Server 2012 R2 domain controllers not relevant to DISA STIG site

We recently ran into a problem with our DISA STIG site for Windows Server 2012 Domain Controllers. The 2012 R2 domain controllers had been reporting back to BigFix Compliance but stopped recently. In Compliance the results changed to Not Relevant for every item being checked.

Looking at the fixlet ‘Applicability – Microsoft Windows Server 2012 (A)’ that is on the 2012 DC site, it is no longer relevant to any computers. There are two relevance statements on the fixlet, and the first one looks like it still works correctly to find 2012/2012 R2 domain controllers.

The second statement appears to be the problem. The statement is:
(version of client >= "8.2.1409.0") and
((((if windows of it then "windows" else if unix of it then "unix" else if mac of it then "macos" else "undefined") of operating system = "windows")
and exists (concatenation ", " of (it as string) of (exist matches (regex "^[a-zA-Z0-9()\s]*2012[a-zA-Z0-9()\s]*$") of (if type of it = "REG_EXPAND_SZ" or type of it = "REG_MULTI_SZ" then preceding text of first "%00" of (it as string) else if type of it = "REG_NONE" then (it as string) of (hexadecimal integer (it as string)) else it as string) of it) of values "ProductName" of keys "SOFTWARE\Microsoft\Windows NT\CurrentVersion" of keys "HKEY_LOCAL_MACHINE" of native registry) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it > 0))
and not (exists (concatenation ", " of (it as string) of (exist matches (regex "^[a-zA-Z0-9()\s]*2012 [rR]2[a-zA-Z0-9()\s]*$") of (if type of it = "REG_EXPAND_SZ" or type of it = "REG_MULTI_SZ" then preceding text of first "%00" of (it as string) else if type of it = "REG_NONE" then (it as string) of (hexadecimal integer (it as string)) else it as string) of it) of values "ProductName" of keys "SOFTWARE\Microsoft\Windows NT\CurrentVersion" of keys "HKEY_LOCAL_MACHINE" of native registry) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it > 0)))

I used it to create an automatic group, and the only result is that it finds 2012 member servers. It does not find the 2012 R2 member servers and does not find 2012 R2 domain controllers.

Has anyone else noticed this recently with their DISA STIG for Windows 2012 DC site?
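The second relevance statement boils down to three checks: a minimum client version, an "is this Windows" test, and a ProductName test that requires a match on the plain `2012` regex while rejecting a match on the `2012 [rR]2` regex. As an added example (Python, not from the original post and not BigFix's own code), here is that logic re-implemented over constructed ProductName strings, with the `*` quantifiers written out explicitly since forum formatting tends to strip them from the posted regexes. The sample product names and the client version are constructed values, not read from any endpoint.

```python
import re

# The two regexes from the fixlet's second relevance statement, with the
# "*" quantifiers written out (forum formatting tends to eat them).
RE_2012 = re.compile(r"^[a-zA-Z0-9()\s]*2012[a-zA-Z0-9()\s]*$")
RE_2012_R2 = re.compile(r"^[a-zA-Z0-9()\s]*2012 [rR]2[a-zA-Z0-9()\s]*$")

# Minimum client version required by the first clause of the statement.
MIN_CLIENT_VERSION = (8, 2, 1409, 0)


def parse_version(version: str) -> tuple:
    """Turn "9.5.0.0" into (9, 5, 0, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def client_version_ok(version: str) -> bool:
    """Mirror of: version of client >= "8.2.1409.0"."""
    return parse_version(version) >= MIN_CLIENT_VERSION


def any_product_name_matches(product_names, pattern) -> bool:
    """Mirror of the relevance's 'exists (concatenation ", " of booleans) whose
    (... whose (it as boolean) of it > 0)': true when at least one ProductName
    value matches the pattern."""
    return any(pattern.search(name) is not None for name in product_names)


def applicability(product_names, client_version, is_windows=True) -> bool:
    """Boolean result of the whole second relevance statement for one endpoint."""
    if not client_version_ok(client_version) or not is_windows:
        return False
    has_2012 = any_product_name_matches(product_names, RE_2012)
    has_2012_r2 = any_product_name_matches(product_names, RE_2012_R2)
    # Plain 2012 must match AND the R2 pattern must NOT match.
    return has_2012 and not has_2012_r2


# Constructed ProductName values (not taken from any real endpoint) and a
# constructed client version, used only to show which strings the statement accepts.
SAMPLE_PRODUCT_NAMES = [
    "Windows Server 2012 Standard",
    "Windows Server 2012 Datacenter",
    "Windows Server 2012 R2 Standard",
    "Windows Server 2012 R2 Datacenter",
    "Windows Server 2008 R2 Standard",
    "Windows Server 2016 Datacenter",
]
SAMPLE_CLIENT_VERSION = "9.5.0.0"


def evaluate_samples() -> dict:
    """Evaluate the statement for each sample as if it were the endpoint's only ProductName."""
    return {
        name: applicability([name], SAMPLE_CLIENT_VERSION)
        for name in SAMPLE_PRODUCT_NAMES
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{result!s:5}  {name}")
```

Worth noting when reading the output: a string such as "Windows Server 2012 R2 Standard" satisfies the first regex as well (every character of " R2 Standard" is in the allowed class), so it is the `and not (...)` clause alone that decides the R2 result; the first regex by itself does not tell 2012 and 2012 R2 apart.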
