Unreadable document

(imported topic written by makousks91)

I have a task that will run: secedit /export /cfg "path and file name"

It produces the information I want, an export of the local security policy.

I can read the document locally.

If I try using the relevance debugger to read lines out of the file I get garbage.

Anyone have any ideas, why I can’t read the file with the debugger?

Should I expect the same results if I just write the relevance language and run it, without testing?

This is true even if I run the command locally.

(imported comment written by JasonO91)

Steve,

Secedit exports the file as unicode, so when you open it in notepad, it shows correctly. When you open it with a tool that doesn’t automatically convert it from unicode, you see garbage. To convert the text file into something that you can use with BigFix simply run the following command:

type somefile.txt > somefile2.txt

Type will convert the file to plain text and you can use BigFix from there.

Jason

(imported comment written by makousks91)

Thanks that worked.

Now…

If I use the relevance debugger and type:

lines containing "SeNetworkLogonRight" of file "secnew.txt" of folder "c:"

It returns:

SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551

What I want is to know if that line contains the SID(s) we want.

Can I get some help with the relevance language?

Here is what I want in English:

If the file c:\secnew.txt contains a line with the value “SeNetworkLogonRight” in it AND

that line also contains some predetermined combination of SID(s) return “Audit Passed”

ELSE return “Audit Failed”

(imported comment written by JasonO91)

Steve,

The relevance would look something like

exists (line containing "SeNetworkLogonRight" of file "c:\secnew.txt" as string contains "S-1-1-0") and exists (line containing "SeNetworkLogonRight" of file "c:\secnew.txt" as string contains "S-1-5-32-544")

This relevance statement will return True if each of the contains fields is present, and False if they are not.

There’s probably a better way to do the comparison, but I threw this together =)

Jason

(imported comment written by BenKus)

Hey Jason/makousks,

Looks like you guys made a lot of progress on this. Are you using BES to do security policy audits in your company? If so, you might be excited by some things we are working on.

Try this:

if (exists lines whose (it contains "SeNetworkLogonRight" AND (it contains "" AND it contains "")) of file "C:\test.txt") then "Audit passed" else "Audit failed"

In this case the "it" refers to each line of the file. This is a bit different from JasonO’s relevance because this way requires the SIDs to be on the same line… Depending on what you want to happen, you should have both options covered.

Ben

(imported comment written by makousks91)

Yea. We are using it for auditing.

I’m stuck now trying to figure out how to “fail” the audit if it contains SIDs that we don’t want there.

Example: If the line we’re looking at contains the 2 SIDs we want there, but also contains an additional SID, how would I put that error correction in?

Also as you can see in my example, I’d like to include the line in error for review.

Your string may be a bit better than what I was using:

if exists file "read.txt" of folder ((pathname of windows folder) & "\security\database") then
  (if exists line containing "SeBackupPrivilege" of file "read.txt" of folder ((pathname of windows folder) & "\security\database") then
    (if
      (substring after "SeBackupPrivilege" of (line containing "SeBackupPrivilege" of file "read.txt" of folder ((pathname of windows folder) & "\security\database") as string) contains "S-1-5-32-551")
      and
      (substring after "SeBackupPrivilege" of (line containing "SeBackupPrivilege" of file "read.txt" of folder ((pathname of windows folder) & "\security\database")) contains "S-1-5-32-544")
    then "Audit Passed"
    else "Audit Failed " & line containing "SeBackupPrivilege" of file "read.txt" of folder ((pathname of windows folder) & "\security\database") as string)
  else "SeBackupPrivilege Value does not exist")
else "file does not exist"

(imported comment written by JasonO91)

Steve,

In your “Audit Passed” section, add another if then statement to check for the SIDs you don’t want.

then
  "Audit Passed"
else
  "Audit Failed " & line containing "SeBackupPrivilege" of file "read.txt" of folder ((pathname of windows folder) & "\security\database") as string

then
  if line containing … then "Audit Failed" else "Audit Passed"

This would flow like this -->

Find SID 1 and 2 --> Check for bad SID --> Pass/Fail

Do not find SID 1 and 2 --> Fail

Jason

(imported comment written by makousks91)

What if I don’t know what SIDs to look for?

There could be multiple other SIDs there, I have to write the code without the knowledge of what is there. Any number of people could add any number of users/groups from local or Domain level.

I think, I need the statement to be: I only want value1 and value2. If there any other values (and I don’t know what they are) then the audit failed.

Does that make sense?

(imported comment written by JasonO91)

Steve,

That’s an interesting problem, and you might be able to get away with a little trickery.

Instead of looking for “something else” how about this:

if (exists line whose (it contains "SeNetworkLogonRight" AND (it contains "S-1-5-32-551" AND it contains "S-1-5-32-544" and number of substrings "," of it = 3)) of file "C:\secnew.txt") then "Audit passed" else "Audit failed"

What this does is make sure there’s a line containing SeNetworkLogonRight, and then checks to make sure it contains the two SIDs that we want. Then it finally checks for the number of commas in the line. If there are only going to be two SIDs for the audit to pass, there will only be 1 comma. The example you posted looked like this: *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551. The relevance returns “Audit Passed” for this example because both SIDs are there, and there are 3 commas.

Each of the values are separated by commas and since we don’t know how many values are going to be there, we really can’t get a good if then statement together. If we knew the number of properties, we’d just check each of the fields against what we want and if it’s anything else, then fail the audit.

Hope this helps,

Jason
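The two problems in this thread, the unicode export that reads as garbage and the "only these SIDs and nothing else" audit, worked through in Python as an added example (not from the thread and not BigFix relevance). It assumes secedit writes the export as UTF-16 with a byte-order mark, and the export it parses is a constructed sample; the set comparison reports the extra or missing SIDs that the comma-count trick can only infer.

```python
# Added example (not from the thread or BigFix): parse a secedit /export file in
# Python and audit a privilege right against an exact allowed set of SIDs.
# Assumption: secedit writes the export as UTF-16 with a BOM, which is why tools
# expecting ANSI text see garbage. The export below is constructed, not real.
SAMPLE_EXPORT = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551\r\n"
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")  # Python's utf-16 codec writes a BOM, as secedit does

def decode_export(raw):
    """Decode the export; the BOM check plays the role of 'type' in the thread."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")  # BOM is consumed, not returned
    return raw.decode("cp1252")      # already plain text (e.g. after 'type')

def privilege_rights(text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes each SID with '*'; strip it and ignore empty fields
        rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def audit_right(rights, name, allowed):
    """Pass only when the right is held by exactly the allowed SIDs.

    Unlike counting commas, this reports which SIDs are unexpected or missing."""
    actual = rights.get(name)
    if actual is None:
        return "Audit Failed", f"{name} value does not exist"
    extra, missing = sorted(actual - set(allowed)), sorted(set(allowed) - actual)
    if extra or missing:
        return "Audit Failed", f"extra={extra} missing={missing}"
    return "Audit Passed", ""

if __name__ == "__main__":
    rights = privilege_rights(decode_export(SAMPLE_EXPORT))
    print(audit_right(rights, "SeNetworkLogonRight", ["S-1-5-32-544", "S-1-5-32-551"]))
```

With the sample above the SeNetworkLogonRight audit fails and names S-1-1-0 and S-1-5-32-545 as the unexpected entries, while SeBackupPrivilege passes against the same two-SID allow list.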

(imported comment written by makousks91)

Thanks.

That does what I need. Shortens up my relevance too.

Thanks and have a happy Monday!!!