Module/Rule.nxFileLine/Convert/Data.ps1
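# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

<#
    This is used to centralize the regEx patterns, note that the backslashes are
    escaped, a single "\s" would be represented as "\\s"

    The here-string below is parsed by ConvertFrom-StringData, so every pattern
    must stay on a single "name = value" line.

    NOTE(review): the <setting> group of nxFileLineContainsLine enumerates 1, 2,
    3, 4, 5 and 7 captured lines; a six-line variant is not listed. Confirm this
    is intended, otherwise a check with six setting lines is not captured.
#>
data regularExpression
{
    ConvertFrom-StringData -StringData @'
        nxFileLineContainsLine = (?:#|\\$\\s+sudo|#\\s+sudo)\\s+(?:egrep|grep|cat|more).*\\s+(?<filePath>(?!\\/etc\\/redhat-release)(?!\\/etc\\/issue)\\/[\\w.\\/-]*\\/[\\w.\\/-]*).*\\n(?<setting>.*\\n|.*\\n.*\\n|.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n.*\\n.*\\n.*\\n)If.*this is a finding
        nxFileLineContainsLineYumConf = #\\s+(?:grep|more|cat).*\\s+\\/etc\\/yum.conf\\s+(?<setting>.*)
        nxFileLineContainsLineAuditUbuntu = \\s*sudo\\s*aud(i)*tctl\\s*-l\\s*\\|.*\\n(?<setting>.*\\n|.*\\n.*\\n|.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n.*\\n)If.*this is a finding
        nxFileLineContainsLineExclude = The result must contain the following line:|If\\s+.*commented\\s+(?:out|line).*|#\\s+cat\\s+\\/etc\\/redhat-release|^The\\s+command\\s+will\\s+return\\s+the\\s+banner.*|^Check\\s+the\\s+specified\\s+banner\\s+file.*
        nxFileLineFilePathAudit = (?:#|\\$\\s+sudo|#\\s+sudo)\\s+(?:cat|grep|more).*(?<auditPath>\\/etc\\/audit\\/audit\\.rules).*
        nxFileLineFilePathUbuntuBanner = (?<ubuntuBanner>You are accessing a U.S. Government \\(USG\\) [^"]+(?<=details.))
        nxFileLineFilePathAuditUbuntu = \\s*sudo\\s*(?<auditPathUbuntu>aud(i)*tctl\\s*-l\\s*\\|)
        nxFileLineFilePathBannerUbuntu = Ubuntu.*#\\sgrep\\s-i\\sbanner\\s(?<bannerPathUbuntu>\\/[\\w.\\/-]*\\/[\\w.\\/-]*)
        nxFileLineFilePathTftp = #\\s+grep.*(?<tftpPath>\\/etc\\/xinetd\\.d\\/tftp).*
        nxFileLineFilePathRescue = #\\s+grep.*(?<rescuePath>\\/usr\\/lib\\/systemd\\/system\\/rescue\\.service).*
        nxFileLineFilePath = (?:#|\\$\\s+sudo|#\\s+sudo)\\s+(?:egrep|grep|cat|more).*\\s+(?<filePath>(?!\\/etc\\/redhat-release)\\/[\\w.\\/-]*\\/[\\w.\\/-]*)
        nxFileLineFooterDetection = ^If\\s+.*$
'@
}

<#
    The doesNotContainPattern variable is used by Get-nxFileLineDoesNotContainPattern

    Each key is the exact line a rule requires (the "contains line" text); each
    value is a regular expression describing lines that conflict with it, such
    as a commented-out copy or the same setting with a different value.

    The literal value 'DynamicallyGeneratedDoesNotContainPattern' is a
    placeholder, not a regex; presumably the consuming function builds the
    pattern for those keys at conversion time (confirm in
    Get-nxFileLineDoesNotContainPattern).

    A pattern that is too narrow leaves a conflicting, weaker line in the target
    file, so numeric ranges and anchors in this table are security relevant.
    Entries tagged "# Org" presumably carry organization-defined values (confirm).
#>
data doesNotContainPattern
{
    @{
        'active = yes' = '\s*active\s*=\s*no|active=yes|#\s*active\s*=.*'
        'Unattended-Upgrade::Remove-Unused-Dependencies "true";' = '\s*Unattended-Upgrade::Remove-Unused-Dependencies\s*("false"|false|true).*|#\s*Unattended-Upgrade::Remove-Unused-Dependencies.*'
        'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";' = '\s*Unattended-Upgrade::Remove-Unused-Kernel-Packages\s*("false"|false|true).*|#\s*Unattended-Upgrade::Remove-Unused-Kernel-Packages.*'
        'session required pam_lastlog.so showfailed' = '^\s*session\s*(?!required)\w*\s*pam_lastlog\.so.*|#\s*session\s*\w*\s*pam_lastlog\.so.*|^\s*session(?:\t+|\s{2,})required(?:\t+|\s{2,})pam_lastlog\.so.*'
        # NOTE(review): \w* cannot consume a leading '-', so the credit patterns
        # below match non-negative values only; other negative values are not matched.
        'ucredit=-1' = '^#\s*ucredit.*$|^ucredit\s*=\s*(?!-1\b)\w*$'
        'ucredit = -1' = '^#\s*ucredit.*$|^ucredit\s*=\s*(?!-1\b)\w*$'
        'lcredit=-1' = '^#\s*lcredit.*$|^lcredit\s*=\s*(?!-1\b)\w*$'
        'lcredit = -1' = '^#\s*lcredit.*$|^lcredit\s*=\s*(?!-1\b)\w*$'
        'dcredit=-1' = '^#\s*dcredit.*$|^dcredit\s*=\s*(?!-1\b)\w*$'
        'dcredit = -1' = '^#\s*dcredit.*$|^dcredit\s*=\s*(?!-1\b)\w*$'
        'difok = 8' = '^\s*difok\s*=\s*(-|)[0-7]$|#\s*difok\s*=.*|difok\s+=\s+.*' # Org
        'difok=8' = '^\s*difok\s*=\s*(-|)[0-7]$|#\s*difok\s*=.*|difok\s+=\s+.*' # Org
        'PASS_MIN_DAYS 1' = '^\s*PASS_MIN_DAYS\s*[0]*$|#\s*PASS_MIN_DAYS.*' # Org
        # NOTE(review): matches 0-59 and commented lines only; a line with a value
        # above 60 (a longer password lifetime) is not matched. Confirm intent.
        'PASS_MAX_DAYS 60' = '^\s*PASS_MAX_DAYS\s*([0-9]|[1-5][0-9])$|#\s*PASS_MAX_DAYS.*' # Org
        # Two-digit branch covers 10-14; it previously read [1][1-4], which let
        # "minlen = 10" through unmatched.
        'minlen=15' = '^\s*minlen\s*=\s*([0-9]|[1][0-4])$|#\s*minlen.*' # Org
        'minlen = 15' = '^\s*minlen\s*=\s*([0-9]|[1][0-4])$|#\s*minlen.*' # Org
        'dictcheck=1' = '^\s*dictcheck\s*=\s*((?!1)|[1]\d+)\d*$|#\s*dictcheck.*'
        'enforcing = 1' = '^\s*enforcing\s*=\s*((?!1)|[1]\d+)\d*$|#\s*enforcing.*'
        'ocredit=-1' = '^#\s*ocredit.*$|^ocredit\s*=\s*(?!-1)\w*$'
        'ocredit = -1' = '^#\s*ocredit.*$|^ocredit\s*=\s*(?!-1)\w*$'
        '* hard maxlogins 10' = '^\s*\*\s*hard\s*maxlogins\s*([1][1-9]|[2-9]\d+|[1-9][0-9]\d+)$|^#\s*\*\s*hard\s*maxlogins.*'
        # NOTE(review): matches an empty value and 0-899; a timeout above 900 is not matched.
        'TMOUT=900' = '^\s*TMOUT\s*=\s*[0-8]?[0-9]?[0-9]?$|^#\s*TMOUT.*' # Org
        'readonly TMOUT' = '^\s*readonly\s+(?!TMOUT\b).*$|^\s*#\s*readonly.*$' # Org
        'export TMOUT' = '^\s*export\s+(?!TMOUT\b).*$|^\s*#\s*export.*$' # Org
        # NOTE(review): matches an empty value and 0-599; an interval above 600 is not matched.
        'ClientAliveInterval 600' = '^\s*ClientAliveInterval\s*[0-5]?[0-9]?[0-9]?\s*$|^#\s*ClientAliveInterval.*|^\s*ClientAliveInterval\s*$'
        'Protocol 2' = '^#\s*Protocol.*$|^Protocol\s*(?!2\b)\w*$'
        'ClientAliveCountMax 0' = '^#\s*ClientAliveCountMax.*$|^ClientAliveCountMax\s*(?!0\b)\w*$'
        'ClientAliveCountMax 1' = '^#\s*ClientAliveCountMax.*$|^ClientAliveCountMax\s*(?!1\b)\w*$'
        'PermitEmptyPasswords no' = '^#\s*PermitEmptyPasswords.*$|^PermitEmptyPasswords\s*(?!no\b)\w*$'
        'PermitUserEnvironment no' = '^#\s*PermitUserEnvironment.*$|^PermitUserEnvironment\s*(?!no\b)\w*$'
        'UMASK 077' = '^\s*UMASK(?!\s077\b)\s*\d*\s*$|^#\s*UMASK.*'
        # NOTE(review): only the first algorithm after "MACs" is inspected, and only
        # when it starts with "hmac-"; other lists are not matched.
        'MACs hmac-sha2-512,hmac-sha2-256' = '#\s*MACs.*|\s*MACs\s*hmac-(?!sha2-512).*'
        'minclass = 4' = 'DynamicallyGeneratedDoesNotContainPattern'
        'FAIL_DELAY 4' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        # NOTE(review): this key reads "creat F exit=-EPERM" (no dash before F) while
        # the b64 counterpart reads "-F exit=-EPERM". Left unchanged because the key
        # may have to match the source check text verbatim; verify against it.
        '-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S create_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S delete_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S finit_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S init_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S create_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S delete_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S finit_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S init_module -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' = 'DynamicallyGeneratedDoesNotContainPattern'
        'action_mail_acct = root' = 'DynamicallyGeneratedDoesNotContainPattern'
        'AutomaticLoginEnable=false' = 'DynamicallyGeneratedDoesNotContainPattern'
        'banner /etc/issue' = 'DynamicallyGeneratedDoesNotContainPattern'
        'banner-message-enable=true' = 'DynamicallyGeneratedDoesNotContainPattern'
        'cert_policy = ca, ocsp_on, signature;' = 'DynamicallyGeneratedDoesNotContainPattern'
        # NOTE(review): matches commented lines and lists that begin with aes128-ctr
        # or aes192-ctr; a Ciphers line beginning with any other algorithm is not matched.
        'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' = '^#\s*Ciphers.*|^\s*Ciphers\s*aes128-ctr.*|^\s*Ciphers\s*aes192-ctr.*'
        'clean_requirements_on_remove=1' = 'DynamicallyGeneratedDoesNotContainPattern'
        'Compression delayed' = '^#\s*Compression.*$|^Compression\s*(?!delayed\b)\w*$'
        'CREATE_HOME yes' = '^#\s*CREATE_HOME.*$|^CREATE_HOME\s*(?!yes\b)\w*$|^CREATE_HOME\t.*'
        'crypt_style = sha512' = 'DynamicallyGeneratedDoesNotContainPattern'
        'direction = out' = 'DynamicallyGeneratedDoesNotContainPattern'
        'disk_full_action = single' = 'DynamicallyGeneratedDoesNotContainPattern'
        'enable_krb5 = yes' = 'DynamicallyGeneratedDoesNotContainPattern'
        'ENCRYPT_METHOD SHA512' = 'DynamicallyGeneratedDoesNotContainPattern'
        'ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' = 'DynamicallyGeneratedDoesNotContainPattern'
        'format = string' = 'DynamicallyGeneratedDoesNotContainPattern'
        'gpgcheck=1' = 'DynamicallyGeneratedDoesNotContainPattern'
        'GSSAPIAuthentication no' = '^#\s*GSSAPIAuthentication.*$|^GSSAPIAuthentication\s*(?!no\b)\w*$'
        'HostbasedAuthentication no' = '^#\s*HostbasedAuthentication.*$|^HostbasedAuthentication\s*(?!no\b)\w*$'
        'idle-activation-enabled=true' = 'DynamicallyGeneratedDoesNotContainPattern'
        'IgnoreRhosts yes' = '^#\s*IgnoreRhosts.*$|^IgnoreRhosts\s*(?!yes\b)\w*$'
        'IgnoreUserKnownHosts yes' = '^#\s*IgnoreUserKnownHosts.*$|^IgnoreUserKnownHosts\s*(?!yes\b)\w*$'
        'INACTIVE=0' = '^#\s*INACTIVE.*$|^INACTIVE\s*=\s*(?!0\b)[-]*\w*$'
        'KerberosAuthentication no' = '^#\s*KerberosAuthentication.*$|^KerberosAuthentication\s*(?!no\b)\w*$'
        'localpkg_gpgcheck=1' = 'DynamicallyGeneratedDoesNotContainPattern'
        'lock-enabled=true' = 'DynamicallyGeneratedDoesNotContainPattern'
        'maxclassrepeat = 4' = 'DynamicallyGeneratedDoesNotContainPattern'
        'maxrepeat = 3' = 'DynamicallyGeneratedDoesNotContainPattern'
        'name_format = hostname' = '^#\s*name_format.*$|^name_format\s*=\s*(?!hostname$)\w*$'
        'network_failure_action = syslog' = 'DynamicallyGeneratedDoesNotContainPattern'
        'overflow_action = syslog' = '^#\s*overflow_action.*$|^overflow_action\s*=\s*(?!syslog$)\w*$'
        'password substack system-auth' = '^\s*password(?:\t*|\s*)substack\tsystem-auth\s*$|^#\s*password\s*substack\s*system-auth.*'
        'path = /sbin/audisp-remote' = 'DynamicallyGeneratedDoesNotContainPattern'
        'PermitRootLogin no' = '^#\s*PermitRootLogin.*$|^PermitRootLogin\s*(?!no\b)\w*$'
        'PrintLastLog yes' = '^#\s*PrintLastLog.*$|^PrintLastLog\s*(?!yes\b)\w*$'
        'remote_server = 10.0.21.1' = 'DynamicallyGeneratedDoesNotContainPattern'
        'RhostsRSAAuthentication no' = '^#\s*RhostsRSAAuthentication.*$|^RhostsRSAAuthentication\s*(?!no\b)\w*$'
        'SELINUX=enforcing' = '^#\s*SELINUX.*$|^SELINUX\s*=\s*(?!enforcing\b)\w*$'
        'SELINUXTYPE=targeted' = '^#\s*SELINUXTYPE.*$|^SELINUXTYPE\s*=\s*(?!targeted\b)\w*$'
        'server_args = -s /var/lib/tftpboot' = 'DynamicallyGeneratedDoesNotContainPattern'
        'space_left_action = email' = '^#\s*space_left_action.*$|^space_left_action\s*=\s*(?!email$)\w*$'
        'StrictModes yes' = '^#\s*StrictModes.*$|^StrictModes\s*(?!yes\b)\w*$'
        'There should be at least three lines returned.' = 'DynamicallyGeneratedDoesNotContainPattern'
        'This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").' = 'DynamicallyGeneratedDoesNotContainPattern'
        'TimedLoginEnable=false' = 'DynamicallyGeneratedDoesNotContainPattern'
        'type = always' = 'DynamicallyGeneratedDoesNotContainPattern'
        'UsePrivilegeSeparation sandbox' = '^#\s*UsePrivilegeSeparation.*$|^UsePrivilegeSeparation\s*(?!sandbox\b)\w*$'
        '-w /etc/group -p wa -k identity' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/gshadow -p wa -k identity' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/passwd -p wa -k identity' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/security/opasswd -p wa -k identity' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/shadow -p wa -k identity' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/sudoers -p wa -k privileged-actions' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/sudoers.d/ -p wa -k privileged-actions' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /var/log/lastlog -p wa -k logins' = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /var/run/faillock -p wa -k logins' = 'DynamicallyGeneratedDoesNotContainPattern'
        'X11Forwarding yes' = '^#\s*X11Forwarding.*$|^X11Forwarding\s*(?!yes\b)\w*$'
        'X11Forwarding no' = '^#\s*X11Forwarding.*$|^X11Forwarding\s*(?!no\b)\w*$'
    }
}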