - StartTime: '2021-05-18T17:50:12', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T17:50:12', - Id: '7d41f1f2-587c-492f-b6ff-2f9d1a519c60', - Operation: 'Get-ComplianceSearch', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 18, - ResultStatus: 'Success', - UserKey: 'fake@email.not', - UserType: 
2, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: 'EMC', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: '-ResultSize "Unlimited"', - Parameters: '-ResultSize "Unlimited"', - StartTime: '2021-05-18T17:50:12', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T17:59:45', - Id: 'ebcfc2bf-8799-413c-add4-6c2b53cb68e7', - Operation: 'Get-DlpSensitiveInformationType', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 18, - ResultStatus: 'Success', - UserKey: 'fake@email.not', - UserType: 0, - Version: 1, - Workload: 'SecurityComplianceCenter', - ObjectId: '', - UserId: 'fake@email.not', - SecurityComplianceCenterEventType: 0, - ClientApplication: '', - CmdletVersion: '...', - EffectiveOrganization: 'wazuh.testytest.com', - NonPIIParameters: '-Organization "0fea4e03-8146-453b-b889-54b4bd11565b"', - Parameters: '-Organization "0fea4e03-8146-453b-b889-54b4bd11565b"', - StartTime: '2021-05-18T17:59:45', - UserServicePlan: '', - }, - { - CreationTime: '2021-05-18T14:11:41', - Id: '7aeca226-b3e7-4033-9a7f-d067622e8d00', - Operation: 'UserLoggedIn', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 15, - ResultStatus: 'Success', - UserKey: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - UserType: 0, - Version: 1, - Workload: 'AzureActiveDirectory', - ClientIP: '190.16.9.176', - ObjectId: '5f09333a-842c-47da-a157-57da27fcbca5', - UserId: 'fake@email.not', - AzureActiveDirectoryEventType: 1, - ExtendedProperties: [ - { - Name: 'ResultStatusDetail', - Value: 'Redirect', - }, - { - Name: 'UserAgent', - Value: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - }, - { - Name: 'RequestType', - Value: 'OAuth2:Authorize', - }, - ], - ModifiedProperties: [], - Actor: [ - { - ID: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5', 
- Type: 0, - }, - { - ID: 'fake@email.not', - Type: 5, - }, - ], - ActorContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - ActorIpAddress: '190.16.9.176', - InterSystemsId: 'a3798792-fef1-4b53-bd44-bbbd94cf0e5c', - IntraSystemId: '7aeca226-b3e7-4033-9a7f-d067622e8d00', - SupportTicketId: '', - Target: [ - { - ID: '5f09333a-842c-47da-a157-57da27fcbca5', - Type: 0, - }, - ], - TargetContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - ApplicationId: '89bee1f7-5e6e-4d8a-9f3d-ecd601259da7', - DeviceProperties: [ - { - Name: 'OS', - Value: 'Windows 10', - }, - { - Name: 'BrowserType', - Value: 'Chrome', - }, - { - Name: 'IsCompliantAndManaged', - Value: 'False', - }, - { - Name: 'SessionId', - Value: '714c4935-a22d-400d-8563-fbbd8bfc2301', - }, - ], - ErrorNumber: '0', - }, - { - CreationTime: '2021-05-18T17:49:11', - Id: '4e621563-394f-42a9-8a8a-8549e1ffa771', - Operation: 'Add service principal.', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 8, - ResultStatus: 'Success', - UserKey: 'Not Available', - UserType: 4, - Version: 1, - Workload: 'AzureActiveDirectory', - ObjectId: 'f738ef14-47dc-4564-b53b-45069484ccc7', - UserId: 'ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57', - AzureActiveDirectoryEventType: 1, - ExtendedProperties: [ - { - Name: 'additionalDetails', - Value: '{}', - }, - { - Name: 'extendedAuditEventCategory', - Value: 'ServicePrincipal', - }, - ], - ModifiedProperties: [ - { - Name: 'AccountEnabled', - NewValue: '[\r\n true\r\n]', - OldValue: '[]', - }, - { - Name: 'AppPrincipalId', - NewValue: '[\r\n "f738ef14-47dc-4564-b53b-45069484ccc7"\r\n]', - OldValue: '[]', - }, - { - Name: 'DisplayName', - NewValue: '[\r\n "Marketplace Api"\r\n]', - OldValue: '[]', - }, - { - Name: 'ServicePrincipalName', - NewValue: '[\r\n "f738ef14-47dc-4564-b53b-45069484ccc7"\r\n]', - OldValue: '[]', - }, - { - Name: 'Credential', - NewValue: - '[\r\n {\r\n "CredentialType": 2,\r\n "KeyStoreId": "291154f0-a9f5-45bb-87be-9c8ee5b6d62c",\r\n 
"KeyGroupId": "1c5aa04b-dea5-4284-9908-47edd1e12d13"\r\n }\r\n]', - OldValue: '[]', - }, - { - Name: 'Included Updated Properties', - NewValue: 'AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential', - OldValue: '', - }, - { - Name: 'TargetId.ServicePrincipalNames', - NewValue: 'f738ef14-47dc-4564-b53b-45069484ccc7', - OldValue: '', - }, - ], - Actor: [ - { - ID: 'Windows Azure Service Management API', - Type: 1, - }, - { - ID: '797f4846-ba00-4fd7-ba43-dac1f8f63013', - Type: 2, - }, - { - ID: 'ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57', - Type: 2, - }, - { - ID: '4bf80788-0ec4-481a-ae7b-b71647bf3b57', - Type: 2, - }, - { - ID: 'ServicePrincipal', - Type: 2, - }, - ], - ActorContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - InterSystemsId: '9cfba3bb-b478-44aa-a140-465ee7f29274', - IntraSystemId: '21051805-2413-594a-ab5d-006014005348', - SupportTicketId: '', - Target: [ - { - ID: 'ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de', - Type: 2, - }, - { - ID: 'f6d2eabc-d020-4643-80a8-2b92b163d1de', - Type: 2, - }, - { - ID: 'ServicePrincipal', - Type: 2, - }, - { - ID: 'Marketplace Api', - Type: 1, - }, - { - ID: 'f738ef14-47dc-4564-b53b-45069484ccc7', - Type: 2, - }, - { - ID: 'f738ef14-47dc-4564-b53b-45069484ccc7', - Type: 4, - }, - ], - TargetContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - }, - { - CreationTime: '2021-05-18T21:42:25', - Id: 'af4e552f-0bca-4b02-92c9-4bd430f24f75', - Operation: 'Change user license.', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 8, - ResultStatus: 'Success', - UserKey: '100320014080D3AD@wazuh.com', - UserType: 0, - Version: 1, - Workload: 'AzureActiveDirectory', - ObjectId: 'fake@email.not', - UserId: 'fake@email.not', - AzureActiveDirectoryEventType: 1, - ExtendedProperties: [ - { - Name: 'additionalDetails', - Value: '{}', - }, - { - Name: 'extendedAuditEventCategory', - Value: 'User', - }, - ], - ModifiedProperties: [], - Actor: [ - { - ID: 
'fake@email.not', - Type: 5, - }, - { - ID: '100320014080D3AD', - Type: 3, - }, - { - ID: 'User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: 'User', - Type: 2, - }, - ], - ActorContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - InterSystemsId: '1fd09d6b-54d3-4a58-acfe-71cc2c429d97', - IntraSystemId: '0a8ae201-e404-4f6f-99db-a3c92a5bd022', - SupportTicketId: '', - Target: [ - { - ID: 'User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: 'User', - Type: 2, - }, - { - ID: 'fake@email.not', - Type: 5, - }, - { - ID: '100320014080D3AD', - Type: 3, - }, - ], - TargetContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - }, - { - CreationTime: '2021-05-18T21:42:25', - Id: 'b27eab84-1ef7-4372-bc68-7213af8ab3fb', - Operation: 'Update user.', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 8, - ResultStatus: 'Success', - UserKey: '100320014080D3AD@wazuh.com', - UserType: 0, - Version: 1, - Workload: 'AzureActiveDirectory', - ObjectId: 'fake@email.not', - UserId: 'fake@email.not', - AzureActiveDirectoryEventType: 1, - ExtendedProperties: [ - { - Name: 'additionalDetails', - Value: '{"UserType":"Member"}', - }, - { - Name: 'extendedAuditEventCategory', - Value: 'User', - }, - ], - ModifiedProperties: [ - { - Name: 'AssignedLicense', - NewValue: - '[\r\n "[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]"\r\n]', - OldValue: '[]', - }, - { - Name: 'AssignedPlan', - NewValue: - '[\r\n {\r\n "SubscribedPlanId": "c976d07f-fd0f-49eb-bdc2-26c17481e1c5",\r\n "ServiceInstance": "AzureAnalysis/SDF",\r\n "CapabilityStatus": 0,\r\n "AssignedTimestamp": "2021-05-18T21:42:25.3894164Z",\r\n "InitialState": null,\r\n "Capability": null,\r\n "ServicePlanId": "2049e525-b859-401b-b2a0-e0a31c4b1fe4"\r\n }\r\n]', - 
OldValue: '[]', - }, - { - Name: 'Included Updated Properties', - NewValue: 'AssignedLicense, AssignedPlan', - OldValue: '', - }, - { - Name: 'TargetId.UserType', - NewValue: 'Member', - OldValue: '', - }, - ], - Actor: [ - { - ID: 'fake@email.not', - Type: 5, - }, - { - ID: '100320014080D3AD', - Type: 3, - }, - { - ID: 'User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: 'User', - Type: 2, - }, - ], - ActorContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - InterSystemsId: '1fd09d6b-54d3-4a58-acfe-71cc2c429d97', - IntraSystemId: '0a8ae201-e404-4f6f-99db-a3c92a5bd022', - SupportTicketId: '', - Target: [ - { - ID: 'User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: '910ed5ca-4ecf-414c-a1be-d53511bfe1a5', - Type: 2, - }, - { - ID: 'User', - Type: 2, - }, - { - ID: 'fake@email.not', - Type: 5, - }, - { - ID: '100320014080D3AD', - Type: 3, - }, - ], - TargetContextId: '0fea4e03-8146-453b-b889-54b4bd11565b', - }, - { - CreationTime: '2021-05-20T17:43:00', - Id: '8c3d0215-66f0-41b0-3205-08d91bb6b63c', - Operation: 'SharingPolicyChanged', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 4, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'OneDrive', - ClientIP: '20.190.157.27', - ObjectId: 'https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com', - UserId: 'fake@email.not', - CorrelationId: 'fd9ac79d-1100-48aa-92c5-40a73a1d443f', - EventSource: 'SharePoint', - ItemType: 'Site', - Site: 'f49feae4-033d-4028-97d1-3acd55341f69', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - ModifiedProperties: [ - { - Name: 'ShareUsingAnonymousLinks', - NewValue: 'Enabled', - OldValue: 'Disabled', - }, - ], - }, - { - CreationTime: '2021-05-20T17:43:00', - Id: '35a1b515-2a0e-4bd6-d0a3-08d91bb6b639', - Operation: 
'SiteCollectionCreated', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 4, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'OneDrive', - ClientIP: '20.190.157.27', - ObjectId: 'https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com', - UserId: 'fake@email.not', - CorrelationId: 'fd9ac79d-1100-48aa-92c5-40a73a1d443f', - EventSource: 'SharePoint', - ItemType: 'Site', - Site: 'f49feae4-033d-4028-97d1-3acd55341f69', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - EventData: - 'APITrueFalse', - }, - { - CreationTime: '2021-05-20T17:43:00', - Id: '344f9139-f437-4290-9566-08d91bb6b61f', - Operation: 'SiteCollectionAdminRemoved', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 14, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'OneDrive', - ClientIP: '20.190.157.27', - ObjectId: 'https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com', - UserId: 'fake@email.not', - CorrelationId: 'fd9ac79d-1100-48aa-92c5-40a73a1d443f', - EventSource: 'SharePoint', - ItemType: 'Web', - Site: 'f49feae4-033d-4028-97d1-3acd55341f69', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: 'a9d15b23-6ac9-43c5-af3c-b4a0916631c1', - ModifiedProperties: [ - { - Name: 'SiteAdmin', - NewValue: '', - OldValue: '', - }, - ], - TargetUserOrGroupType: 'Member', - SiteUrl: 'https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com', - TargetUserOrGroupName: 'SHAREPOINT\\system', - }, - { - CreationTime: '2021-05-20T17:43:00', - Id: 'd36e4b4d-1e8b-4634-6dd8-08d91bb6b618', - Operation: 'SiteCollectionAdminAdded', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 14, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - 
Version: 1, - Workload: 'OneDrive', - ClientIP: '20.190.157.27', - ObjectId: 'https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com', - UserId: 'fake@email.not', - CorrelationId: 'fd9ac79d-1100-48aa-92c5-40a73a1d443f', - EventSource: 'SharePoint', - ItemType: 'Web', - Site: 'f49feae4-033d-4028-97d1-3acd55341f69', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: 'a9d15b23-6ac9-43c5-af3c-b4a0916631c1', - ModifiedProperties: [ - { - Name: 'SiteAdmin', - NewValue: 'fake@email.not', - OldValue: '', - }, - ], - TargetUserOrGroupType: 'Member', - SiteUrl: 'https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com', - TargetUserOrGroupName: 'fake@email.not', - }, - { - CreationTime: '2021-05-20T17:43:22', - Id: '0d6a62d3-e4bd-44ee-ce8d-08d91bb6c392', - Operation: 'PageViewed', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 4, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: 'https://wazuh.sharepoint.com/_layouts/15/CreateGroup.aspx', - UserId: 'fake@email.not', - CorrelationId: 'ccd0c99f-309b-2000-df13-3fcca9a8c8e1', - CustomUniqueId: true, - EventSource: 'SharePoint', - ItemType: 'Page', - ListItemUniqueId: '59a8433d-9bb8-cfef-65b7-ef35de00c8f6', - Site: 'f7fbb805-5f6b-4950-b681-2365eb46081f', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '3b56db49-60e3-410e-acbd-d8765467388a', - }, - { - CreationTime: '2021-05-20T17:45:57', - Id: '18bb351b-49e1-47df-8f4d-08d91bb71ffd', - Operation: 'AddedToGroup', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 14, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: 
'https://wazuh.sharepoint.com/sites/TestSharePoint', - UserId: 'fake@email.not', - CorrelationId: 'f1d0c99f-3094-2000-da82-454f034ca629', - EventSource: 'SharePoint', - ItemType: 'Web', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - EventData: 'Site Owners', - TargetUserOrGroupType: 'Member', - SiteUrl: 'https://wazuh.sharepoint.com/sites/TestSharePoint', - TargetUserOrGroupName: 'SHAREPOINT\\system', - }, - { - CreationTime: '2021-05-20T17:46:26', - Id: '29bde84a-d3ec-4388-4600-08d91bb730bc', - Operation: 'FileAccessed', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 6, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: - 'https://wazuh.sharepoint.com/sites/TestSharePoint/Shared Documents/Forms/AllItems.aspx', - UserId: 'fake@email.not', - CorrelationId: 'f9d0c99f-b04f-2000-da82-4bb2abf6168f', - EventSource: 'SharePoint', - ItemType: 'File', - ListId: 'fd2ebaf0-900b-4dff-8fc2-d348be51e677', - ListItemUniqueId: '3c9d8943-846e-41f3-a647-72a5e4e3decf', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - SourceFileExtension: 'aspx', - SiteUrl: 'https://wazuh.sharepoint.com/sites/TestSharePoint/', - SourceFileName: 'AllItems.aspx', - SourceRelativeUrl: 'Shared Documents/Forms', - }, - { - CreationTime: '2021-05-20T17:46:25', - Id: '087e5b68-fc3f-4e01-1efc-08d91bb730b5', - Operation: 'ListViewed', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 36, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - 
ClientIP: '190.16.9.176', - ObjectId: - 'https://wazuh.sharepoint.com/sites/TestSharePoint/fd2ebaf0-900b-4dff-8fc2-d348be51e677', - UserId: 'fake@email.not', - CorrelationId: 'f9d0c99f-b04f-2000-da82-4bb2abf6168f', - DoNotDistributeEvent: true, - EventSource: 'SharePoint', - ItemType: 'List', - ListId: 'fd2ebaf0-900b-4dff-8fc2-d348be51e677', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - CustomizedDoclib: false, - FromApp: true, - IsDocLib: true, - ItemCount: 0, - ListBaseTemplateType: '101', - ListBaseType: 'DocumentLibrary', - ListColor: '', - ListIcon: '', - Source: 'Unknown', - TemplateTypeId: '', - ListTitle: 'fd2ebaf0-900b-4dff-8fc2-d348be51e677', - }, - { - CreationTime: '2021-05-20T17:52:29', - Id: '41225487-31c1-4e24-b8b0-08d91bb8094c', - Operation: 'PagePrefetched', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 4, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint', - UserId: 'fake@email.not', - CorrelationId: '52d1c99f-3000-2000-df13-3ab1e8fb9f92', - CustomUniqueId: false, - EventSource: 'SharePoint', - ItemType: 'Page', - ListId: 'e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3', - ListItemUniqueId: '36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - }, - { - CreationTime: '2021-05-20T17:51:49', - Id: 'd930cc5c-2658-45df-6361-08d91bb7f179', - Operation: 'FileCheckedOut', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 6, - UserKey: 
'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx', - UserId: 'fake@email.not', - CorrelationId: '48d1c99f-f03c-2000-df13-38983a6608f8', - EventSource: 'SharePoint', - ItemType: 'File', - ListId: 'e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3', - ListItemUniqueId: '36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - HighPriorityMediaProcessing: false, - SourceFileExtension: 'aspx', - SiteUrl: 'https://wazuh.sharepoint.com/sites/TestSharePoint/', - SourceFileName: 'Home.aspx', - SourceRelativeUrl: 'SitePages', - }, - { - CreationTime: '2021-05-20T17:51:51', - Id: '89d76362-e493-4c20-3b69-08d91bb7f288', - Operation: 'ListUpdated', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 36, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: - 'https://wazuh.sharepoint.com/sites/TestSharePoint/e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3', - UserId: 'fake@email.not', - CorrelationId: '48d1c99f-f0a8-2000-da82-41be3f973267', - DoNotDistributeEvent: true, - EventSource: 'SharePoint', - ItemType: 'List', - ListId: 'e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - CustomizedDoclib: false, - FromApp: false, - IsDocLib: true, - ItemCount: 1, - ListBaseTemplateType: '119', - ListBaseType: 'DocumentLibrary', - ListColor: '', - ListIcon: '', - Source: 'Unknown', - TemplateTypeId: '', - 
ListTitle: 'e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3', - }, - { - CreationTime: '2021-05-20T17:52:36', - Id: '7a91dd8c-560b-4fbe-2585-08d91bb80d46', - Operation: 'ClientViewSignaled', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 4, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx', - UserId: 'fake@email.not', - CorrelationId: '53d1c99f-b0aa-2000-df13-3efea9e41071', - CustomUniqueId: false, - EventSource: 'SharePoint', - ItemType: 'Page', - ListId: 'e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3', - ListItemUniqueId: '36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - }, - { - CreationTime: '2021-05-20T17:53:37', - Id: '9695afcd-19ff-491f-a6ee-08d91bb831d1', - Operation: 'FileModified', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 6, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint/SitePages/Home.aspx', - UserId: 'fake@email.not', - CorrelationId: '62d1c99f-d09c-2000-df13-37ddf480e717', - DoNotDistributeEvent: true, - EventSource: 'SharePoint', - ItemType: 'File', - ListId: 'e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3', - ListItemUniqueId: '36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - SourceFileExtension: 'aspx', - SiteUrl: 
'https://wazuh.sharepoint.com/sites/TestSharePoint/', - SourceFileName: 'Home.aspx', - SourceRelativeUrl: 'SitePages', - }, - { - CreationTime: '2021-05-20T17:57:03', - Id: '551fd7d5-bac1-4bb4-11d2-08d91bb8ac9e', - Operation: 'FileAccessedExtended', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 6, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: - 'https://wazuh.sharepoint.com/sites/TestSharePoint/Shared Documents/Forms/AllItems.aspx', - UserId: 'fake@email.not', - CorrelationId: '94d1c99f-20eb-2000-df13-35746d02911e', - EventSource: 'SharePoint', - ItemType: 'File', - ListId: 'fd2ebaf0-900b-4dff-8fc2-d348be51e677', - ListItemUniqueId: '3c9d8943-846e-41f3-a647-72a5e4e3decf', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - SourceFileExtension: 'aspx', - SiteUrl: 'https://wazuh.sharepoint.com/sites/TestSharePoint/', - SourceFileName: 'AllItems.aspx', - SourceRelativeUrl: 'Shared Documents/Forms', - }, - { - CreationTime: '2021-05-20T17:59:55', - Id: 'eb1f0911-9bed-4f15-10e5-08d91bb91372', - Operation: 'SiteDeleted', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 6, - UserKey: 'S-1-0-0', - UserType: 4, - Version: 1, - Workload: 'SharePoint', - ClientIP: '', - ObjectId: 'https://wazuh.sharepoint.com/sites/TestSharePoint', - UserId: 'AAD to SharePoint Sync', - CorrelationId: 'bed1c99f-20ee-2000-df13-306cb6803c92', - EventSource: 'SharePoint', - ItemType: 'Web', - ListItemUniqueId: '00000000-0000-0000-0000-000000000000', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: '', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - DestinationFileExtension: '', - SourceFileExtension: '', - DestinationFileName: 'TestSharePoint', - 
DestinationRelativeUrl: '../../https://wazuh.sharepoint.com/sites', - SiteUrl: 'https://wazuh.sharepoint.com/sites/TestSharePoint/', - SourceFileName: 'TestSharePoint', - SourceRelativeUrl: '..', - }, - { - CreationTime: '2021-05-20T17:59:11', - Id: '0d20a3e1-e9cb-436c-799f-08d91bb8f92f', - Operation: 'PageViewedExtended', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 4, - UserKey: 'i:0h.f|membership|100320014080d3ad@live.com', - UserType: 0, - Version: 1, - Workload: 'SharePoint', - ClientIP: '190.16.9.176', - ObjectId: - 'https://wazuh.sharepoint.com/sites/TestSharePoint/_layouts/15/online/handlers/SpoSuiteLinks.ashx', - UserId: 'fake@email.not', - CorrelationId: 'b4d1c99f-0043-2000-da82-41b63e1d91f4', - EventSource: 'SharePoint', - ItemType: 'Page', - Site: 'dd58ef08-faea-4cb5-847a-35bb5c01e757', - UserAgent: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', - WebId: '00c32555-e0d8-425f-9fbd-ef5539bfecf7', - }, - { - CreationTime: '2021-05-20T17:44:27', - Id: '30ef2f70-a12d-4b31-1e70-08d91bb6ea2e', - Operation: 'Set-Mailbox', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 1, - ResultStatus: 'True', - UserKey: 'SpoolsProvisioning-ApplicationAccount@eurprd04.prod.outlook.com', - UserType: 3, - Version: 1, - Workload: 'Exchange', - ClientIP: '52.233.237.141:40638', - ObjectId: - 'EURPR04A010.prod.outlook.com/Microsoft Exchange Hosted Organizations/wazuh.testytest.com/tomas.turina', - UserId: 'SpoolsProvisioning-ApplicationAccount@eurprd04.prod.outlook.com', - AppId: '61109738-7d2b-4a0b-9fe3-660b1ff83505', - ClientAppId: '', - ExternalAccess: true, - OrganizationName: 'wazuh.testytest.com', - OriginatingServer: 'AM9PR04MB8986 (15.20.4150.023)', - Parameters: [ - { - Name: 'Identity', - Value: - 'MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2', - }, - { - Name: 'ResourceEmailAddresses', - Value: 
'True', - }, - { - Name: 'BypassLiveId', - Value: 'True', - }, - { - Name: 'Force', - Value: 'True', - }, - { - Name: 'DomainController', - Value: 'HE1PR04A010DC03.EURPR04A010.prod.outlook.com', - }, - { - Name: 'EmailAddresses', - Value: - 'SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b', - }, - ], - SessionId: '', - }, - { - CreationTime: '2021-05-20T17:45:59', - Id: '48c00930-b25d-4ccc-ccb3-08d91bb720f6', - Operation: 'ModifyFolderPermissions', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 2, - ResultStatus: 'Succeeded', - UserKey: 'S-1-5-18', - UserType: 2, - Version: 1, - Workload: 'Exchange', - ClientIP: '::1', - UserId: 'S-1-5-18', - ClientIPAddress: '::1', - ClientInfoString: 'Client=WebServices;Action=ConfigureGroupMailbox', - ExternalAccess: true, - InternalLogonType: 1, - LogonType: 1, - LogonUserSid: 'S-1-5-18', - MailboxGuid: 'fc108b45-9d51-4b87-a473-9d5a0e404966', - MailboxOwnerMasterAccountSid: 'S-1-5-10', - MailboxOwnerSid: 'S-1-5-21-2986565805-1835265550-1383574073-20743067', - MailboxOwnerUPN: 'TestSharePoint@wazuh.com', - OrganizationName: 'wazuh.testytest.com', - OriginatingServer: 'AS8PR04MB8465 (15.20.4150.023)\r\n', - Item: { - Id: 'LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC', - ParentFolder: { - Id: 'LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC', - MemberRights: - 'ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed', - MemberSid: 'S-1-8-4228942661-1267178833-1520268196-1716076558-1', - MemberUpn: 'Member@local', - Name: 'Calendar', - Path: '\\Calendar', - }, - }, - }, - { - CreationTime: '2021-05-20T17:45:58', - Id: 'bb03b48e-609d-477b-cb80-08d91bb72077', - Operation: 'Create', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 2, - ResultStatus: 'Succeeded', - UserKey: 'S-1-5-18', - UserType: 2, - Version: 1, - Workload: 
'Exchange', - ClientIP: '::1', - UserId: 'S-1-5-18', - ClientIPAddress: '::1', - ClientInfoString: 'Client=WebServices;Action=ConfigureGroupMailbox', - ExternalAccess: true, - InternalLogonType: 1, - LogonType: 1, - LogonUserSid: 'S-1-5-18', - MailboxGuid: 'fc108b45-9d51-4b87-a473-9d5a0e404966', - MailboxOwnerMasterAccountSid: 'S-1-5-10', - MailboxOwnerSid: 'S-1-5-21-2986565805-1835265550-1383574073-20743067', - MailboxOwnerUPN: 'TestSharePoint@wazuh.com', - OrganizationName: 'wazuh.testytest.com', - OriginatingServer: 'AS8PR04MB8465 (15.20.4150.023)\r\n', - Item: { - Attachments: - 'warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)', - Id: - 'RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ', - InternetMessageId: - '', - IsRecord: false, - ParentFolder: { - Id: 'LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB', - Path: '\\Inbox', - }, - Subject: 'The new TestSharePoint group is ready', - }, - }, - { - CreationTime: '2021-05-20T17:59:59', - Id: 'e855fb12-2d48-45f3-ac8d-08d91bb91569', - Operation: 'Remove-UnifiedGroup', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 1, - ResultStatus: 'True', - UserKey: 'NT AUTHORITY\\SYSTEM (w3wp)', - UserType: 2, - Version: 1, - Workload: 'Exchange', - ClientIP: '[2a01:111:f402:ac00::f134]:51514', - ObjectId: 'TestSharePoint_b47e06bf-895d-48c4-8ae4-a0fdc60ec249', - UserId: 'NT AUTHORITY\\SYSTEM (w3wp)', - AppId: '00000003-0000-0ff1-ce00-000000000000', - ClientAppId: '00000003-0000-0ff1-ce00-000000000000', - ExternalAccess: false, - OrganizationName: 'wazuh.testytest.com', - OriginatingServer: 'VI1PR04MB6125 (15.20.4129.033)', - Parameters: [ - { - Name: 'Identity', - Value: 
'b47e06bf-895d-48c4-8ae4-a0fdc60ec249', - }, - ], - SessionId: '', - }, - { - CreationTime: '2021-05-20T18:04:37', - Id: 'f111c82c-7961-473d-112a-08d91bb9bb91', - Operation: 'Set-UnifiedGroup', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 1, - ResultStatus: 'True', - UserKey: 'SpoolsProvisioning-ApplicationAccount@eurprd04.prod.outlook.com', - UserType: 3, - Version: 1, - Workload: 'Exchange', - ClientIP: '51.144.33.14:58849', - ObjectId: - 'EURPR04A010.prod.outlook.com/Microsoft Exchange Hosted Organizations/wazuh.testytest.com/Soft Deleted Objects/TestSharePoint_b47e06bf-895d-48c4-8ae4-a0fdc60ec249', - UserId: 'SpoolsProvisioning-ApplicationAccount@eurprd04.prod.outlook.com', - AppId: '61109738-7d2b-4a0b-9fe3-660b1ff83505', - ClientAppId: '', - ExternalAccess: true, - OrganizationName: 'wazuh.testytest.com', - OriginatingServer: 'VI1PR0402MB3326 (15.20.4129.033)', - Parameters: [ - { - Name: 'Identity', - Value: - 'MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2', - }, - { - Name: 'EmailAddresses', - Value: 'smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com', - }, - { - Name: 'IncludeSoftDeletedObjects', - Value: 'True', - }, - ], - SessionId: '', - }, - { - CreationTime: '2021-05-20T18:59:49', - Id: '32229114-e357-4b56-9d08-08d91bc1717c', - Operation: 'Set-User', - OrganizationId: '0fea4e03-8146-453b-b889-54b4bd11565b', - RecordType: 1, - ResultStatus: 'True', - UserKey: 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Management.ForwardSync)', - UserType: 3, - Version: 1, - Workload: 'Exchange', - ObjectId: - 'EURPR04A010.prod.outlook.com/Microsoft Exchange Hosted Organizations/wazuh.testytest.com/tomas.turina', - UserId: 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Management.ForwardSync)', - AppId: '', - ClientAppId: '', - ExternalAccess: true, - OrganizationName: 'wazuh.testytest.com', - OriginatingServer: 'DB8PR04MB7065 (15.20.4150.023)', - Parameters: [ - { - Name: 
'Identity', - Value: '0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c', - }, - { - Name: 'SyncMailboxLocationGuids', - Value: 'True', - }, - { - Name: 'ErrorAction', - Value: 'Stop', - }, - { - Name: 'WarningAction', - Value: 'SilentlyContinue', - }, - ], - }, -]; diff --git a/scripts/wazuh-alerts-generator/lib/modules/openscap.js b/scripts/wazuh-alerts-generator/lib/modules/openscap.js deleted file mode 100644 index 95ef2e3300..0000000000 --- a/scripts/wazuh-alerts-generator/lib/modules/openscap.js +++ /dev/null 
@@ -1,1509 +0,0 @@ -/* - * Wazuh app - OpenSCAP sample data - * Copyright (C) 2015-2022 Wazuh, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * Find more information about this on the LICENSE file. - */ - -// OpenSCAP -module.exports.scanProfileTitle = ["xccdf_org.ssgproject.content_profile_standard", "xccdf_org.ssgproject.content_profile_pci-dss", "xccdf_org.ssgproject.content_profile_common", "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal"]; -module.exports.checkSeverity = ["low", "medium", "high"]; -module.exports.checkResult = ["fail"]; -module.exports.scanContent = ["ssg-centos-7-ds.xml", "ssg-centos-6-ds.xml", "ssg-rhel6-ds.xml", "ssg-ubuntu18-ds.xml", "ssg-debian-ds.xml", "ssg-fedora-ds.xml"]; -module.exports.checkTitle = ["Record Attempts to Alter the localtime File", "Record Attempts to Alter Time Through clock_settime", "Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)", "Ensure auditd Collects System Administrator Actions", "Ensure auditd Collects File Deletion Events by User"]; - -module.exports.decoder = { - parent: "oscap", - name: "oscap" -}; - -module.exports.location = 'wodle_open-scap'; - -module.exports.data = [ - { - // "input": { - // "type": "log" - // }, - "data": { - "oscap": { - "scan": { - "score": "99.814812", - "profile": { - "id": "No profile", - "title": "No profile" - }, - "id": "0001587604016", - "content": "cve-redhat-7-ds.xml", - "benchmark": { - "id": "xccdf_com.redhat.rhsa_benchmark_generated-xccdf" - } - } - } - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 3, - "pci_dss": ["2.2"], - "description": "OpenSCAP Report overview.", - "groups": ["oscap","oscap-report"], - "id": "81540", - "nist_800_53": ["CM.1"] - }, - "full_log": "oscap: msg: 
\"xccdf-overview\", scan-id: \"{data.oscap.scan.id}\", content: \"{data.oscap.scan.content}\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"{data.oscap.scan.profile.id}\", profile-title: \"{data.oscap.scan.profile.title}\", score: \"{data.oscap.scan.score}\".", - }, - { - "data": { - "oscap": { - "scan": { - "score": "75.000000", - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - } - } - }, - "rule": { - "firedtimes": 2, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP Report overview: Score less than 80", - "groups": ["oscap","oscap-report"], - "id": "81542", - "nist_800_53": ["CM.1"] - }, - "full_log": "oscap: msg: \"xccdf-overview\", scan-id: \"{data.oscap.scan.id}\", content: \"{data.oscap.scan.content}\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"{data.oscap.scan.profile.id}\", profile-title: \"{data.oscap.scan.profile.title}\", score: \"{data.oscap.scan.score}\".", - "timestamp": "2020-04-23T01:06:56.060+0000" - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "No profile", - "title": "No profile" - }, - "id": "0001587604016", - "content": "cve-redhat-7-ds.xml", - "benchmark": { - "id": "xccdf_com.redhat.rhsa_benchmark_generated-xccdf" - } - }, - "check": { - "result": "fail", - "severity": "high", - "identifiers": "CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)", - "oval": { - "id": "oval:com.redhat.rhsa:def:20170372" - }, - "id": "xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372", - "title": "RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)" - } - } - }, - "rule": { - "firedtimes": 3, - "mail": false, - "level": 9, - "pci_dss": ["2.2"], - "description": 
"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81531", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_sysadmin_actions:def:1" - }, - "description": "At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions", - "title": "Ensure auditd Collects System Administrator Actions", - "rationale": "The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes." 
- } - } - }, - "rule": { - "firedtimes": 41, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_kernel_module_loading:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to 
read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading", - "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading", - "rationale": "The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel." 
- } - } - }, - "rule": { - "firedtimes": 34, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_kernel_module_loading:def:1" - }, - "description": "If the auditd daemon is 
configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading", - "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading", - "rationale": "The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel." 
- } - } - }, - "rule": { - "firedtimes": 34, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": 
"oval:ssg-audit_rules_file_deletion_events:def:1" - }, - "description": "At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events", - "title": "Ensure auditd Collects File Deletion Events by User", - "rationale": "Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence." 
- } - } - }, - "rule": { - "firedtimes": 33, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_media_export:def:1" - }, - "description": "At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_media_export", - "title": "Ensure auditd Collects Information on Exporting to Media (successful)", - "rationale": "The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss." 
- } - } - }, - "rule": { - "firedtimes": 32, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_privileged_commands:def:1" - }, - "description": "At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands", - "title": "Ensure auditd Collects Information on the Use of Privileged Commands", - "rationale": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity." - } - } - }, - "rule": { - "firedtimes": 31, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_unsuccessful_file_modification:def:1" - }, - "description": "At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification", - "title": "Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)", - "rationale": "Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise." - } - } - }, - "rule": { - "firedtimes": 30, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_dac_modification_chown:def:1" - }, - "description": "At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown", - "title": "Record Events that Modify the System's Discretionary Access Controls - chown", - "rationale": "The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." 
- } - } - }, - "rule": { - "firedtimes": 32, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_dac_modification_removexattr:def:1" - }, - "description": "At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr", - "title": "Record Events that Modify the System's Discretionary Access Controls - removexattr", - "rationale": "The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." 
- } - } - }, - "rule": { - "firedtimes": 29, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_networkconfig_modification:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during 
daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification", - "title": "Record Events that Modify the System's Network Environment", - "rationale": "The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited." 
- } - } - }, - "rule": { - "firedtimes": 29, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify the System's Network Environment (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_usergroup_modification:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification", - "title": "Record Events that Modify User/Group Information", - "rationale": "In addition to 
auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." - } - } - }, - "rule": { - "firedtimes": 28, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify User/Group Information (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_time_watch_localtime:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime", - "title": "Record Attempts to Alter the localtime File", - "rationale": "Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." 
- } - } - }, - "rule": { - "firedtimes": 27, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Attempts to Alter the localtime File (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_time_clock_settime:def:1" - }, - "description": "If the auditd daemon is 
configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime", - "title": "Record Attempts to Alter Time Through clock_settime", - "rationale": "Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." 
- } - } - }, - "rule": { - "firedtimes": 26, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_common", - "title": "Common Profile for General-Purpose Systems" - }, - "id": "0001587603934", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_time_settimeofday:def:1" - }, - "description": "If the auditd daemon 
is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday", - "title": "Record attempts to alter time through settimeofday", - "rationale": "Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." 
- } - } - }, - "rule": { - "firedtimes": 25, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record attempts to alter time through settimeofday (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": 
"oval:ssg-audit_rules_file_deletion_events:def:1" - }, - "description": "At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events", - "title": "Ensure auditd Collects File Deletion Events by User", - "rationale": "Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence." 
- } - } - }, - "rule": { - "firedtimes": 24, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_login_events:def:1" - }, - "description": "The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_login_events", - "title": "Record Attempts to Alter Logon and Logout Events", - "rationale": "Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion." 
- } - } - }, - "rule": { - "firedtimes": 20, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "low", - "references": "RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-audit_rules_usergroup_modification:def:1" - }, - "description": "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification", - "id": "xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification", - "title": "Record Events that Modify 
User/Group Information", - "rationale": "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." - } - } - }, - "rule": { - "firedtimes": 6, - "mail": false, - "level": 5, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Record Events that Modify User/Group Information (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81529", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-auditd_audispd_syslog_plugin_activated:def:1" - }, - "description": "To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart", - "id": "xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated", - "title": "Configure auditd to use audispd's syslog plugin", - "rationale": "The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server" - } - } - }, - "rule": { - "firedtimes": 16, - "mail": false, - "level": 7, - "pci_dss": ["2.2"], - "description": "OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)", - "groups": ["oscap","oscap-result"], - "id": "81530", - "nist_800_53": ["CM.1"] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)", - "identifiers": "CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-smartcard_auth:def:1" - }, - "description": "To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273", - "id": "xccdf_org.ssgproject.content_rule_smartcard_auth", - "title": "Enable Smart Card Login", - "rationale": "Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials." 
- } - } - }, - "rule": { - "firedtimes": 11, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Enable Smart Card Login (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_password_pam_unix_remember:def:1" - }, - "description": "Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... 
remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.", - "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember", - "title": "Limit Password Reuse", - "rationale": "Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user." - } - } - }, - "rule": { - "firedtimes": 10, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Limit Password Reuse (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1" - }, - "description": "To configure the system to 
lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so", - "id": "xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time", - "title": "Set Lockout Time For Failed Password Attempts", - "rationale": "Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations." 
- } - } - }, - "rule": { - "firedtimes": 9, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_passwords_pam_faillock_deny:def:1" - }, - "description": "To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately 
after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so", - "id": "xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny", - "title": "Set Deny For Failed Password Attempts", - "rationale": "Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks." - } - } - }, - "rule": { - "firedtimes": 8, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Deny For Failed Password Attempts (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)", - "identifiers": "CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_password_pam_lcredit:def:1" - }, - "description": "The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. 
When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.", - "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit", - "title": "Set Password Strength Minimum Lowercase Characters", - "rationale": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space." 
- } - } - }, - "rule": { - "firedtimes": 7, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)", - "identifiers": "CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_password_pam_ucredit:def:1" - }, - "description": "The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. 
Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.", - "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit", - "title": "Set Password Strength Minimum Uppercase Characters", - "rationale": "Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." - } - } - }, - "rule": { - "firedtimes": 6, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)", - "identifiers": "CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": 
"oval:ssg-accounts_password_pam_minlen:def:1" - }, - "description": "The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.", - "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen", - "title": "Set Password Minimum Length", - "rationale": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password." - } - } - }, - "rule": { - "firedtimes": 5, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Password Minimum Length (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)", - "identifiers": "CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_password_pam_dcredit:def:1" - }, - "description": "The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.", - "id": "xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit", - "title": "Set Password Strength Minimum Digit Characters", - "rationale": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space." 
- } - } - }, - "rule": { - "firedtimes": 4, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-accounts_maximum_age_login_defs:def:1" - }, - "description": "To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. 
The profile requirement is .", - "id": "xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs", - "title": "Set Password Maximum Age", - "rationale": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise." - } - } - }, - "rule": { - "firedtimes": 3, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Set Password Maximum Age (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "high", - "references": "RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-no_empty_passwords:def:1" - }, - "description": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.", - "id": "xccdf_org.ssgproject.content_rule_no_empty_passwords", - "title": "Prevent Log In to Accounts With Empty Password", - "rationale": "If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments." 
- } - } - }, - "rule": { - "firedtimes": 2, - "mail": false, - "level": 9, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81531", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "high", - "references": "RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", - "identifiers": "CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-rpm_verify_permissions:def:1" - }, - "description": "Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME", - "id": "xccdf_org.ssgproject.content_rule_rpm_verify_permissions", - "title": "Verify and Correct File Permissions with RPM", - "rationale": "Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated." - } - } - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 9, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Verify and Correct File Permissions with RPM (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81531", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)", - "identifiers": "CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-aide_periodic_cron_checking:def:1" - }, - "description": "At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.", - "id": "xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking", - "title": "Configure Periodic Execution of AIDE", - "rationale": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item." - } - } - }, - "rule": { - "firedtimes": 2, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Configure Periodic Execution of AIDE (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "profile": { - "id": "xccdf_org.ssgproject.content_profile_pci-dss", - "title": "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7" - }, - "id": "0001587603717", - "content": "ssg-rhel-7-ds.xml", - "benchmark": { - "id": "xccdf_org.ssgproject.content_benchmark_RHEL-7" - } - }, - "check": { - "result": "fail", - "severity": "medium", - "references": "CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)", - "identifiers": "CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)", - "oval": { - "id": "oval:ssg-package_aide_installed:def:1" - }, - "description": "Install the AIDE package with the command: $ sudo yum install 
aide", - "id": "xccdf_org.ssgproject.content_rule_package_aide_installed", - "title": "Install AIDE", - "rationale": "The AIDE package must be installed if it is to be available for integrity checking." - } - } - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 7, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP: Install AIDE (not passed)", - "groups": [ - "oscap", - "oscap-result" - ], - "id": "81530", - "nist_800_53": [ - "CM.1" - ] - } - }, - { - "data": { - "oscap": { - "scan": { - "score": "99.814812", - "profile": { - "id": "No profile", - "title": "No profile" - }, - "id": "0001587574647", - "content": "cve-redhat-7-ds.xml", - "benchmark": { - "id": "xccdf_com.redhat.rhsa_benchmark_generated-xccdf" - } - } - } - }, - "manager": { - "name": "ip-10-0-0-219.us-west-1.compute.internal" - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 3, - "pci_dss": [ - "2.2" - ], - "description": "OpenSCAP Report overview.", - "groups": [ - "oscap", - "oscap-report" - ], - "id": "81540", - "nist_800_53": [ - "CM.1" - ] - } - } -] diff --git a/scripts/wazuh-alerts-generator/lib/modules/osquery.js b/scripts/wazuh-alerts-generator/lib/modules/osquery.js deleted file mode 100644 index 8c6ac7149b..0000000000 --- a/scripts/wazuh-alerts-generator/lib/modules/osquery.js +++ /dev/null 
@@ -1,390 +0,0 @@ -/* - * Wazuh app - Osquery sample alerts - * Copyright (C) 2015-2022 Wazuh, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * Find more information about this on the LICENSE file. - */ - -module.exports.dataOsquery = [{ - osquery: { - calendarTime: new Date(), - subquery: "osquery_info", - columns: { - counter: "43", - uuid: "EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366", - version: "3.3.2", - }, - name: "pack_osquery-monitoring_osquery_info", - action: "added", - epoch: "0", - counter: "1836", - pack: "osquery-monitoring" - }, - rule: { - firedtimes: 2, - mail: false, - level: 4, - description: 'osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial' - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "iptables", - columns: { - chain: "POSTROUTING", - filter_name: "nat", - dst_mask: "0.0.0.0", - match: "yes", - src_mask: "255.255.0.0", - dst_ip: "0.0.0.0", - packets: "43092", - target: "MASQUERADE", - src_ip: "172.17.0.0", - protocol: "0", - outiface_mask: "FFFFFFFFFFFFFFFF", - bytes: "3271628", - iniface: "all", - outiface: "docker0", - policy: "ACCEPT" - }, - name: "pack_incident-response_iptables", - action: "added", - epoch: "0", - counter: "282", - pack: "incident-response" - }, - rule: { - firedtimes: 17, - mail: false, - level: 4, - description: "osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "iptables", - columns: { - chain: "PREROUTING", - filter_name: "nat", - dst_mask: "0.0.0.0", - match: "yes", - src_mask: "0.0.0.0", - dst_ip: "0.0.0.0", - packets: "34553", - target: "DOCKER", - src_ip: "0.0.0.0", - protocol: "0", - 
bytes: "2065050", - iniface: "all", - outiface: "all", - policy: "ACCEPT" - }, - name: "pack_incident-response_iptables", - action: "added", - epoch: "0", - counter: "282", - pack: "incident-response" - }, - rule: { - firedtimes: 17, - mail: false, - level: 4, - description: "osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "schedule", - columns: { - average_memory: "0", - avg_system_time: "0", - executions: "177", - output_size: "0", - name: "pack_ossec-rootkit_zk_rootkit", - interval: "3600", - avg_user_time: "0", - last_executed: "1587482079", - wall_time: "0" - }, - name: "pack_osquery-monitoring_schedule", - action: "added", - epoch: "0", - counter: "282", - pack: "osquery-monitoring" - }, - rule: { - firedtimes: 82, - mail: false, - level: 4, - description: "osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "osquery_info", - columns: { - watcher: "18596", - system_time: "86740", - config_valid: "1", - pid: "18631", - counter: "33", - uuid: "EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366", - version: "3.3.2", - config_hash: "8423af1820e09cef21c8ed5594827b13ea8af90d", - build_platform: "ubuntu", - start_time: "1586893611", - extensions: "active", - instance_id: "29ebc250-4d9d-4420-b46f-127ff9e2437d", - build_distro: "xenial", - resident_size: "66664000", - user_time: "124490" - }, - name: "pack_osquery-monitoring_osquery_info", - action: "added", - epoch: "0", - counter: "1789", - pack: "osquery-monitoring" - }, - rule: { - firedtimes: 82, - mail: false, - level: 4, - description: "osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "mounts", - columns: { - path: "/", 
- blocks: "5239803", - inodes: "10484720", - flags: "rw,seclabel,relatime,attr2,inode64,noquota", - inodes_free: "10436261", - blocks_size: "4096", - blocks_available: "3940776", - type: "xfs", - device: "/dev/xvda2", - device_alias: "/dev/xvda2", - blocks_free: "3940776" - }, - name: "pack_incident-response_mounts", - action: "added", - epoch: "0", - counter: "278", - pack: "incident-response" - }, - rule: { - firedtimes: 82, - mail: false, - level: 4, - description: "osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "iptables", - columns: { - memory_free: "156012544", - memory_free_perc: "0.039271301812363", - threshold: "10%", - memory_total: "3972685824" - }, - name: "low_free_memory", - action: "added", - epoch: "0", - counter: "548", - }, - rule: { - firedtimes: 82, - mail: false, - level: 4, - description: "osquery: System memory is under 10%", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "iptables", - columns: { - memory_free: "156012544", - memory_free_perc: "0.039271301812363", - threshold: "15%", - memory_total: "3972685824" - }, - name: "low_free_memory", - action: "added", - epoch: "0", - counter: "548", - }, - rule: { - firedtimes: 82, - mail: false, - level: 4, - description: "osquery: System memory is under 15%", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "process_memory", - columns: { - inode: "0", - offset: "0", - permissions: "r-xp", - start: "0xffffffffff600000", - end: "0xffffffffff601000", - pid: "644", - device: "00:00", - pseudo: "1" - }, - name: "pack_incident-response_process_memory", - action: "added", - epoch: "0", - counter: "12", - }, - rule: { - firedtimes: 7621, - mail: false, - level: 4, - description: "osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000", - } - }, - { - osquery: { - 
calendarTime: new Date(), - subquery: "iptables", - columns: { - chain: "POSTROUTING", - filter_name: "nat", - dst_mask: "0.0.0.0", - match: "yes", - src_mask: "255.255.0.0", - dst_ip: "0.0.0.0", - packets: "43294", - target: "MASQUERADE", - src_ip: "172.17.0.0", - protocol: "0", - outiface_mask: "FFFFFFFFFFFFFFFF", - bytes: "3287370", - iniface: "all", - outiface: "docker0", - policy: "ACCEPT" - }, - name: "pack_incident-response_iptables", - action: "added", - epoch: "0", - counter: "283", - }, - rule: { - firedtimes: 18, - mail: false, - level: 4, - description: "osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "process_env", - columns: { - pid: "26151", - value: "244", - key: "GENERATION" - }, - name: "pack_incident-response_process_env", - action: "added", - epoch: "0", - counter: "11", - }, - rule: { - firedtimes: 18, - mail: false, - level: 4, - description: "osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "device_nodes", - columns: { - mode: "0666", - path: "/dev/ptmx", - uid: "0", - atime: "0", - gid: "5", - ctime: "1586444340", - mtime: "1587489592", - type: "character", - block_size: "4096" - }, - name: "pack_hardware-monitoring_device_nodes", - action: "added", - epoch: "0", - counter: "138", - pack: "hardware-monitoring" - }, - rule: { - firedtimes: 6, - mail: false, - level: 4, - description: "osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character", - } - }, - { - osquery: { - calendarTime: new Date(), - subquery: "last", - columns: { - tty: "pts/0", - pid: "25728", - time: "1587494777", - type: "8" - }, - name: "pack_incident-response_last", - action: "added", - epoch: "0", - counter: "1", - pack: "incident-response" - }, - rule: { - firedtimes: 2, - 
mail: false,
- level: 4,
- description: "osquery: incident-response last: User host",
- }
- },
- {
- osquery: {
- calendarTime: new Date(),
- subquery: "open_files",
- columns: {
- path: "/var/osquery/osquery.db/MANIFEST-016679",
- pid: "18631"
- },
- name: "pack_incident-response_open_files",
- action: "added",
- epoch: "0",
- counter: "11",
- pack: "incident-response"
- },
- rule: {
- firedtimes: 2,
- mail: false,
- level: 4,
- description: "osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened",
- }
- },
-]
diff --git a/scripts/wazuh-alerts-generator/lib/modules/policy-monitoring.js b/scripts/wazuh-alerts-generator/lib/modules/policy-monitoring.js
deleted file mode 100644
index c7aa085ce2..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/policy-monitoring.js
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Wazuh app - Policy monitoring sample alerts
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-// Policy monitoring
-module.exports.title = ["Trojaned version of file detected."];
-module.exports.ruleDescription = ["Host-based anomaly detection event (rootcheck).", "System Audit event."];
-
-module.exports.location = 'rootcheck';
-
-module.exports.decoder = {
- name: "rootcheck"
-};
-
-module.exports.rootkits = {
- Bash: ['/tmp/mcliZokhb', '/tmp/mclzaKmfa'],
- Adore: ['/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore'],
- TRK: ['usr/bin/soucemask','/usr/bin/sourcemask'],
- Volc: ['/usr/lib/volc', '/usr/bin/volc'],
- Ramen: ['/usr/lib/ldlibps.so','/usr/lib/ldliblogin.so', '/tmp/ramen.tgz'],
- Monkit: ['/lib/defs', '/usr/lib/libpikapp.a'],
- RSHA: ['usr/bin/kr4p', 'usr/bin/n3tstat', 'usr/bin/chsh2'],
- Omega: ['/dev/chr'],
- "Rh-Sharpe": ['/usr/bin/.ps', '/bin/.lpstree', '/bin/ldu', '/bin/lkillall'],
- Showtee: ['/usr/lib/.wormie','/usr/lib/.kinetic','/usr/include/addr.h'],
- LDP: ['/dev/.kork', '/bin/.login', '/bin/.ps'],
- Slapper: ['/tmp/.bugtraq','/tmp/.bugtraq.c', '/tmp/.b', '/tmp/httpd', '/tmp/.font-unix/.cinik'],
- Knark: ['/dev/.pizda', '/proc/knark'],
- ZK: ['/usr/share/.zk', 'etc/1ssue.net', 'usr/X11R6/.zk/xfs'],
- Suspicious: ['etc/rc.d/init.d/rc.modules', 'lib/ldd.so', 'usr/bin/ddc', 'usr/bin/ishit', 'lib/.so', 'usr/bin/atm', 'tmp/.cheese', 'dev/srd0', 'dev/hd7', 'usr/man/man3/psid']
-};
-
-module.exports.rootkitsData = {
- "data": {
- "title": "Rootkit '{_rootkit_category}' detected by the presence of file '{_rootkit_file}'."
- },
- "rule": {
- "firedtimes": 1,
- "mail": false,
- "level": 7,
- "description": "Host-based anomaly detection event (rootcheck).",
- "groups": ["wazuh","rootcheck"],
- "id": "510",
- "gdpr": ["IV_35.7.d"]
- },
- "full_log": "Rootkit '{_rootkit_category}' detected by the presence of file '{_rootkit_file}'.",
-};
-
-module.exports.trojans = [
- {file: '/usr/bin/grep', signature: 'bash|givemer'},
- {file: '/usr/bin/egrep', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh'},
- {file: '/usr/bin/find', signature: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h'},
- {file: '/usr/bin/lsof', signature: '/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp'},
- {file: '/usr/bin/netstat', signature: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h'},
- {file: '/usr/bin/top', signature: '/dev/[^npi3st%]|proc\.h|/prof/'},
- {file: '/usr/bin/ps', signature: '/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh'},
- {file: '/usr/bin/tcpdump', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh'},
- {file: '/usr/bin/pidof', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh'},
- {file: '/usr/bin/fuser', signature: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh'},
- {file: '/usr/bin/w', signature: 'uname -a|proc\.h|bash'},
-];
-
-module.exports.trojansData = {
- "rule": {
- "firedtimes": 2,
- "mail": false,
- "level": 7,
- "description": "Host-based anomaly detection event (rootcheck).",
- "groups": ["wazuh","rootcheck"],
- "id": "510",
- "gdpr": ["IV_35.7.d"]
- },
- "full_log": "Trojaned version of file '{data.file}' detected. Signature used: '{_trojan_signature}' (Generic).",
-};
diff --git a/scripts/wazuh-alerts-generator/lib/modules/regulatory-compliance.js b/scripts/wazuh-alerts-generator/lib/modules/regulatory-compliance.js
deleted file mode 100644
index 4f9fa63e50..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/regulatory-compliance.js
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Wazuh app - Regulatory compliance
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-// Regulatory compliance
-module.exports.PCI_DSS = ["1.1.1","1.3.4","1.4","10.1","10.2.1","10.2.2","10.2.4","10.2.5","10.2.6","10.2.7","10.4","10.5.2","10.5.5","10.6","10.6.1","11.2.1","11.2.3","11.4","11.5","2.2","2.2.3","4.1","5.1","5.2","6.2","6.5","6.5.1","6.5.10","6.5.2","6.5.5","6.5.7","6.5.8","6.6","8.1.2","8.1.4","8.1.5","8.1.6","8.1.8","8.2.4","8.7"];
-module.exports.GDPR = ["IV_35.7.d", "II_5.1.f", "IV_32.2", "IV_30.1.g"];
-module.exports.HIPAA = ["164.312.a.1","164.312.a.2.I","164.312.a.2.II","164.312.a.2.III","164.312.a.2.IV","164.312.b","164.312.c.1","164.312.c.2","164.312.d","164.312.e.1","164.312.e.2.I","164.312.e.2.II"];
-module.exports.NIST_800_53 = ["AC.12","AC.2","AC.6","AC.7","AU.12","AU.14","AU.5","AU.6","AU.8","AU.9","CA.3","CM.1","CM.3","CM.5","IA.4","IA.5","SA.11","SC.2","SC.5","SC.7","SC.8","SI.2","SI.3","SI.4","SI.7"];
-module.exports.GPG13 = ["7.8", "7.9"];
-module.exports.tsc = ["CC1.1","CC1.2","CC1.3","CC1.4","CC1.5","CC2.1","CC2.2","CC2.3","CC3.1","CC3.2","CC3.3","CC3.4","CC4.1","CC4.2","CC5.1","CC5.2","CC5.3","CC6.1","CC6.2","CC6.3","CC6.4","CC6.5","CC6.6","CC6.7","CC6.8","CC7.1","CC7.2","CC7.3","CC7.4","CC7.5","CC8.1","CC9.1","CC9.2","A1.1","A1.2","A1.3","C1.1","C1.2","PI1.1","PI1.2","PI1.3","PI1.4","PI1.5","P1.0","P1.1","P2.0","P2.1","P3.0","P3.1","P3.2","P4.0","P4.1","P4.2","P4.3","P5.0","P5.1","P5.2","P6.0","P6.1","P6.2","P6.3","P6.4","P6.5","P6.6","P6.7","P7.0","P7.1","P8.0","P8.1"];
\ No newline at end of file
diff --git a/scripts/wazuh-alerts-generator/lib/modules/ssh.js b/scripts/wazuh-alerts-generator/lib/modules/ssh.js
deleted file mode 100644
index c5d3511bd8..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/ssh.js
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Wazuh app - SSH sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-module.exports.reverseLoockupError = {
- location: "/var/log/secure",
- rule: {
- "mail": false,
- "level": 5,
- "pci_dss": ["11.4"],
- "description": "sshd: Reverse lookup error (bad ISP or attack).",
- "groups": ["syslog","sshd"],
- "mitre": {
- "tactic": ["Lateral Movement"],
- "id": ["T1021"]
- },
- "id": "5702",
- "nist_800_53": ["SI.4"],
- "gpg13": ["4.12"],
- "gdpr": ["IV_35.7.d"]
- },
- full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15409]: reverse mapping checking getaddrinfo for {data.srcip}.static.impsat.com.co [{data.srcip}] failed - POSSIBLE BREAK-IN ATTEMPT!"
-};
-
-module.exports.insecureConnectionAttempt = {
- rule: {
- mail: false,
- level: 6,
- pci_dss: ["11.4"],
- description: "sshd: insecure connection attempt (scan).",
- groups: ["syslog","sshd","recon"],
- id: "5706",
- nist_800_53: ["SI.4"],
- gpg13: ["4.12"],
- gdpr: ["IV_35.7.d"]
- },
- full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15225]: Did not receive identification string from {data.srcip} port {data.srcport}",
- location: "/var/log/secure"
-};
-
-module.exports.possibleAttackServer = {
- rule: {
- mail: false,
- level: 8,
- pci_dss: ["11.4"],
- description: "sshd: Possible attack on the ssh server (or version gathering).",
- groups: ["syslog","sshd","recon"],
- mitre: {
- tactic: ["Lateral Movement"],
- technique: ["Brute Force","Remove Services"],
- id: ["T1021"]
- },
- id: "5701",
- nist_800_53: ["SI.4"],
- gpg13: ["4.12"],
- gdpr: ["IV_35.7.d"]
- },
- location: "/var/log/secure",
- full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15122]: Bad protocol version identification '\\003' from {data.srcip} port {data.srcport}",
-}
-
-module.exports.possibleBreakinAttempt = {
- rule: {
- mail: false,
- level: 10,
- pci_dss: ["11.4"],
- description: "sshd: Possible breakin attempt (high number of reverse lookup errors).",
- groups: ["syslog","sshd"],
- mitre: {
- tactic: ["Lateral Movement"],
- technique: ["Brute Force","Remove Services"],
- id: ["T1021"]
- },
- id: "5703",
- nist_800_53: ["SI.4"],
- frequency: 6,
- gpg13: ["4.12"],
- gdpr: ["IV_35.7.d"]
- },
- location: "/var/log/secure",
- full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[10385]: reverse mapping checking getaddrinfo for . [{data.srcip}] failed - POSSIBLE BREAK-IN ATTEMPT!",
-};
-
-module.exports.data = [module.exports.reverseLoockupError, module.exports.insecureConnectionAttempt, module.exports.possibleAttackServer, module.exports.possibleBreakinAttempt];
\ No newline at end of file
diff --git a/scripts/wazuh-alerts-generator/lib/modules/virustotal.js b/scripts/wazuh-alerts-generator/lib/modules/virustotal.js
deleted file mode 100644
index accd9ea77b..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/virustotal.js
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Wazuh app - Virustotal sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-// Virustotal
-module.exports.sourceFile = ['/usr/share/sample/program', "/etc/data/file", "/etc/sample/script", "/root/super-script", "/tmp/virus/notavirus", "/var/opt/amazing-file"];
-module.exports.permalink = ['https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection', "https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection", "https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection", "https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection", "https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411", "https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233", "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465"];
-module.exports.malicious = [0, 1];
\ No newline at end of file
diff --git a/scripts/wazuh-alerts-generator/lib/modules/vulnerabilities.js b/scripts/wazuh-alerts-generator/lib/modules/vulnerabilities.js
deleted file mode 100644
index e894e8ece5..0000000000
--- a/scripts/wazuh-alerts-generator/lib/modules/vulnerabilities.js
+++ /dev/null
@@ -1,4003 +0,0 @@ -// Vulnerability - -module.exports.data = [ - { - rule: { - level: 7, - description: 'CVE-2017-18018 affects coreutils', - id: '23504', - firedtimes: 1, - }, - data: { - vulnerability: { - package: { - name: 'coreutils', - version: '8.28-1ubuntu1', - architecture: 'amd64', - condition: 'Package less or equal than 8.29', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '1.900000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'high', - privileges_required: 'low', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'none', - integrity_impact: 'high', - availability: 'none', - }, - base_score: '4.700000', - }, - }, - cve: 'CVE-2017-18018', - title: 'CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.', - severity: 'Medium', - published: '2018-01-04', - updated: '2018-01-19', - state: 'Fixed', - cwe_reference: 'CWE-362', - references: [ - 'http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html', - 'https://nvd.nist.gov/vuln/detail/CVE-2017-18018', - 'http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html', - 'http://www.openwall.com/lists/oss-security/2018/01/04/3', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018', - 'https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html', - 'https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 
'CVE-2019-17540 affects imagemagick', - id: '23504', - firedtimes: 2, - }, - data: { - vulnerability: { - package: { - name: 'imagemagick', - version: '8:6.9.7.4+dfsg-16ubuntu6.8', - architecture: 'amd64', - condition: 'Package less than 7.0.8-54', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '6.800000', - }, - }, - cve: 'CVE-2019-17540', - title: - 'ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.', - severity: 'Medium', - published: '2019-10-14', - updated: '2019-10-23', - state: 'Fixed', - cwe_reference: 'CWE-120', - references: [ - 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826', - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578', - 'https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54', - 'https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D', - 'https://security-tracker.debian.org/tracker/CVE-2019-17540', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-17540', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2019-17540 affects libmagickcore-6.q16-3', - id: '23504', - firedtimes: 5, - }, - data: { - vulnerability: { - package: { - name: 'libmagickcore-6.q16-3', - source: 'imagemagick', - version: '8:6.9.7.4+dfsg-16ubuntu6.8', - architecture: 'amd64', - condition: 'Package less than 7.0.8-54', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '6.800000', - }, - }, - cve: 'CVE-2019-17540', - title: - 'ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.', - severity: 'Medium', - published: '2019-10-14', - updated: '2019-10-23', - state: 'Fixed', - cwe_reference: 'CWE-120', - references: [ - 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826', - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578', - 'https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54', - 'https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D', - 'https://security-tracker.debian.org/tracker/CVE-2019-17540', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-17540', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 10, - description: 'CVE-2018-1000035 affects unzip', - id: '23505', - firedtimes: 1, - }, - data: { - vulnerability: { - package: { - name: 'unzip', - version: '6.0-21ubuntu1', - architecture: 'amd64', - condition: 'Package less or equal than 6.00', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '6.800000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'required', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '7.800000', - }, - }, - cve: 'CVE-2018-1000035', - title: 'CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.', - severity: 'High', - published: '2018-02-09', - updated: '2020-01-29', - state: 'Fixed', - cwe_reference: 'CWE-119', - bugzilla_references: [ - 
'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838', - ], - references: [ - 'https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html', - 'https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html', - 'https://security.gentoo.org/glsa/202003-58', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000035', - 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035', - 'https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 10, - description: 'CVE-2018-1000035 affects unzip', - id: '23505', - firedtimes: 1, - }, - data: { - vulnerability: { - package: { - name: 'unzip', - version: '6.0-21ubuntu1', - architecture: 'amd64', - condition: 'Package less or equal than 6.00', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '6.800000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'required', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '7.800000', - }, - }, - cve: 'CVE-2018-1000035', - title: 'CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.', - severity: 'High', - published: '2018-02-09', - updated: '2020-01-29', - state: 'Fixed', - cwe_reference: 'CWE-119', - bugzilla_references: [ - 
'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838', - ], - references: [ - 'https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html', - 'https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html', - 'https://security.gentoo.org/glsa/202003-58', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000035', - 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035', - 'https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 10, - description: 'CVE-2020-1747 affects python3-yaml', - id: '23505', - firedtimes: 44, - }, - data: { - vulnerability: { - package: { - name: 'python3-yaml', - source: 'pyyaml', - version: '3.12-1build2', - architecture: 'amd64', - condition: 'Package less than 5.3.1', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'complete', - integrity_impact: 'complete', - availability: 'complete', - }, - base_score: '10', - }, - }, - cve: 'CVE-2020-1747', - title: - 'A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.', - severity: 'High', - published: '2020-03-24', - updated: '2020-05-11', - state: 'Fixed', - cwe_reference: 'CWE-20', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html', - 'http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html', - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747', - 'https://github.com/yaml/pyyaml/pull/386', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1747', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2019-1552 affects openssl', - id: '23503', - firedtimes: 11, - }, - data: { - vulnerability: { - package: { - name: 'openssl', - version: '1.1.1-1ubuntu2.1~18.04.6', - architecture: 'amd64', - condition: - 'Package greater or equal than 1.1.1 and less or equal than 1.1.1c', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '1.900000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - privileges_required: 'low', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'none', - integrity_impact: 'low', - availability: 'none', - }, - base_score: '3.300000', - }, - }, - cve: 'CVE-2019-1552', - title: - "OpenSSL has internal defaults for a directory 
tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - severity: 'Low', - published: '2019-07-30', - updated: '2019-08-23', - state: 'Fixed', - cwe_reference: 'CWE-295', - references: [ - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e', - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28', - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd', - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/', - 'https://security.netapp.com/advisory/ntap-20190823-0006/', - 'https://support.f5.com/csp/article/K94041354', - 'https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS', - 'https://www.openssl.org/news/secadv/20190730.txt', - 'https://www.oracle.com/security-alerts/cpuapr2020.html', - 'https://www.oracle.com/security-alerts/cpujan2020.html', - 'https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html', - 'https://www.tenable.com/security/tns-2019-08', - 'https://www.tenable.com/security/tns-2019-09', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-1552', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 10, - description: 'CVE-2020-1747 affects python3-yaml', - id: '23505', - firedtimes: 44, - }, - data: { - vulnerability: { - package: { - name: 'python3-yaml', - source: 'pyyaml', - version: '3.12-1build2', - architecture: 'amd64', - condition: 'Package less than 
5.3.1', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'complete', - integrity_impact: 'complete', - availability: 'complete', - }, - base_score: '10', - }, - }, - cve: 'CVE-2020-1747', - title: - 'A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.', - severity: 'High', - published: '2020-03-24', - updated: '2020-05-11', - state: 'Fixed', - cwe_reference: 'CWE-20', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html', - 'http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html', - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747', - 'https://github.com/yaml/pyyaml/pull/386', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1747', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2019-18684 affects sudo', - id: '23504', - firedtimes: 87, - }, - data: { - vulnerability: { - package: { - name: 'sudo', - version: '1.8.21p2-3ubuntu1.2', - architecture: 'amd64', - condition: 'Package less or equal than 1.8.29', - }, - cvss: { - cvss2: { - vector: 
{ - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'complete', - integrity_impact: 'complete', - availability: 'complete', - }, - base_score: '6.900000', - }, - }, - cve: 'CVE-2019-18684', - title: - '** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.', - severity: 'Medium', - published: '2019-11-04', - updated: '2019-11-08', - state: 'Fixed', - cwe_reference: 'CWE-362', - references: [ - 'https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-18684', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2018-20482 affects tar', - id: '23504', - firedtimes: 88, - }, - data: { - vulnerability: { - package: { - name: 'tar', - version: '1.29b-2ubuntu0.1', - architecture: 'amd64', - condition: 'Package less or equal than 1.30', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'partial', - }, - base_score: '1.900000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'high', - privileges_required: 'low', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'none', - integrity_impact: 'none', 
- availability: 'high', - }, - base_score: '4.700000', - }, - }, - cve: 'CVE-2018-20482', - title: 'CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", - severity: 'Medium', - published: '2018-12-26', - updated: '2019-10-03', - state: 'Fixed', - cwe_reference: 'CWE-835', - bugzilla_references: [ - 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377', - 'https://bugzilla.redhat.com/show_bug.cgi?id=1662346', - ], - references: [ - 'http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454', - 'http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html', - 'http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html', - 'http://www.securityfocus.com/bid/106354', - 'https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html', - 'https://news.ycombinator.com/item?id=18745431', - 'https://security.gentoo.org/glsa/201903-05', - 'https://twitter.com/thatcks/status/1076166645708668928', - 'https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-20482', - 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2015-2987 affects ed', - id: '23503', - firedtimes: 9, - }, - data: { - vulnerability: { - package: { - name: 'ed', - version: '1.10-2.1', - architecture: 'amd64', - condition: 'Package less or equal than 3.4', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - 
access_complexity: 'high', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'none', - availability: 'none', - }, - base_score: '2.600000', - }, - }, - cve: 'CVE-2015-2987', - title: - 'Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.', - severity: 'Low', - published: '2015-08-28', - updated: '2015-08-31', - state: 'Fixed', - cwe_reference: 'CWE-17', - references: [ - 'http://jvn.jp/en/jp/JVN91474878/index.html', - 'http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119', - 'http://type74.org/edman5-1.php', - 'http://type74org.blog14.fc2.com/blog-entry-1384.html', - 'https://nvd.nist.gov/vuln/detail/CVE-2015-2987', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 10, - description: 'CVE-2018-8769 affects elfutils', - id: '23505', - firedtimes: 45, - }, - data: { - vulnerability: { - package: { - name: 'elfutils', - version: '0.170-0.4ubuntu0.1', - architecture: 'amd64', - condition: 'Package matches a vulnerable version', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '6.800000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'required', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '7.800000', - }, - }, - cve: 'CVE-2018-8769', - title: - 'elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.', - severity: 'High', - published: '2018-03-18', - updated: '2019-10-03', - state: 
'Pending confirmation', - cwe_reference: 'CWE-125', - references: [ - 'https://sourceware.org/bugzilla/show_bug.cgi?id=22976', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-8769', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2019-1552 affects openssl', - id: '23503', - firedtimes: 11, - }, - data: { - vulnerability: { - package: { - name: 'openssl', - version: '1.1.1-1ubuntu2.1~18.04.6', - architecture: 'amd64', - condition: - 'Package greater or equal than 1.1.1 and less or equal than 1.1.1c', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '1.900000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - privileges_required: 'low', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'none', - integrity_impact: 'low', - availability: 'none', - }, - base_score: '3.300000', - }, - }, - cve: 'CVE-2019-1552', - title: - "OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - severity: 'Low', - published: '2019-07-30', - updated: '2019-08-23', - state: 'Fixed', - cwe_reference: 'CWE-295', - references: [ - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e', - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28', - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd', - 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/', - 'https://security.netapp.com/advisory/ntap-20190823-0006/', - 'https://support.f5.com/csp/article/K94041354', - 'https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS', - 'https://www.openssl.org/news/secadv/20190730.txt', - 'https://www.oracle.com/security-alerts/cpuapr2020.html', - 'https://www.oracle.com/security-alerts/cpujan2020.html', - 
'https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html', - 'https://www.tenable.com/security/tns-2019-08', - 'https://www.tenable.com/security/tns-2019-09', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-1552', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2020-1752 affects libc-bin', - id: '23503', - firedtimes: 12, - }, - data: { - vulnerability: { - package: { - name: 'libc-bin', - source: 'glibc', - version: '2.27-3ubuntu1', - architecture: 'amd64', - condition: 'Package less than 2.32.0', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'high', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '3.700000', - }, - }, - cve: 'CVE-2020-1752', - title: 'CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.', - rationale: - 'A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.', - severity: 'Low', - published: '2020-04-30', - updated: '2020-05-18', - state: 'Fixed', - cwe_reference: 'CWE-416', - references: [ - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752', - 'https://security.netapp.com/advisory/ntap-20200511-0005/', - 'https://sourceware.org/bugzilla/show_bug.cgi?id=25414', - 'https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1752', - 'http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752', - 'https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2020-1752 affects multiarch-support', - id: '23503', - firedtimes: 17, - }, - data: { - vulnerability: { - package: { - name: 'multiarch-support', - source: 'glibc', - version: '2.27-3ubuntu1', - architecture: 'amd64', - condition: 'Package less than 2.32.0', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'high', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '3.700000', - }, - }, - cve: 'CVE-2020-1752', - title: 'CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.', - rationale: - 'A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.', - severity: 'Low', - published: '2020-04-30', - updated: '2020-05-18', - state: 'Fixed', - cwe_reference: 'CWE-416', - references: [ - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752', - 'https://security.netapp.com/advisory/ntap-20200511-0005/', - 'https://sourceware.org/bugzilla/show_bug.cgi?id=25414', - 'https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1752', - 'http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752', - 'https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2019-19645 affects libsqlite3-0', - id: '23503', - firedtimes: 18, - }, - data: { - vulnerability: { - package: { - name: 'libsqlite3-0', - source: 'sqlite3', - version: '3.22.0-1ubuntu0.3', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'partial', - }, - base_score: '2.100000', - }, - }, - cve: 'CVE-2019-19645', - title: 'CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.', - severity: 'Low', - published: '2019-12-09', - updated: '2019-12-23', - state: 'Unfixed', - cwe_reference: 'CWE-674', - references: [ - 'https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06', - 'https://security.netapp.com/advisory/ntap-20191223-0001/', - 
'https://www.oracle.com/security-alerts/cpuapr2020.html', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-19645', - 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2019-19645 affects sqlite3', - id: '23503', - firedtimes: 19, - }, - data: { - vulnerability: { - package: { - name: 'sqlite3', - version: '3.22.0-1ubuntu0.3', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'partial', - }, - base_score: '2.100000', - }, - }, - cve: 'CVE-2019-19645', - title: 'CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.', - severity: 'Low', - published: '2019-12-09', - updated: '2019-12-23', - state: 'Unfixed', - cwe_reference: 'CWE-674', - references: [ - 'https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06', - 'https://security.netapp.com/advisory/ntap-20191223-0001/', - 'https://www.oracle.com/security-alerts/cpuapr2020.html', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-19645', - 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2013-4235 affects login', - id: '23503', - firedtimes: 20, - }, - data: { - vulnerability: { - package: { - name: 'login', - source: 'shadow', - version: '1:4.5-1ubuntu2', - architecture: 
'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '3.300000', - }, - }, - cve: 'CVE-2013-4235', - title: 'CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees', - severity: 'Low', - published: '2019-12-03', - updated: '2019-12-13', - state: 'Unfixed', - cwe_reference: 'CWE-367', - bugzilla_references: [ - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950', - 'https://bugzilla.redhat.com/show_bug.cgi?id=884658', - ], - references: [ - 'https://access.redhat.com/security/cve/cve-2013-4235', - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235', - 'https://security-tracker.debian.org/tracker/CVE-2013-4235', - 'https://nvd.nist.gov/vuln/detail/CVE-2013-4235', - 'http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2013-4235 affects passwd', - id: '23503', - firedtimes: 21, - }, - data: { - vulnerability: { - package: { - name: 'passwd', - source: 'shadow', - version: '1:4.5-1ubuntu2', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '3.300000', - }, - }, - cve: 'CVE-2013-4235', - title: 'CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees', - severity: 
'Low', - published: '2019-12-03', - updated: '2019-12-13', - state: 'Unfixed', - cwe_reference: 'CWE-367', - bugzilla_references: [ - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950', - 'https://bugzilla.redhat.com/show_bug.cgi?id=884658', - ], - references: [ - 'https://access.redhat.com/security/cve/cve-2013-4235', - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235', - 'https://security-tracker.debian.org/tracker/CVE-2013-4235', - 'https://nvd.nist.gov/vuln/detail/CVE-2013-4235', - 'http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 5, - description: 'CVE-2013-4235 affects login', - id: '23503', - firedtimes: 20, - }, - data: { - vulnerability: { - package: { - name: 'login', - source: 'shadow', - version: '1:4.5-1ubuntu2', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '3.300000', - }, - }, - cve: 'CVE-2013-4235', - title: 'CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees', - severity: 'Low', - published: '2019-12-03', - updated: '2019-12-13', - state: 'Unfixed', - cwe_reference: 'CWE-367', - bugzilla_references: [ - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950', - 'https://bugzilla.redhat.com/show_bug.cgi?id=884658', - ], - references: [ - 'https://access.redhat.com/security/cve/cve-2013-4235', - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235', - 'https://security-tracker.debian.org/tracker/CVE-2013-4235', - 'https://nvd.nist.gov/vuln/detail/CVE-2013-4235', - 
'http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2019-1003010 affects git', - id: '23504', - firedtimes: 162, - }, - data: { - vulnerability: { - package: { - name: 'git', - version: '1:2.17.1-1ubuntu0.7', - architecture: 'amd64', - condition: 'Package less or equal than 3.9.1', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '4.300000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'required', - scope: 'unchanged', - confidentiality_impact: 'none', - integrity_impact: 'low', - availability: 'none', - }, - base_score: '4.300000', - }, - }, - cve: 'CVE-2019-1003010', - title: - 'A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.', - severity: 'Medium', - published: '2019-02-06', - updated: '2019-04-26', - state: 'Fixed', - cwe_reference: 'CWE-352', - references: [ - 'https://access.redhat.com/errata/RHBA-2019:0326', - 'https://access.redhat.com/errata/RHBA-2019:0327', - 'https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-1003010', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 10, - description: 'CVE-2020-9366 affects screen', - id: '23505', - firedtimes: 77, - }, - data: { - vulnerability: { - package: { - name: 'screen', - version: '4.6.2-1ubuntu1', 
- architecture: 'amd64', - condition: 'Package less than 4.8.0', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - }, - cve: 'CVE-2020-9366', - title: - 'A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.', - severity: 'High', - published: '2020-02-24', - updated: '2020-03-30', - state: 'Fixed', - cwe_reference: 'CWE-120', - references: [ - 'http://www.openwall.com/lists/oss-security/2020/02/25/1', - 'https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html', - 'https://security.gentoo.org/glsa/202003-62', - 'https://www.openwall.com/lists/oss-security/2020/02/06/3', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-9366', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 10, - description: 'CVE-2019-15847 affects gcc', - id: '23505', - firedtimes: 86, - }, - data: { - vulnerability: { - package: { - name: 'gcc', - source: 'gcc-defaults', - version: '4:7.4.0-1ubuntu2.3', - architecture: 'amd64', - condition: 'Package less than 10.0', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'none', - availability: 'none', - }, - base_score: '5', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'none', - availability: 'none', - }, - base_score: '7.500000', - }, - }, - cve: 'CVE-2019-15847', - title: 'CVE-2019-15847 on Ubuntu 18.04 LTS 
(bionic) - negligible.', - rationale: - 'The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.', - severity: 'High', - published: '2019-09-02', - updated: '2020-05-26', - state: 'Fixed', - cwe_reference: 'CWE-331', - bugzilla_references: [ - 'https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481', - ], - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html', - 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html', - 'http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html', - 'https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-15847', - 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2017-14988 affects libopenexr22', - id: '23504', - firedtimes: 189, - }, - data: { - vulnerability: { - package: { - name: 'libopenexr22', - source: 'openexr', - version: '2.2.0-11.1ubuntu1.2', - architecture: 'amd64', - condition: 'Package matches a vulnerable version', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'partial', - }, - base_score: '4.300000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'required', - scope: 'unchanged', - confidentiality_impact: 'none', - 
integrity_impact: 'none', - availability: 'high', - }, - base_score: '5.500000', - }, - }, - cve: 'CVE-2017-14988', - title: - "** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.", - severity: 'Medium', - published: '2017-10-03', - updated: '2019-09-23', - state: 'Pending confirmation', - cwe_reference: 'CWE-400', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html', - 'https://github.com/openexr/openexr/issues/248', - 'https://nvd.nist.gov/vuln/detail/CVE-2017-14988', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2020-1927 affects apache2', - id: '23504', - firedtimes: 190, - }, - data: { - vulnerability: { - package: { - name: 'apache2', - version: '2.4.29-1ubuntu4.13', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '5.800000', - }, - }, - cve: 'CVE-2020-1927', - title: 'CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.', - severity: 'Medium', - published: '2020-04-02', - updated: '2020-04-03', - state: 'Unfixed', - cwe_reference: 'CWE-601', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html', - 
'http://www.openwall.com/lists/oss-security/2020/04/03/1', - 'http://www.openwall.com/lists/oss-security/2020/04/04/1', - 'https://httpd.apache.org/security/vulnerabilities_24.html', - 'https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E', - 'https://security.netapp.com/advisory/ntap-20200413-0002/', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1927', - 'http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927', - 'https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2020-1927 affects apache2-bin', - id: '23504', - firedtimes: 191, - }, - data: { - vulnerability: { - package: { - name: 'apache2-bin', - source: 'apache2', - version: '2.4.29-1ubuntu4.13', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '5.800000', - }, - }, - cve: 'CVE-2020-1927', - title: 'CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.', - 
severity: 'Medium', - published: '2020-04-02', - updated: '2020-04-03', - state: 'Unfixed', - cwe_reference: 'CWE-601', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html', - 'http://www.openwall.com/lists/oss-security/2020/04/03/1', - 'http://www.openwall.com/lists/oss-security/2020/04/04/1', - 'https://httpd.apache.org/security/vulnerabilities_24.html', - 'https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E', - 'https://security.netapp.com/advisory/ntap-20200413-0002/', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1927', - 'http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927', - 'https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2020-1927 affects apache2-data', - id: '23504', - firedtimes: 192, - }, - data: { - vulnerability: { - package: { - name: 'apache2-data', - source: 'apache2', - version: '2.4.29-1ubuntu4.13', - architecture: 'all', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '5.800000', - }, - }, - cve: 'CVE-2020-1927', - title: 'CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'In Apache 
HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.', - severity: 'Medium', - published: '2020-04-02', - updated: '2020-04-03', - state: 'Unfixed', - cwe_reference: 'CWE-601', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html', - 'http://www.openwall.com/lists/oss-security/2020/04/03/1', - 'http://www.openwall.com/lists/oss-security/2020/04/04/1', - 'https://httpd.apache.org/security/vulnerabilities_24.html', - 'https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E', - 'https://security.netapp.com/advisory/ntap-20200413-0002/', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1927', - 'http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927', - 'https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2020-1927 affects apache2-utils', - id: '23504', - firedtimes: 193, - }, - data: { - vulnerability: { - package: { - name: 'apache2-utils', - source: 'apache2', - version: '2.4.29-1ubuntu4.13', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 
'partial', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '5.800000', - }, - }, - cve: 'CVE-2020-1927', - title: 'CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.', - severity: 'Medium', - published: '2020-04-02', - updated: '2020-04-03', - state: 'Unfixed', - cwe_reference: 'CWE-601', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html', - 'http://www.openwall.com/lists/oss-security/2020/04/03/1', - 'http://www.openwall.com/lists/oss-security/2020/04/04/1', - 'https://httpd.apache.org/security/vulnerabilities_24.html', - 'https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E', - 'https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E', - 'https://security.netapp.com/advisory/ntap-20200413-0002/', - 'https://nvd.nist.gov/vuln/detail/CVE-2020-1927', - 'http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927', - 'https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2018-15919 affects openssh-client', - id: '23504', - firedtimes: 197, - }, - data: { - vulnerability: { - package: { - name: 'openssh-client', - source: 'openssh', - version: 
'1:7.6p1-4ubuntu0.3', - architecture: 'amd64', - condition: - 'Package greater or equal than 5.9 and less or equal than 7.8', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'none', - availability: 'none', - }, - base_score: '5', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'low', - integrity_impact: 'none', - availability: 'none', - }, - base_score: '5.300000', - }, - }, - cve: 'CVE-2018-15919', - title: 'CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states \'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.\'', - severity: 'Medium', - published: '2018-08-28', - updated: '2019-03-07', - state: 'Fixed', - cwe_reference: 'CWE-200', - bugzilla_references: [ - 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503', - 'https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919', - ], - references: [ - 'http://seclists.org/oss-sec/2018/q3/180', - 'http://www.securityfocus.com/bid/105163', - 'https://security.netapp.com/advisory/ntap-20181221-0001/', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-15919', - 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html', - 'http://www.openwall.com/lists/oss-security/2018/08/27/2', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2018-15919 affects openssh-server', - id: '23504', - firedtimes: 198, - }, 
- data: { - vulnerability: { - package: { - name: 'openssh-server', - source: 'openssh', - version: '1:7.6p1-4ubuntu0.3', - architecture: 'amd64', - condition: - 'Package greater or equal than 5.9 and less or equal than 7.8', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'none', - availability: 'none', - }, - base_score: '5', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'low', - integrity_impact: 'none', - availability: 'none', - }, - base_score: '5.300000', - }, - }, - cve: 'CVE-2018-15919', - title: 'CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.', - rationale: - 'Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states \'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.\'', - severity: 'Medium', - published: '2018-08-28', - updated: '2019-03-07', - state: 'Fixed', - cwe_reference: 'CWE-200', - bugzilla_references: [ - 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503', - 'https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919', - ], - references: [ - 'http://seclists.org/oss-sec/2018/q3/180', - 'http://www.securityfocus.com/bid/105163', - 'https://security.netapp.com/advisory/ntap-20181221-0001/', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-15919', - 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html', - 'http://www.openwall.com/lists/oss-security/2018/08/27/2', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2019-17595 affects ncurses-base', - id: '23504', - firedtimes: 222, - }, - data: { - vulnerability: { - package: { - name: 'ncurses-base', - source: 'ncurses', - version: '6.1-1ubuntu1.18.04', - architecture: 'all', - condition: 'Package less than 6.1.20191012', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'none', - availability: 'partial', - }, - base_score: '5.800000', - }, - }, - cve: 'CVE-2019-17595', - title: 'CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.', - rationale: - 'There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.', - severity: 'Medium', - published: '2019-10-14', - updated: '2019-12-23', - state: 'Fixed', - cwe_reference: 'CWE-125', - bugzilla_references: [ - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401', - ], - references: 
[ - 'http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html', - 'http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html', - 'https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html', - 'https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-17595', - 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2019-17543 affects liblz4-1', - id: '23504', - firedtimes: 244, - }, - data: { - vulnerability: { - package: { - name: 'liblz4-1', - source: 'lz4', - version: '0.0~r131-2ubuntu2', - architecture: 'amd64', - condition: 'Package less than 1.9.2', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '6.800000', - }, - }, - cve: 'CVE-2019-17543', - title: 'CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - 'LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."',
- severity: 'Medium',
- published: '2019-10-14',
- updated: '2019-10-24',
- state: 'Fixed',
- cwe_reference: 'CWE-120',
- bugzilla_references: [
- 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941',
- 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680',
- ],
- references: [
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html',
- 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941',
- 'https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2',
- 'https://github.com/lz4/lz4/issues/801',
- 'https://github.com/lz4/lz4/pull/756',
- 'https://github.com/lz4/lz4/pull/760',
- 'https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E',
- 'https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E',
- 'https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E',
- 'https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E',
- 'https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E',
- 'https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-17543',
- 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2018-20217 affects libkrb5-3',
- id: '23504',
- firedtimes: 254,
- },
- data: {
- vulnerability: {
- package: {
- name: 'libkrb5-3',
- source: 'krb5',
- version: '1.13.2+dfsg-5ubuntu2.1',
- architecture: 'amd64',
- condition: 'Package unfixed',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'medium',
- authentication: 'single',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'partial',
- },
- base_score: '3.500000',
- },
- cvss3: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'high',
- privileges_required: 'low',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'high',
- },
- base_score: '5.300000',
- },
- },
- cve: 'CVE-2018-20217',
- title: 'CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.',
- rationale:
- 'A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.',
- severity: 'Medium',
- published: '2018-12-26',
- updated: '2019-10-03',
- state: 'Unfixed',
- cwe_reference: 'CWE-617',
- bugzilla_references: [
- 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387',
- 'http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763',
- ],
- references: [
- 'http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763',
- 'https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086',
- 'https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html',
- 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/',
- 'https://security.netapp.com/advisory/ntap-20190416-0006/',
- 'https://nvd.nist.gov/vuln/detail/CVE-2018-20217',
- 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2018-14036 affects accountsservice',
- id: '23504',
- firedtimes: 256,
- },
- data: {
- vulnerability: {
- package: {
- name: 'accountsservice',
- version: '0.6.40-2ubuntu11.3',
- architecture: 'amd64',
- condition: 'Package less than 0.6.50',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- authentication: 'single',
- confidentiality_impact: 'partial',
- integrity_impact: 'none',
- availability: 'none',
- },
- base_score: '4',
- },
- cvss3: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- privileges_required: 'low',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'high',
- integrity_impact: 'none',
- availability: 'none',
- },
- base_score: '6.500000',
- },
- },
- cve: 'CVE-2018-14036',
- title: 'CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.',
- severity: 'Medium',
- published: '2018-07-13',
- updated: '2018-09-06',
- state: 'Fixed',
- cwe_reference: 'CWE-22',
- bugzilla_references: [
- 'https://bugs.freedesktop.org/show_bug.cgi?id=107085',
- 'https://bugzilla.suse.com/show_bug.cgi?id=1099699',
- ],
- references: [
- 'http://www.openwall.com/lists/oss-security/2018/07/02/2',
- 'http://www.securityfocus.com/bid/104757',
- 'https://bugs.freedesktop.org/show_bug.cgi?id=107085',
- 'https://bugzilla.suse.com/show_bug.cgi?id=1099699',
- 'https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a',
- 'https://nvd.nist.gov/vuln/detail/CVE-2018-14036',
- 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2017-7244 affects libpcre3',
- id: '23504',
- firedtimes: 265,
- },
- data: {
- vulnerability: {
- package: {
- name: 'libpcre3',
- source: 'pcre3',
- version: '2:8.38-3.1',
- architecture: 'amd64',
- condition: 'Package unfixed',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'medium',
- authentication: 'none',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'partial',
- },
- base_score: '4.300000',
- },
- cvss3: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- privileges_required: 'none',
- user_interaction: 'required',
- scope: 'unchanged',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'high',
- },
- base_score: '5.500000',
- },
- },
- cve: 'CVE-2017-7244',
- title: 'CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.',
- severity: 'Medium',
- published: '2017-03-23',
- updated: '2018-08-17',
- state: 'Unfixed',
- cwe_reference: 'CWE-125',
- bugzilla_references: [
- 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683',
- 'https://bugs.exim.org/show_bug.cgi?id=2052',
- 'https://bugs.exim.org/show_bug.cgi?id=2054',
- ],
- references: [
- 'http://www.securityfocus.com/bid/97067',
- 'https://access.redhat.com/errata/RHSA-2018:2486',
- 'https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/',
- 'https://security.gentoo.org/glsa/201710-25',
- 'https://nvd.nist.gov/vuln/detail/CVE-2017-7244',
- 'http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 5,
- description: 'CVE-2020-8631 affects grub-legacy-ec2',
- id: '23503',
- firedtimes: 32,
- },
- data: {
- vulnerability: {
- package: {
- name: 'grub-legacy-ec2',
- source: 'cloud-init',
- version: '19.4-33-gbb4131a2-0ubuntu1~16.04.1',
- architecture: 'all',
- condition: 'Package less or equal than 19.4',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'partial',
- integrity_impact: 'none',
- availability: 'none',
- },
- base_score: '2.100000',
- },
- },
- cve: 'CVE-2020-8631',
- title: 'CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.',
- severity: 'Low',
- published: '2020-02-05',
- updated: '2020-02-21',
- state: 'Fixed',
- cwe_reference: 'CWE-330',
- references: [
- 'http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html',
- 'https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795',
- 'https://github.com/canonical/cloud-init/pull/204',
- 'https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html',
- 'https://nvd.nist.gov/vuln/detail/CVE-2020-8631',
- 'http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2019-20079 affects vim',
- id: '23505',
- firedtimes: 109,
- },
- data: {
- vulnerability: {
- package: {
- name: 'vim',
- version: '2:7.4.1689-3ubuntu1.4',
- architecture: 'amd64',
- condition: 'Package less than 8.1.2136',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'partial',
- integrity_impact: 'partial',
- availability: 'partial',
- },
- base_score: '7.500000',
- },
- },
- cve: 'CVE-2019-20079',
- title:
- 'The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.',
- severity: 'High',
- published: '2019-12-30',
- updated: '2020-03-30',
- state: 'Fixed',
- cwe_reference: 'CWE-416',
- references: [
- 'https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421',
- 'https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136',
- 'https://packetstormsecurity.com/files/154898',
- 'https://usn.ubuntu.com/4309-1/',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-20079',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2016-4484 affects cryptsetup',
- id: '23504',
- firedtimes: 290,
- },
- data: {
- vulnerability: {
- package: {
- name: 'cryptsetup',
- version: '2:1.6.6-5ubuntu2.1',
- architecture: 'amd64',
- condition: 'Package less or equal than 2.1.7.3-2',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'complete',
- integrity_impact: 'complete',
- availability: 'complete',
- },
- base_score: '7.200000',
- },
- cvss3: {
- vector: {
- attack_vector: 'physical',
- access_complexity: 'low',
- privileges_required: 'none',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'high',
- integrity_impact: 'high',
- availability: 'high',
- },
- base_score: '6.800000',
- },
- },
- cve: 'CVE-2016-4484',
- title: 'CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.',
- severity: 'Medium',
- published: '2017-01-23',
- updated: '2017-01-26',
- state: 'Fixed',
- cwe_reference: 'CWE-287',
- bugzilla_references: ['https://launchpad.net/bugs/1660701'],
- references: [
- 'http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html',
- 'http://www.openwall.com/lists/oss-security/2016/11/14/13',
- 'http://www.openwall.com/lists/oss-security/2016/11/15/1',
- 'http://www.openwall.com/lists/oss-security/2016/11/15/4',
- 'http://www.openwall.com/lists/oss-security/2016/11/16/6',
- 'http://www.securityfocus.com/bid/94315',
- 'https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb',
- 'https://nvd.nist.gov/vuln/detail/CVE-2016-4484',
- 'http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2019-13050 affects gnupg',
- id: '23505',
- firedtimes: 114,
- },
- data: {
- vulnerability: {
- package: {
- name: 'gnupg',
- version: '1.4.20-1ubuntu3.3',
- architecture: 'amd64',
- condition: 'Package less or equal than 2.2.16',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'partial',
- },
- base_score: '5',
- },
- cvss3: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- privileges_required: 'none',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'high',
- },
- base_score: '7.500000',
- },
- },
- cve: 'CVE-2019-13050',
- title: 'CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.',
- severity: 'High',
- published: '2019-06-29',
- updated: '2019-07-09',
- state: 'Fixed',
- cwe_reference: 'CWE-297',
- bugzilla_references: [
- 'https://bugs.launchpad.net/bugs/1844059',
- 'https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050',
- 'https://dev.gnupg.org/T4591',
- 'https://dev.gnupg.org/T4607',
- 'https://dev.gnupg.org/T4628',
- ],
- references: [
- 'http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html',
- 'https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f',
- 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/',
- 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/',
- 'https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html',
- 'https://support.f5.com/csp/article/K08654551',
- 'https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS',
- 'https://twitter.com/lambdafu/status/1147162583969009664',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-13050',
- 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2018-7738 affects mount',
- id: '23505',
- firedtimes: 128,
- },
- data: {
- vulnerability: {
- package: {
- name: 'mount',
- source: 'util-linux',
- version: '2.27.1-6ubuntu3.10',
- architecture: 'amd64',
- condition: 'Package less or equal than 2.31',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'complete',
- integrity_impact: 'complete',
- availability: 'complete',
- },
- base_score: '7.200000',
- },
- cvss3: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- privileges_required: 'low',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'high',
- integrity_impact: 'high',
- availability: 'high',
- },
- base_score: '7.800000',
- },
- },
- cve: 'CVE-2018-7738',
- title: 'CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.',
- rationale:
- 'In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.',
- severity: 'High',
- published: '2018-03-07',
- updated: '2019-10-03',
- state: 'Fixed',
- cwe_reference: 'NVD-CWE-noinfo',
- bugzilla_references: [
- 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179',
- 'https://github.com/karelzak/util-linux/issues/539',
- ],
- references: [
- 'http://www.securityfocus.com/bid/103367',
- 'https://bugs.debian.org/892179',
- 'https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55',
- 'https://github.com/karelzak/util-linux/issues/539',
- 'https://www.debian.org/security/2018/dsa-4134',
- 'https://nvd.nist.gov/vuln/detail/CVE-2018-7738',
- 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2018-7738 affects util-linux',
- id: '23505',
- firedtimes: 129,
- },
- data: {
- vulnerability: {
- package: {
- name: 'util-linux',
- version: '2.27.1-6ubuntu3.10',
- architecture: 'amd64',
- condition: 'Package less or equal than 2.31',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'complete',
- integrity_impact: 'complete',
- availability: 'complete',
- },
- base_score: '7.200000',
- },
- cvss3: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- privileges_required: 'low',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'high',
- integrity_impact: 'high',
- availability: 'high',
- },
- base_score: '7.800000',
- },
- },
- cve: 'CVE-2018-7738',
- title: 'CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.',
- rationale:
- 'In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.',
- severity: 'High',
- published: '2018-03-07',
- updated: '2019-10-03',
- state: 'Fixed',
- cwe_reference: 'NVD-CWE-noinfo',
- bugzilla_references: [
- 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179',
- 'https://github.com/karelzak/util-linux/issues/539',
- ],
- references: [
- 'http://www.securityfocus.com/bid/103367',
- 'https://bugs.debian.org/892179',
- 'https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55',
- 'https://github.com/karelzak/util-linux/issues/539',
- 'https://www.debian.org/security/2018/dsa-4134',
- 'https://nvd.nist.gov/vuln/detail/CVE-2018-7738',
- 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2018-7738 affects uuid-runtime',
- id: '23505',
- firedtimes: 130,
- },
- data: {
- vulnerability: {
- package: {
- name: 'uuid-runtime',
- source: 'util-linux',
- version: '2.27.1-6ubuntu3.10',
- architecture: 'amd64',
- condition: 'Package less or equal than 2.31',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'complete',
- integrity_impact: 'complete',
- availability: 'complete',
- },
- base_score: '7.200000',
- },
- cvss3: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- privileges_required: 'low',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'high',
- integrity_impact: 'high',
- availability: 'high',
- },
- base_score: '7.800000',
- },
- },
- cve: 'CVE-2018-7738',
- title: 'CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.',
- rationale:
- 'In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.',
- severity: 'High',
- published: '2018-03-07',
- updated: '2019-10-03',
- state: 'Fixed',
- cwe_reference: 'NVD-CWE-noinfo',
- bugzilla_references: [
- 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179',
- 'https://github.com/karelzak/util-linux/issues/539',
- ],
- references: [
- 'http://www.securityfocus.com/bid/103367',
- 'https://bugs.debian.org/892179',
- 'https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55',
- 'https://github.com/karelzak/util-linux/issues/539',
- 'https://www.debian.org/security/2018/dsa-4134',
- 'https://nvd.nist.gov/vuln/detail/CVE-2018-7738',
- 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 5,
- description: 'CVE-2019-1547 affects libssl1.0.0',
- id: '23503',
- firedtimes: 35,
- },
- data: {
- vulnerability: {
- package: {
- name: 'libssl1.0.0',
- source: 'openssl',
- version: '1.0.2g-1ubuntu4.15',
- architecture: 'amd64',
- condition:
- 'Package greater or equal than 1.0.2 and less or equal than 1.0.2s',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'medium',
- authentication: 'none',
- confidentiality_impact: 'partial',
- integrity_impact: 'none',
- availability: 'none',
- },
- base_score: '1.900000',
- },
- },
- cve: 'CVE-2019-1547',
- title: 'CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).',
- severity: 'Low',
- published: '2019-09-10',
- updated: '2019-09-12',
- state: 'Fixed',
- cwe_reference: 'CWE-311',
- references: [
- 'http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html',
- 'http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html',
- 'https://arxiv.org/abs/1909.01785',
- 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46',
- 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8',
- 'https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a',
- 'https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html',
- 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/',
- 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/',
- 'https://seclists.org/bugtraq/2019/Oct/0',
- 'https://seclists.org/bugtraq/2019/Oct/1',
- 'https://seclists.org/bugtraq/2019/Sep/25',
- 'https://security.gentoo.org/glsa/201911-04',
- 'https://security.netapp.com/advisory/ntap-20190919-0002/',
- 'https://security.netapp.com/advisory/ntap-20200122-0002/',
- 'https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS',
- 'https://www.debian.org/security/2019/dsa-4539',
- 'https://www.debian.org/security/2019/dsa-4540',
- 'https://www.openssl.org/news/secadv/20190910.txt',
- 'https://www.oracle.com/security-alerts/cpuapr2020.html',
- 'https://www.oracle.com/security-alerts/cpujan2020.html',
- 'https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html',
- 'https://www.tenable.com/security/tns-2019-08',
- 'https://www.tenable.com/security/tns-2019-09',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-1547',
- 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547',
- 'https://usn.ubuntu.com/usn/usn-4376-1',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2019-3843 affects systemd',
- id: '23505',
- firedtimes: 134,
- },
- data: {
- vulnerability: {
- package: {
- name: 'systemd',
- version: '229-4ubuntu21.27',
- architecture: 'amd64',
- condition: 'Package less than 242',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'partial',
- integrity_impact: 'partial',
- availability: 'partial',
- },
- base_score: '4.600000',
- },
- cvss3: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- privileges_required: 'low',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'high',
- integrity_impact: 'high',
- availability: 'high',
- },
- base_score: '7.800000',
- },
- },
- cve: 'CVE-2019-3843',
- title:
- 'It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.',
- severity: 'High',
- published: '2019-04-26',
- updated: '2019-06-19',
- state: 'Fixed',
- cwe_reference: 'CWE-264',
- references: [
- 'http://www.securityfocus.com/bid/108116',
- 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843',
- 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/',
- 'https://security.netapp.com/advisory/ntap-20190619-0002/',
- 'https://usn.ubuntu.com/4269-1/',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-3843',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2019-11727 affects thunderbird',
- id: '23504',
- firedtimes: 312,
- },
- data: {
- vulnerability: {
- package: {
- name: 'thunderbird',
- version: '1:68.8.0+build2-0ubuntu0.16.04.2',
- architecture: 'amd64',
- condition: 'Package unfixed',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'none',
- integrity_impact: 'partial',
- availability: 'none',
- },
- base_score: '5',
- },
- cvss3: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- privileges_required: 'none',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'none',
- integrity_impact: 'low',
- availability: 'none',
- },
- base_score: '5.300000',
- },
- },
- cve: 'CVE-2019-11727',
- title: 'CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.',
- rationale:
- 'A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.',
- severity: 'Medium',
- published: '2019-07-23',
- updated: '2019-07-30',
- state: 'Unfixed',
- cwe_reference: 'CWE-295',
- bugzilla_references: [
- 'https://bugzilla.mozilla.org/show_bug.cgi?id=1552208',
- ],
- references: [
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html',
- 'http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html',
- 'https://access.redhat.com/errata/RHSA-2019:1951',
- 'https://bugzilla.mozilla.org/show_bug.cgi?id=1552208',
- 'https://security.gentoo.org/glsa/201908-12',
- 'https://www.mozilla.org/security/advisories/mfsa2019-21/',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-11727',
- 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727',
- 'https://usn.ubuntu.com/usn/usn-4054-1',
- 'https://usn.ubuntu.com/usn/usn-4060-1',
- 'https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2019-18276 affects bash',
- id: '23505',
- firedtimes: 158,
- },
- data: {
- vulnerability: {
- package: {
- name: 'bash',
- version: '4.3-14ubuntu1.4',
- architecture: 'amd64',
- condition: 'Package less or equal than 5.0',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'complete',
- integrity_impact: 'complete',
- availability: 'complete',
- },
- base_score: '7.200000',
- },
- },
- cve: 'CVE-2019-18276',
- title: 'CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.',
- severity: 'High',
- published: '2019-11-28',
- updated: '2020-04-30',
- state: 'Fixed',
- cwe_reference: 'CWE-273',
- bugzilla_references: [
- 'https://bugzilla.suse.com/show_bug.cgi?id=1158028',
- ],
- references: [
- 'http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html',
- 'https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff',
- 'https://security.netapp.com/advisory/ntap-20200430-0003/',
- 'https://www.youtube.com/watch?v=-wGtxJ8opa8',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-18276',
- 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2017-9502 affects curl',
- id: '23504',
- firedtimes: 334,
- },
- data: {
- vulnerability: {
- package: {
- name: 'curl',
- version: '7.47.0-1ubuntu2.14',
- architecture: 'amd64',
- condition: 'Package less or equal than 7.54.0',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'partial',
- },
- base_score: '5',
- },
- cvss3: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- privileges_required: 'none',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'low',
- },
- base_score: '5.300000',
- },
- },
- cve: 'CVE-2017-9502',
- title:
- 'In curl before 7.54.1 on Windows and DOS, libcurl\'s default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://").',
- severity: 'Medium',
- published: '2017-06-14',
- updated: '2017-07-08',
- state: 'Fixed',
- cwe_reference: 'CWE-119',
- references: [
- 'http://openwall.com/lists/oss-security/2017/06/14/1',
- 'http://www.securityfocus.com/bid/99120',
- 'http://www.securitytracker.com/id/1038697',
- 'https://curl.haxx.se/docs/adv_20170614.html',
- 'https://nvd.nist.gov/vuln/detail/CVE-2017-9502',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 10,
- description: 'CVE-2018-20483 affects wget',
- id: '23505',
- firedtimes: 175,
- },
- data: {
- vulnerability: {
- package: {
- name: 'wget',
- version: '1.17.1-1ubuntu1.5',
- architecture: 'amd64',
- condition: 'Package less than 1.20.1',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'partial',
- integrity_impact: 'none',
- availability: 'none',
- },
- base_score: '2.100000',
- },
- cvss3: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- privileges_required: 'low',
- user_interaction: 'none',
- scope: 'unchanged',
- confidentiality_impact: 'high',
- integrity_impact: 'high',
- availability: 'high',
- },
- base_score: '7.800000',
- },
- },
- cve: 'CVE-2018-20483',
- title:
- "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.",
- severity: 'High',
- published: '2018-12-26',
- updated: '2019-04-09',
- state: 'Fixed',
- cwe_reference: 'CWE-255',
- references: [
- 'http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS',
- 'http://www.securityfocus.com/bid/106358',
- 'https://access.redhat.com/errata/RHSA-2019:3701',
- 'https://security.gentoo.org/glsa/201903-08',
- 'https://security.netapp.com/advisory/ntap-20190321-0002/',
- 'https://twitter.com/marcan42/status/1077676739877232640',
- 'https://usn.ubuntu.com/3943-1/',
- 'https://nvd.nist.gov/vuln/detail/CVE-2018-20483',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2019-1010204 affects binutils',
- id: '23504',
- firedtimes: 369,
- },
- data: {
- vulnerability: {
- package: {
- name: 'binutils',
- version: '2.26.1-1ubuntu1~16.04.8',
- architecture: 'amd64',
- condition:
- 'Package greater or equal than 2.21 and less or equal than 2.31.1',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'medium',
- authentication: 'none',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'partial',
- },
- base_score: '4.300000',
- },
- cvss3: {
- vector: {
- attack_vector: 'local',
- access_complexity: 'low',
- privileges_required: 'none',
- user_interaction: 'required',
- scope: 'unchanged',
- confidentiality_impact: 'none',
- integrity_impact: 'none',
- availability: 'high',
- },
- base_score: '5.500000',
- },
- },
- cve: 'CVE-2019-1010204',
- title: 'CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.',
- rationale:
- 'GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.',
- severity: 'Medium',
- published: '2019-07-23',
- updated: '2019-08-22',
- state: 'Fixed',
- cwe_reference: 'CWE-125',
- bugzilla_references: [
- 'https://sourceware.org/bugzilla/show_bug.cgi?id=23765',
- ],
- references: [
- 'https://security.netapp.com/advisory/ntap-20190822-0001/',
- 'https://sourceware.org/bugzilla/show_bug.cgi?id=23765',
- 'https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS',
- 'https://nvd.nist.gov/vuln/detail/CVE-2019-1010204',
- 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html',
- 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204',
- ],
- assigner: 'cve@mitre.org',
- cve_version: '4.0',
- status: 'Active',
- },
- },
- },
- {
- rule: {
- level: 7,
- description: 'CVE-2019-14855 affects dirmngr',
- id: '23504',
- firedtimes: 382,
- },
- data: {
- vulnerability: {
- package: {
- name: 'dirmngr',
- source: 'gnupg2',
- version: '2.1.11-6ubuntu2.1',
- architecture: 'amd64',
- condition: 'Package unfixed',
- },
- cvss: {
- cvss2: {
- vector: {
- attack_vector: 'network',
- access_complexity: 'low',
- authentication: 'none',
- confidentiality_impact: 'partial',
- integrity_impact: 'none',
- availability: 'none',
- },
- base_score: '5',
- },
- },
- cve: 'CVE-2019-14855', - title: 'CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - 'A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.', - severity: 'Medium', - published: '2020-03-20', - updated: '2020-03-24', - state: 'Unfixed', - cwe_reference: 'CWE-327', - bugzilla_references: ['https://dev.gnupg.org/T4755'], - references: [ - 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855', - 'https://dev.gnupg.org/T4755', - 'https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html', - 'https://rwc.iacr.org/2020/slides/Leurent.pdf', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-14855', - 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855', - 'https://eprint.iacr.org/2020/014.pdf', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2016-5011 affects uuid-runtime', - id: '23504', - firedtimes: 395, - }, - data: { - vulnerability: { - package: { - name: 'uuid-runtime', - source: 'util-linux', - version: '2.27.1-6ubuntu3.10', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'complete', - }, - base_score: '4.700000', - }, - cvss3: { - vector: { - attack_vector: 'physical', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'required', - scope: 'unchanged', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'high', - }, - base_score: '4.300000', - }, - }, - cve: 'CVE-2016-5011', - title: 'CVE-2016-5011 on Ubuntu 16.04 LTS 
(xenial) - low.', - rationale: - 'The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.', - severity: 'Medium', - published: '2017-04-11', - updated: '2017-04-17', - state: 'Unfixed', - cwe_reference: 'CWE-399', - bugzilla_references: [ - 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802', - 'https://bugzilla.redhat.com/show_bug.cgi?id=1349536', - ], - references: [ - 'http://rhn.redhat.com/errata/RHSA-2016-2605.html', - 'http://www.openwall.com/lists/oss-security/2016/07/11/2', - 'http://www.securityfocus.com/bid/91683', - 'http://www.securitytracker.com/id/1036272', - 'http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543', - 'http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801', - 'https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3', - 'https://nvd.nist.gov/vuln/detail/CVE-2016-5011', - 'http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2015-5191 affects open-vm-tools', - id: '23504', - firedtimes: 396, - }, - data: { - vulnerability: { - package: { - name: 'open-vm-tools', - version: '2:10.2.0-3~ubuntu0.16.04.1', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'local', - access_complexity: 'high', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '3.700000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'high', - privileges_required: 'low', - user_interaction: 'required', - scope: 'unchanged', - 
confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '6.700000', - }, - }, - cve: 'CVE-2015-5191', - title: 'CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - 'VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H', - severity: 'Medium', - published: '2017-07-28', - updated: '2017-08-08', - state: 'Unfixed', - cwe_reference: 'CWE-362', - bugzilla_references: [ - 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633', - ], - references: [ - 'http://www.securityfocus.com/bid/100011', - 'http://www.securitytracker.com/id/1039013', - 'https://www.vmware.com/security/advisories/VMSA-2017-0013.html', - 'https://nvd.nist.gov/vuln/detail/CVE-2015-5191', - 'http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2018-8975 affects netpbm', - id: '23504', - firedtimes: 397, - }, - data: { - vulnerability: { - package: { - name: 'netpbm', - source: 'netpbm-free', - version: '2:10.0-15.3', - architecture: 'amd64', - condition: 'Package less or equal than 10.81.03', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'medium', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'partial', - }, - base_score: '4.300000', - }, - cvss3: { - vector: { - attack_vector: 'local', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'required', - scope: 'unchanged', - confidentiality_impact: 'none', - integrity_impact: 'none', - availability: 'high', - }, - base_score: '5.500000', - }, - 
}, - cve: 'CVE-2018-8975', - title: - 'The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.', - severity: 'Medium', - published: '2018-03-25', - updated: '2019-10-03', - state: 'Fixed', - cwe_reference: 'CWE-125', - references: [ - 'http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html', - 'https://github.com/xiaoqx/pocs/blob/master/netpbm', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-8975', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 7, - description: 'CVE-2019-19232 affects sudo', - id: '23504', - firedtimes: 398, - }, - data: { - vulnerability: { - package: { - name: 'sudo', - version: '1.8.16-0ubuntu1.9', - architecture: 'amd64', - condition: 'Package less or equal than 1.8.29', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'none', - integrity_impact: 'partial', - availability: 'none', - }, - base_score: '5', - }, - }, - cve: 'CVE-2019-19232', - title: 'CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - '** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.', - severity: 'Medium', - published: '2019-12-19', - updated: '2020-01-30', - state: 'Fixed', - cwe_reference: 'NVD-CWE-noinfo', - bugzilla_references: [ - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225', - ], - references: [ - 'http://seclists.org/fulldisclosure/2020/Mar/31', - 'https://access.redhat.com/security/cve/cve-2019-19232', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/', - 'https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103', - 'https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812', - 'https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979', - 'https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870', - 'https://security.netapp.com/advisory/ntap-20200103-0004/', - 'https://support.apple.com/en-gb/HT211100', - 'https://support.apple.com/kb/HT211100', - 'https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232', - 'https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506', - 'https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html', - 'https://www.oracle.com/security-alerts/bulletinapr2020.html', - 'https://www.sudo.ws/devel.html#1.8.30b2', - 'https://www.sudo.ws/stable.html', - 'https://www.tenable.com/plugins/nessus/133936', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-19232', - 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2017-12588 affects rsyslog', - id: '23506', - 
firedtimes: 64, - }, - data: { - vulnerability: { - package: { - name: 'rsyslog', - version: '8.16.0-1ubuntu3.1', - architecture: 'amd64', - condition: 'Package less or equal than 8.27.0', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2017-12588', - title: - 'The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.', - severity: 'Critical', - published: '2017-08-06', - updated: '2017-08-14', - state: 'Fixed', - cwe_reference: 'CWE-134', - references: [ - 'https://github.com/rsyslog/rsyslog/blob/master/ChangeLog', - 'https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b', - 'https://github.com/rsyslog/rsyslog/pull/1565', - 'https://nvd.nist.gov/vuln/detail/CVE-2017-12588', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2017-18342 affects python3-yaml', - id: '23506', - firedtimes: 65, - }, - data: { - vulnerability: { - package: { - name: 'python3-yaml', - source: 'pyyaml', - version: '3.11-3build1', - architecture: 'amd64', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - 
attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2017-18342', - title: 'CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - "In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.", - severity: 'Critical', - published: '2018-06-27', - updated: '2019-06-24', - state: 'Unfixed', - cwe_reference: 'CWE-20', - bugzilla_references: [ - 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878', - ], - references: [ - 'https://github.com/marshmallow-code/apispec/issues/278', - 'https://github.com/yaml/pyyaml/blob/master/CHANGES', - 'https://github.com/yaml/pyyaml/issues/193', - 'https://github.com/yaml/pyyaml/pull/74', - 'https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/', - 'https://security.gentoo.org/glsa/202003-45', - 'https://nvd.nist.gov/vuln/detail/CVE-2017-18342', - 'http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2017-15994 affects rsync', - id: '23506', - firedtimes: 66, - }, - data: { - 
vulnerability: { - package: { - name: 'rsync', - version: '3.1.1-3ubuntu1.3', - architecture: 'amd64', - condition: 'Package less or equal than 3.1.2', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2017-15994', - title: - 'rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.', - severity: 'Critical', - published: '2017-10-29', - updated: '2019-10-03', - state: 'Fixed', - cwe_reference: 'CWE-354', - references: [ - 'https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3', - 'https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55', - 'https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b', - 'https://nvd.nist.gov/vuln/detail/CVE-2017-15994', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2019-9169 affects libc6', - id: '23506', - firedtimes: 68, - }, - data: { - vulnerability: { - package: { - name: 'libc6', - source: 'glibc', - version: '2.23-0ubuntu11', - architecture: 'amd64', - condition: 'Package less or equal than 2.29', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 
'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2019-9169', - title: 'CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - 'In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.', - severity: 'Critical', - published: '2019-02-26', - updated: '2019-04-16', - state: 'Fixed', - cwe_reference: 'CWE-125', - bugzilla_references: [ - 'https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140', - 'https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142', - 'https://sourceware.org/bugzilla/show_bug.cgi?id=24114', - ], - references: [ - 'http://www.securityfocus.com/bid/107160', - 'https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140', - 'https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142', - 'https://kc.mcafee.com/corporate/index?page=content&id=SB10278', - 'https://security.netapp.com/advisory/ntap-20190315-0002/', - 'https://sourceware.org/bugzilla/show_bug.cgi?id=24114', - 'https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9', - 'https://support.f5.com/csp/article/K54823184', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-9169', - 'http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2017-15088 affects krb5-locales', - id: '23506', - firedtimes: 73, - }, - data: { - vulnerability: { - 
package: { - name: 'krb5-locales', - source: 'krb5', - version: '1.13.2+dfsg-5ubuntu2.1', - architecture: 'all', - condition: 'Package unfixed', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2017-15088', - title: 'CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.', - rationale: - 'plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.', - severity: 'Critical', - published: '2017-11-23', - updated: '2019-10-09', - state: 'Unfixed', - cwe_reference: 'CWE-119', - bugzilla_references: [ - 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698', - ], - references: [ - 'http://www.securityfocus.com/bid/101594', - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698', - 'https://bugzilla.redhat.com/show_bug.cgi?id=1504045', - 'https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4', - 'https://github.com/krb5/krb5/pull/707', - 'https://nvd.nist.gov/vuln/detail/CVE-2017-15088', - 'http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2018-6485 affects libc-bin', - id: '23506', - firedtimes: 78, - }, - data: { - vulnerability: { - package: { - name: 'libc-bin', - source: 'glibc', - version: '2.23-0ubuntu11', - architecture: 'amd64', - condition: 'Package less or equal than 2.26', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2018-6485', - title: 'CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.', - rationale: - 'An integer overflow in the implementation of the 
posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.', - severity: 'Critical', - published: '2018-02-01', - updated: '2019-12-10', - state: 'Fixed', - cwe_reference: 'CWE-190', - bugzilla_references: [ - 'http://bugs.debian.org/878159', - 'https://sourceware.org/bugzilla/show_bug.cgi?id=22343', - ], - references: [ - 'http://bugs.debian.org/878159', - 'http://www.securityfocus.com/bid/102912', - 'https://access.redhat.com/errata/RHBA-2019:0327', - 'https://access.redhat.com/errata/RHSA-2018:3092', - 'https://security.netapp.com/advisory/ntap-20190404-0003/', - 'https://sourceware.org/bugzilla/show_bug.cgi?id=22343', - 'https://usn.ubuntu.com/4218-1/', - 'https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html', - 'https://nvd.nist.gov/vuln/detail/CVE-2018-6485', - 'http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485', - 'https://usn.ubuntu.com/usn/usn-4218-1', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2016-7944 affects libxfixes3', - id: '23506', - firedtimes: 82, - }, - data: { - vulnerability: { - package: { - name: 'libxfixes3', - source: 'libxfixes', - version: '1:5.0.1-2', - architecture: 'amd64', - condition: 'Package less or equal than 5.0.2', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - 
integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2016-7944', - title: 'CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - 'Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.', - severity: 'Critical', - published: '2016-12-13', - updated: '2017-07-01', - state: 'Fixed', - cwe_reference: 'CWE-190', - bugzilla_references: [ - 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442', - ], - references: [ - 'http://www.openwall.com/lists/oss-security/2016/10/04/2', - 'http://www.openwall.com/lists/oss-security/2016/10/04/4', - 'http://www.securityfocus.com/bid/93361', - 'http://www.securitytracker.com/id/1036945', - 'https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/', - 'https://lists.x.org/archives/xorg-announce/2016-October/002720.html', - 'https://security.gentoo.org/glsa/201704-03', - 'https://nvd.nist.gov/vuln/detail/CVE-2016-7944', - 'http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2016-7947 affects libxrandr2', - id: '23506', - firedtimes: 83, - }, - data: { - vulnerability: { - package: { - name: 'libxrandr2', - source: 'libxrandr', - version: '2:1.5.0-1', - architecture: 'amd64', - condition: 'Package less or equal than 1.5.0', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 
'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2016-7947', - title: 'CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - 'Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.', - severity: 'Critical', - published: '2016-12-13', - updated: '2017-07-01', - state: 'Fixed', - cwe_reference: 'CWE-787', - references: [ - 'http://www.openwall.com/lists/oss-security/2016/10/04/2', - 'http://www.openwall.com/lists/oss-security/2016/10/04/4', - 'http://www.securityfocus.com/bid/93365', - 'http://www.securitytracker.com/id/1036945', - 'https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/', - 'https://lists.x.org/archives/xorg-announce/2016-October/002720.html', - 'https://security.gentoo.org/glsa/201704-03', - 'https://nvd.nist.gov/vuln/detail/CVE-2016-7947', - 'http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947', - ], - assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, - { - rule: { - level: 13, - description: 'CVE-2016-7948 affects libxrandr2', - id: '23506', - firedtimes: 84, - }, - data: { - 
vulnerability: { - package: { - name: 'libxrandr2', - source: 'libxrandr', - version: '2:1.5.0-1', - architecture: 'amd64', - condition: 'Package less or equal than 1.5.0', - }, - cvss: { - cvss2: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - authentication: 'none', - confidentiality_impact: 'partial', - integrity_impact: 'partial', - availability: 'partial', - }, - base_score: '7.500000', - }, - cvss3: { - vector: { - attack_vector: 'network', - access_complexity: 'low', - privileges_required: 'none', - user_interaction: 'none', - scope: 'unchanged', - confidentiality_impact: 'high', - integrity_impact: 'high', - availability: 'high', - }, - base_score: '9.800000', - }, - }, - cve: 'CVE-2016-7948', - title: 'CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.', - rationale: - 'X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.', - severity: 'Critical', - published: '2016-12-13', - updated: '2017-07-01', - state: 'Fixed', - cwe_reference: 'CWE-787', - references: [ - 'http://www.openwall.com/lists/oss-security/2016/10/04/2', - 'http://www.openwall.com/lists/oss-security/2016/10/04/4', - 'http://www.securityfocus.com/bid/93373', - 'http://www.securitytracker.com/id/1036945', - 'https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/', - 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/', - 'https://lists.x.org/archives/xorg-announce/2016-October/002720.html', - 'https://security.gentoo.org/glsa/201704-03', - 'https://nvd.nist.gov/vuln/detail/CVE-2016-7948', - 'http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948', - ], - 
assigner: 'cve@mitre.org', - cve_version: '4.0', - status: 'Active', - }, - }, - }, -]; diff --git a/scripts/wazuh-alerts-generator/lib/modules/web.js b/scripts/wazuh-alerts-generator/lib/modules/web.js deleted file mode 100644 index ae1389a2c2..0000000000 --- a/scripts/wazuh-alerts-generator/lib/modules/web.js +++ /dev/null 
@@ -1,106 +0,0 @@
-/*
- * Wazuh app - Docker sample data
- * Copyright (C) 2015-2022 Wazuh, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Find more information about this on the LICENSE file.
- */
-
-module.exports.Protocols = ['GET'];
-
-module.exports.urls = ['/', '/index.asp', '/remote/login?lang=en', '/index.php?lang=en', '/phpmyadmin2020/index.php?lang=en', '/pma2020/index.php?lang=en', '/administrator/admin/index.php?lang=en', ' /administrator/pma/index.php?lang=en', '/administrator/db/index.php?lang=en', '/db/phpMyAdmin-3/index.php?lang=en',
-'/db/myadmin/index.php?lang=en', '/sql/phpMyAdmin/index.php?lang=en', '/sql/phpmyadmin2/index.php?lang=en', '/sql/sqlweb/index.php?lang=en', '/mysql/web/index.php?lang=en', '/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en', '/shopdb/index.php?lang=en']
-
-
-module.exports.userAgents = [ // https://deviceatlas.com/blog/list-of-user-agent-strings
- // Desktop
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0',
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246',
- 'Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36',
- 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9',
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36',
-
- // Smartphones
- 'Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36' ,
- 'Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36',
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1',
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1',
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1',
-
- // Tablets
- 'Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36',
- 'Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36',
- 'Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36',
- 'Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36',
- 'Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36',
-
- // Mobile browsers
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1',
- 'Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30',
- 'Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36',
- 'Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996',
- 'Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0',
- 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4',
- 'Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36',
- 'Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3',
-
- // Consoles
- 'Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US',
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393',
- 'Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586',
- 'Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)',
- 'Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2',
- 'Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU'
-];
-
-module.exports.data = [
- {
- "rule": {
- "firedtimes": 6,
- "mail": false,
- "level": 5,
- "pci_dss": ["6.5","11.4"],
- "description": "Web server 400 error code.",
- "groups": ["web","accesslog","attack"],
- "id": "31101",
- "nist_800_53": ["SA.11","SI.4"],
- "gdpr": ["IV_35.7.d"]
- },
- "location": "/var/log/httpd/access_log",
- "decoder": {
- "name": "web-accesslog"
- },
- "full_log": "{data.srcip} - - [{_date}] \"{data.protocol} {data.url} HTTP/1.1\" {data.id} 219 \"-\" \"{_user_agent}\"",
- },
- {
- "previous_output": "94.111.43.1 - - [24/Apr/2020:07:34:21 +0000] \"GET /phpmyadmin2019/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:20 +0000] \"GET /phpmyadmin2018/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:20 +0000] \"GET /phpmyadmin2017/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2016/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2015/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2014/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:19 +0000] \"GET /phpmyadmin2013/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:18 +0000] \"GET /phpmyadmin2012/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:18 +0000] \"GET /phpmyadmin2011/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:17 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 215 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"\n94.111.43.1 - - [24/Apr/2020:07:34:17 +0000] \"GET /pma2019/index.php?lang=en HTTP/1.1\" 404 215 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\"",
- // "data": {
- // "protocol": "GET",
- // "srcip": "94.111.43.1",
- // "id": "404",
- // "url": "/phpmyadmin2020/index.php?lang=en"
- // },
- "rule": {
- "firedtimes": 8,
- "mail": false,
- "level": 10,
- "pci_dss": ["6.5","11.4"],
- "description": "Multiple web server 400 error codes from same source ip.",
- "groups": ["web","accesslog","web_scan","recon"],
- "id": "31151",
- "nist_800_53": ["SA.11","SI.4"],
- "frequency": 14,
- "gdpr": ["IV_35.7.d"]
- },
- "decoder": {
- "name": "web-accesslog"
- },
- "full_log": "{data.srcip} - - [{_date}] \"{data.protocol} {data.url} HTTP/1.1\" {data.id} 222 \"-\" \"{_user_agent}\"",
- "location": "/var/log/httpd/access_log",
- }
-]
\ No newline at end of file