SCM audit settings fixlet relevance returning wrong results

(imported topic written by VadimRomanov)

Hi

I’ve built a custom checklist for our company’s server hardening policy. Some of the checks I’ve used are DISA STIG 2003/2008 “Auditing records are configured as required” checks.

Their relevance expression is (specifically for object access):

not exists 1 whose ((((if bit 0 of (2 as bit set) then item 0 of it else True) and (if bit 1 of (2 as bit set) then item 1 of it else True))) of (if exists select object "* from RSOP_AuditPolicy where Category = 'AuditObjectAccess' and precedence = 1" of rsop computer wmi then (boolean value of property "Failure" of it, boolean value of property "Success" of it) of select object "* from RSOP_AuditPolicy where Category = 'AuditObjectAccess' and precedence = 1" of rsop computer wmi else (if exists audit policy then (((conjunction of (audit success of it) of system policies of subcategories of it), (conjunction of (audit failure of it) of system policies of subcategories of it)) of categories whose (name of it as lowercase = "Object Access" as lowercase) of audit policy) else if exists key "HKLM\SECURITY\Policy\PolAdtEv" of native registry then ((bit 0 of it, bit 1 of it) of (it as bit set) of hexadecimal integer (following text of position 24 of preceding text of position 26 of (value of key "HKLM\SECURITY\Policy\PolAdtEv" of native registry as string))) else error "unable to read setting")))

This relevance expression should return FALSE on all servers where object access auditing is set to “failure”.

The problem is that it returns TRUE on servers where object access auditing is set by GPO. Servers where the GPO doesn’t apply return FALSE as required.

I can’t understand where exactly the check fails (I’m not as savvy in BigFix relevance language as I’d like to be :slight_smile:).

I need the check to return FALSE on ALL servers on which the object access auditing is set to “failure only”, regardless of whether it’s applied by GPO, local security policy or registry setting.

Some help will be appreciated.

Thanks!

Vadim Romanov
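The quoted expression hard-codes the mask 2, consults RSOP_AuditPolicy first, and otherwise takes the conjunction of the Object Access subcategories. This Python model (an added example, not BigFix or DISA code) reproduces that evaluation over constructed auditpol /r output with placeholder GUIDs, keeping each branch's tuple order exactly as quoted, so the outcome can be tested branch by branch.

```python
"""Model of the DISA 'Auditing records are configured as required' relevance
quoted in the question (added example; not BigFix or DISA code)."""
import csv
import io
from typing import Dict, Optional, Tuple

# Constructed output of: auditpol /get /category:"Object Access" /r
# (hypothetical host with failure-only auditing; GUIDs are placeholders).
AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,File System,{00000000-0000-0000-0000-000000000001},Failure,
SRV01,System,Registry,{00000000-0000-0000-0000-000000000002},Failure,
SRV01,System,Kernel Object,{00000000-0000-0000-0000-000000000003},Failure,
"""


def parse_auditpol_csv(text: str) -> Dict[str, Tuple[bool, bool]]:
    """Map subcategory name -> (audit success, audit failure)."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        setting = row["Inclusion Setting"]  # e.g. "Success and Failure", "No Auditing"
        result[row["Subcategory"]] = ("Success" in setting, "Failure" in setting)
    return result


def category_pair(subs: Dict[str, Tuple[bool, bool]]) -> Tuple[bool, bool]:
    """Audit-policy branch as quoted: (conjunction of success, conjunction of
    failure) over the category's subcategories; item 0 = success, item 1 = failure."""
    return (all(s for s, _ in subs.values()), all(f for _, f in subs.values()))


def check_is_relevant(mask: int, pair: Tuple[bool, bool]) -> bool:
    """'not exists 1 whose ((if bit 0 of mask then item 0 of it else True) and
    (if bit 1 of mask then item 1 of it else True))'. True means the bits the
    mask requires are NOT all satisfied, i.e. the fixlet is relevant."""
    satisfied = (pair[0] if mask & 1 else True) and (pair[1] if mask & 2 else True)
    return not satisfied


def evaluate(mask: int, rsop_failure_success: Optional[Tuple[bool, bool]],
             auditpol_csv: str) -> bool:
    """Branch order of the quoted expression: when RSOP_AuditPolicy answers, its
    tuple is (Failure, Success) as quoted; otherwise fall back to subcategories."""
    if rsop_failure_success is not None:
        return check_is_relevant(mask, rsop_failure_success)
    return check_is_relevant(mask, category_pair(parse_auditpol_csv(auditpol_csv)))
```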

(imported comment written by VadimRomanov)

Anyone know?

I forgot to mark the post as a question, but it doesn’t mean an answer won’t be welcome :slight_smile:

Vadim

(imported comment written by VadimRomanov)

Nevermind, I figured it out.

Turns out it’s a bit different on Windows 2003 and 2008 because of the addition of subcategory auditing in 2008, making the registry portion of the check return a wrong result since it’s now looking in the wrong place.

Thanks anyhow :slight_smile:

(imported comment written by Eric Walker)

Hi Vadim,

My apologies for not getting back to you sooner. Yes, the relevance is hard to understand; it takes a while to get up to speed on it. I’m glad you were able to figure something out.

We will be releasing new DISA content before too long which handles audit categories and subcategories a little differently now. You may find the new checks of interest when they come out.

All the best,

Eric