
Commit ea0cb8f

committed
Merge branch 'development' - v1.09
2 parents dce0e14 + 3ecaed6 commit ea0cb8f


17 files changed

+301
-200
lines changed


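--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,16 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v1.09] - 2016-05-12
+### Added
+- Decoders and rules for Amazon
+
+### Changed
+- Amazon directory structure.
+- Minor changes:
+- Apache and Nginx rules.
+- RH7 rootchecks.
+
 ## [v1.08] - 2016-05-05
 ### Added
 - Redis decoders and rules.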

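--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.08
+1.09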

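--- a/ossec_ruleset.py
+++ b/ossec_ruleset.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # OSSEC Ruleset Update
 
-# v2.3.2 2016/05/05
+# v2.3.3 2016/06/11
 # Created by Wazuh, Inc. <[email protected]>.
 
 # This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
@@ -851,23 +851,20 @@ def setup_decoders(decoder):
 
 def setup_rules(rule):
 if rule == "ossec":
-new_ossec_rules_path = "{0}/ossec/rules/*rules*.xml".format(new_rules_path)
-ossec_rules = sorted(glob.glob(new_ossec_rules_path))
+rules_path = "{0}/ossec/rules/*_rules.xml".format(new_rules_path)
+else:
+rules_path = "{0}/{1}/*_rules.xml".format(new_rules_path, rule)
 
-for ossec_rule in ossec_rules:
-# Do not copy folders or local_rules.xml
-if os.path.isfile(ossec_rule) and "local_rules.xml" not in ossec_rule:
-split = ossec_rule.split("/")
-filename = split[len(split) - 1]
-dest_file = "{0}/rules/{1}".format(ossec_path, filename)
-shutil.copyfile(ossec_rule, dest_file)
-os.chown(dest_file, root_uid, ossec_gid)
+new_rules = sorted(glob.glob(rules_path))
 
-else:
-src_file = "{0}/{1}/{1}_rules.xml".format(new_rules_path, rule)
-dest_file = "{0}/rules/{1}_rules.xml".format(ossec_path, rule)
-shutil.copyfile(src_file, dest_file)
-os.chown(dest_file, root_uid, ossec_gid)
+for new_rule in new_rules:
+# Do not copy folders or local_rules.xml
+if os.path.isfile(new_rule) and "local_rules.xml" not in new_rule:
+split = new_rule.split("/")
+filename = split[len(split) - 1]
+dest_file = "{0}/rules/{1}".format(ossec_path, filename)
+shutil.copyfile(new_rule, dest_file)
+os.chown(dest_file, root_uid, ossec_gid)
 
 
 def setup_roochecks(rootcheck):
@@ -885,9 +882,17 @@ def setup_ossec_conf(item, type_item):
 return
 
 if type_item == "rule":
-if not regex_in_file("\s*<include>{0}_rules.xml</include>".format(item), ossec_conf):
-logger.log("\t\tNew rule in ossec.conf: '{0}'.".format(item))
-write_before_line("<include>local_rules.xml</include>", ' <include>{0}_rules.xml</include>'.format(item), ossec_conf)
+
+if item == "amazon": # Special case
+new_items = ["amazon", "amazon-ec2", "amazon-iam"]
+else:
+new_items = [item]
+
+for new_item in new_items:
+if not regex_in_file("\s*<include>{0}_rules.xml</include>".format(new_item), ossec_conf):
+logger.log("\t\tNew rule in ossec.conf: '{0}'.".format(new_item))
+write_before_line("<include>local_rules.xml</include>", ' <include>{0}_rules.xml</include>'.format(new_item), ossec_conf)
+
 elif type_item == "rootcheck":
 if not regex_in_file("<rootcheck>", ossec_conf) or regex_in_file("\s*<rootcheck>\s*\n\s*<disabled>\s*yes", ossec_conf):
 logger.log("\t\tRootchecks disabled in ossec.conf -> no activate rootchecks.")
@@ -1021,7 +1026,7 @@ def clean_directory():
 
 def usage():
 msg = """
-OSSEC Wazuh Ruleset Update v2.3.2
+OSSEC Wazuh Ruleset Update v2.3.3
 Github repository: https://github.com/wazuh/ossec-rules
 Full documentation: http://documentation.wazuh.com/en/latest/ossec_ruleset.html
 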
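Review bot: In the `setup_ossec_conf` hunk the Amazon special case hardcodes `["amazon", "amazon-ec2", "amazon-iam"]`, while `setup_rules` in the hunk above now copies whatever matches `amazon/*_rules.xml`, so a rules file added to that directory later would be installed under `rules/` but never get an `<include>` in ossec.conf and would silently never load. Deriving the include list from the same glob keeps the two code paths in step and removes the duplicated knowledge. The pattern passed to `regex_in_file` is also a non-raw string containing `\s`, which newer Python versions warn about; `r"\s*<include>{0}_rules.xml</include>".format(re.escape(new_item))` avoids the warning and makes the match exact should a rule name ever contain regex metacharacters (`re` would need importing if it is not already). The enclosing function starts and continues outside the hunk.
```python
if item == "amazon":  # Special case: one directory holds several rules files
    amazon_rules = sorted(glob.glob("{0}/amazon/*_rules.xml".format(new_rules_path)))
    new_items = [os.path.basename(p)[:-len("_rules.xml")] for p in amazon_rules]
else:
    new_items = [item]
# … unchanged: include loop over new_items …
```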

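--- a/rootcheck/cis_rhel7_linux_rcl.txt
+++ b/rootcheck/cis_rhel7_linux_rcl.txt
@@ -26,18 +26,18 @@
 
 
 # CIS Checks for Red Hat / CentOS 6
-# Based on CIS Benchmark for Red Hat Enterprise Linux 6 v1.3.0
+# Based on CIS Benchmark for Red Hat Enterprise Linux 7 v1.1.0
 
 # RC scripts location
 $rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
 
 
-[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [http://www.ossec.net/]
+[CIS - Testing against the CIS Red Hat Enterprise Linux 7 Benchmark v1.1.0] [any required] [http://www.ossec.net/]
 f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 6;
-f:/etc/redhat-release -> r:^CentOS && r:release 6;
-f:/etc/redhat-release -> r:^Cloud && r:release 6;
-f:/etc/redhat-release -> r:^Oracle && r:release 6;
-f:/etc/redhat-release -> r:^Better && r:release 6;
+f:/etc/redhat-release -> r:^CentOS && r:release 7;
+f:/etc/redhat-release -> r:^Cloud && r:release 7;
+f:/etc/redhat-release -> r:^Oracle && r:release 7;
+f:/etc/redhat-release -> r:^Better && r:release 7;
 
 # 1.1.1 /tmp: partition
 [CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL7 -]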
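Review bot: The unchanged line 36, `f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 6;`, still matches release 6 while the four sibling conditions below it were moved to release 7. If `[any required]` means one of the listed conditions must hold before the RHEL7 checks run, as the header suggests, a genuine Red Hat Enterprise Linux 7 host would never satisfy the precondition and the whole benchmark would be skipped there, whereas CentOS/Cloud/Oracle/Better 7 would be detected; change it to `f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7;`. The header comment on line 28, `# CIS Checks for Red Hat / CentOS 6`, also still says 6 and could be updated to 7 in the same pass.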

rules-decoders/amazon-ec2/amazon-ec2_decoders.xml

Lines changed: 0 additions & 28 deletions
This file was deleted.

rules-decoders/amazon-ec2/amazon-ec2_instructions.md

Lines changed: 0 additions & 4 deletions
This file was deleted.

rules-decoders/amazon-iam/amazon-iam_instructions.md

Lines changed: 0 additions & 7 deletions
This file was deleted.
