BigFix Compliance: Misconfigurations

Hello,

This is my first post in this forum, but I have gotten a lot of help before just by reading. I’ve come across some issues with some of the checklists for BigFix Compliance. In this post I will refer to “PCI DSS Checklist for Windows 2016”. In this site, there are a couple of fixlets that are configured incorrectly. As an example:
“Verify that certificates in use are not self-signed certificates”. The relevance check looks like this:

not exists 1 whose(1 = number of values "SendTrustedIssuerList" whose((("1")=(if it ends with "%00" then preceding text of last "%00" of it else if it ends with "%00%00" then preceding text of last "%00%00" of it else it))of((it as string)of it)and((type of it = "REG_SZ")or(type of it = "REG_MULTI_SZ")or(type of it = "REG_EXPAND_SZ")))of keys "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" of keys "HKEY_LOCAL_MACHINE" of native registry)

And the mitigation in the action script looks like this:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"  /v SendTrustedIssuerList /f /d 1

The problem here is the value type(s). In the relevance it’s looking for REG_SZ, REG_MULTI_SZ and REG_EXPAND_SZ, and the action script creates a value of type REG_SZ. For this setting to be configured correctly, the value type must be REG_DWORD.

The same issue exists in the “PCI DSS Checklist for Windows 2012”. I’ve been looking around and I cannot see that anyone else has reported these issues. I read “How to ask for IBM product help: PMRs, RFEs, and more”, and this should be step one. The next step is for me to identify all misconfigured fixlets and tasks and report them to IBM.

Has anyone come across the same kind of issues in other sites?

Thanks for listening (reading)!

Update
I have now opened a case with IBM regarding this: TS000839734

1 Like
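As an added illustration of the point made in the post above (this is example code, not part of the original post and not from the BigFix PCI site), the following PowerShell audits the SCHANNEL value the way the fixlet's relevance should, checking the value kind as well as the data, and then demonstrates against a scratch key under HKCU why the checklist's `reg add` without `/t` produces a non-compliant REG_SZ "1" while the corrected command with `/t REG_DWORD` produces the intended setting. The scratch key name `HKCU:\Software\SchannelTypeDemo` is an arbitrary choice made for this example so that the real SCHANNEL key is never modified.

```powershell
# Added example (not from the original post): check SendTrustedIssuerList the
# way the fixlet's relevance should. A REG_SZ "1" is NOT the same setting as a
# REG_DWORD 1; only the DWORD form is what the SCHANNEL provider reads.
function Test-SendTrustedIssuerList {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL',
        [string]$Name = 'SendTrustedIssuerList'
    )
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Kind = '(key missing)'; Data = $null; Compliant = $false }
    }
    # Registry value names are case-insensitive, as is -notcontains in PowerShell.
    if ($key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Kind = '(value missing)'; Data = $null; Compliant = $false }
    }
    $kind = $key.GetValueKind($Name)   # REG_SZ -> String, REG_DWORD -> DWord, ...
    $data = $key.GetValue($Name)
    [pscustomobject]@{
        Path      = $Path
        Name      = $Name
        Kind      = $kind
        Data      = $data
        # Compliant only when the kind is DWORD AND the data is 1; the kind test
        # comes first so a REG_SZ "1" is rejected regardless of its content.
        Compliant = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq 1)
    }
}

# Corrected remediation in native PowerShell: -PropertyType DWord with -Force
# replaces an existing value of the wrong kind instead of keeping its old type.
function Set-SendTrustedIssuerList {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL',
        [string]$Name = 'SendTrustedIssuerList'
    )
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Test-SendTrustedIssuerList -Path $Path -Name $Name
}

# Demonstration against a scratch key so the real SCHANNEL key is untouched.
# The key name below is constructed for this example.
$Scratch    = 'HKCU:\Software\SchannelTypeDemo'
$ScratchReg = 'HKCU\Software\SchannelTypeDemo'   # reg.exe spelling of the same path
New-Item -Path $Scratch -Force | Out-Null

# 1. What the checklist's action script does: no /t, so reg.exe defaults to REG_SZ.
reg.exe add $ScratchReg /v SendTrustedIssuerList /f /d 1 | Out-Null
Test-SendTrustedIssuerList -Path $Scratch | Format-List Kind, Data, Compliant   # Kind: String, Compliant: False

# 2. The corrected action script: the type is stated explicitly.
reg.exe add $ScratchReg /v SendTrustedIssuerList /t REG_DWORD /f /d 1 | Out-Null
Test-SendTrustedIssuerList -Path $Scratch | Format-List Kind, Data, Compliant   # Kind: DWord, Compliant: True

# 3. Same outcome via the PowerShell remediation function.
Set-SendTrustedIssuerList -Path $Scratch | Format-List Kind, Data, Compliant

Remove-Item -Path $Scratch -Recurse -Force

# To audit the live setting (read-only, no elevation needed):
# Test-SendTrustedIssuerList
```

Run the audit part against the real key with plain `Test-SendTrustedIssuerList` before and after the checklist's fixlet has been applied: if the action script ran as originally shipped, the result shows `Kind: String` and `Compliant: False`, which is exactly the mismatch the post describes, and the relevance that accepts REG_SZ/REG_MULTI_SZ/REG_EXPAND_SZ would nevertheless report the endpoint as compliant.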

Some more update:
I was informed that this most likely will be fixed and released on May 23. So be prepared to sync your custom checklists!

This is now solved in:
site version of PCI DSS Checklist for Windows 2016: 2
site version of PCI DSS Checklist for Windows 2012: 13

Please see “IBM BigFix Compliance PCI Add-on: Updated PCI DSS Checklist for Windows 2012 and Windows 2016”, published 2018-05-23, for more details.

1 Like