| Cat | Sensor | Name | Audit | Countermeasure |
|---|---|---|---|---|
| App | app_custom.sh | Custom Application Sensor | Definable | Definable |
| Disk | disk_ckspace.sh | Filesystem Space Sensor | Adequate free blocks/inodes on local filesystems. | None |
| | disk_ckmounts.sh | Filesystems Mount Table Sensor | No change in filesystems mount table. | Definable |
| File | file_grp_fields.sh | Group Fields Sensor | There are 4 fields in every record in /etc/group. | None |
| | file_grp_uniq_gid.sh | Unique Group GIDs Sensor | All GIDs in /etc/group are unique. | Ignore previously reported. |
| | file_grp_uniq_name.sh | Unique Group Names Sensor | All Group Names in /etc/group are unique. | Ignore previously reported. |
| | file_grp_users.sh | Valid Group Users Sensor | Every user in /etc/group is a valid user. | Ignore previously reported. |
| | file_hugedir.sh | Huge Directory Sensor | There are no new huge directories. | Ignore previously reported. |
| | file_large.sh | Large File Sensor | There are no new large files. | Ignore previously reported. |
| | file_orphans.sh | Orphan Files Sensor | All files are owned by valid users. | Reset ownership of orphan files. |
| | file_pwd_fields.sh | Passwd Fields Sensor | There are 7 fields in every record in /etc/passwd. | None |
| | file_pwd_gid.sh | Valid Passwd GIDs Sensor | Every /etc/passwd GID is a valid group. | None |
| | file_pwd_home.sh | Valid Passwd Home Dirs Sensor | Every /etc/passwd home directory is valid. | Create directory or ignore if previously reported. |
| | file_pwd_shell.sh | Valid Passwd Shells Sensor | Every /etc/passwd shell is an expected value. | Ignore previously reported. |
| | file_unwanted.sh | Unwanted File Sensor | Verify that certain files do not exist. | None |
| | file_wanted.sh | Wanted File Sensor | Verify that certain files do exist. | None |
| | file_watchlog.sh | Log Content Sensor | There is nothing unusual about the contents of a log. | None |
| Me | me_autoupdate.sh | Auto Update Sensor | OSsonar is up-to-date. | None |
| | me_ckconfig.sh | OSsonar Configuration Sensor | No problems with config file. | None |
| | me_ckfilemaster.sh | Verify Master File Table Sensor | Master File Table is being created. | None |
| | me_cksum.sh | OSsonar Intrusion Sensor | Application is secure. | None |
| | me_mkfilemaster.sh | Create File Master Table Sensor | Create a new File Master Table. | None |
| | me_ruthere.sh | Remote Watchdog Sensor | All remotes are up. | None |
| | me_syslog.sh | Syslog Facility Sensor | No messages of concern in the syslog facility. | None |
| Network | net_ckroutetab.sh | Network Routing Tables Sensor | No change in the network routing tables. | Accept new table. |
| | net_cksvcs.sh | Network Port Services Sensor | No change in the network port services. | None |
| | net_no_netrc.sh | Home Dir .netrc Sensor | No users have .netrc in their home directory. | Ignore previously reported. |
| | net_no_rhosts.sh | Home Dir .rhosts Sensor | No user has .rhosts in their home directory. | Ignore previously reported. |
| | net_ping.sh | Host Ping Sensor | All defined hosts can be pinged. | None |
| | net_untrusted_svcs.sh | Untrusted Network Services Sensor | Untrusted network services are disabled. | None |
| Perf | perf_alrttest.sh | Test Alert Sensor | The Alert Manager is working. | None |
| | perf_ckmailq.sh | Mail Queue Size Sensor | The size of the mail queue is nominal. | None |
| | perf_ckmysql.sh | MySQL Response Sensor | MySQL is responding. | Definable |
| | perf_cknetints.sh | Network Interfaces Sensor | No performance problems with network interface cards. | None |
| | perf_ckswap.sh | Swap Space Sensor | No problems with swap space usage. | None |
| | perf_loadavg.sh | System Load Average Sensor | System load average is less than a defined threshold. | Definable |
| | perf_webpages.sh | Web Pages Up Sensor | All defined URLs are responding. | None |
| Process | proc_all_up.sh | Daemons Up Sensor | All daemons are up. | Restart failed daemons. |
| | proc_killstalled.sh | Stalled Processes Sensor | There are no stalled processes. | Kill stalled processes. |
| | proc_orphans.sh | Orphan Processes Sensor | All processes are owned by a current user. | Kill all orphan processes. |
| | proc_runaway.sh | Runaway Processes Sensor | There are no runaway processes. | Kill runaway process. |
| | proc_unwanted.sh | Unwanted Processes Sensor | There are no unwanted processes. | Kill unwanted processes. |
| Security | sec_ckintrusion.sh | Intrusion Detection Sensor | No change to secured directories/files. | None |
| | sec_ckrootkit.sh | Rootkit Sensor | There are no rootkits installed. | Accept new checksums. |
| | sec_clamscan.sh | Virus Sensor | Clamscan reports no viruses. | Empty scan list when completed. |
| | sec_failedlogins.sh | Failed Logins Sensor | There are no patterns of failed logins of concern. | None |
| | sec_failedsu.sh | Failed SU Sensor | There are no patterns of failed su attempts of concern. | None |
| | sec_nfsdirs.sh | Secure NFS Sensor | All NFS exported dirs are configured to be secure. | None |
| | sec_rogue_dev.sh | Rogue Devices Sensor | There are no rogue device files. | Ignore previously reported. |
| | sec_sshapf.sh | SSH Attack Sensor | No one is using ssh to attack this system. | Put the attacker in /etc/apf/deny_hosts.rules |
| | sec_stickybit.sh | Sticky Bit Directories Sensor | No sticky bit directory has lost the sticky bit. | None |
| | sec_suid_sgid.sh | SUID/SGID Files Sensor | There are no new SUID/SGID files. | Ignore previously reported. |
| | sec_webpages.sh | Web Page Change Sensor | All defined URLs have not changed. | None |
| | sec_world_writable.sh | World Writable Files Sensor | There are no new world writable files. | Ignore previously reported. |
| System | sys_ckboot.sh | System Rebooted Sensor | No recent system reboot. | None |
| | sys_ckhostname.sh | Hostname Changed Sensor | The hostname has not changed. | None |
| | sys_ckmailbox.sh | Mail Box Sensor | Mail is being delivered. | Definable |
| | sys_cktime.sh | System Time Sensor | System time is reasonable. | None |
| | sys_rmtrash.sh | Trash Files Sensor | There are no trash files on the system. | Remove trash files. |
| | sys_maildelivery.sh | Mail Delivery Sensor | Mail is being delivered. | Definable |
| | sys_tarbkup.sh | System Backup Sensor | This is the system backup manager. | None |
| | sys_trimlogs.sh | Trim System Logs Sensor | Audit size of system logs. | Trim the System Logs. |
| User | usr_cons_login.sh | Root Only On Console Sensor | Root can only log in from console. | None |
| | usr_mailbox.sh | Secure Mailboxes Sensor | All mailboxes are owned and permissioned correctly. | Fix owner and/or permissions. |
| | usr_noage.sh | Password Aging Sensor | All users have password aging. | Ignore previously reported. |
| | usr_nologin.sh | New Login Sensor | There are no new users logged in. | None |
| | usr_nopwd.sh | Password Sensor | Every user has a password. | None |
| | usr_pwd_no_acct.sh | Unwanted Users Sensor | Certain logins are not in /etc/passwd. | None |
| | usr_pwd_shadowed.sh | Shadowed Passwords Sensor | All passwords are shadowed. | Ignore previously reported. |
| | usr_suid_shell.sh | SUID/SGID Login Shells Sensor | There are no SUID/SGID login shells. | Ignore previously reported. |
| | usr_uniq_home.sh | Unique Home Directories Sensor | Every user has a unique home directory. | Ignore previously reported. |
| | usr_uniq_uid.sh | Unique Login UIDs Sensor | All UIDs in /etc/passwd are unique. | Ignore previously reported. |
| | usr_uniq_usrname.sh | Unique Login Names Sensor | All /etc/passwd login names are unique. | None |