Secedit exports the file as Unicode, so when you open it in Notepad, it shows correctly. When you open it with a tool that doesn’t automatically convert it from Unicode, you see garbage. To convert the text file into something that you can use with BigFix, simply run the following command:
type somefile.txt > somefile2.txt
Type will convert the file to plain text and you can use BigFix from there.
exists (line containing “SeNetworkLogonRight” of file “c:\secnew.txt” as string contains “S-1-1-0”) and exists (line containing “SeNetworkLogonRight” of file “c:\secnew.txt” as string contains “S-1-5-32-544”)
This relevance statement will return True if each of the “contains” fields is present, and False if they are not.
There’s probably a better way to do the comparison, but I threw this together =)
Looks like you guys made a lot of progress on this. Are you using BES to do security policy audits in your company? If so, you might be excited by some things we are working on.
Try this:
if (exists lines whose (it contains “SeNetworkLogonRight” AND (it contains “” AND it contains “”)) of file “C:\test.txt”) then “Audit passed” else “Audit failed”
In this case the “it” refers to each line of the file. This is a bit different than JasonO’s relevance because this way requires the SIDs to be on the same line… Depending on what you want to happen, you should have both options covered.
There could be multiple other SIDs there, I have to write the code without the knowledge of what is there. Any number of people could add any number of users/groups from local or Domain level.
I think I need the statement to be: I only want value1 and value2. If there are any other values (and I don’t know what they are), then the audit failed.
That’s an interesting problem, and you might be able to get away with a little trickery.
Instead of looking for “something else” how about this:
if (exists line whose (it contains “SeNetworkLogonRight” AND (it contains “S-1-5-32-551” AND it contains “S-1-5-32-544” and number of substrings “,” of it = 3)) of file “C:\secnew.txt”) then “Audit passed” else “Audit failed”
What this does is make sure there’s a line containing SeNetworkLogonRight, and then check that it contains the two SIDs that we want. Then it finally checks the number of commas in the line. If there are only going to be two SIDs for the audit to pass, there will only be 1 comma. The example you posted looked like this: *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551. The relevance returns “Audit passed” for this example because both SIDs are there, and there are 3 commas.
Each of the values is separated by commas, and since we don’t know how many values are going to be there, we really can’t get a good if-then statement together. If we knew the number of properties, we’d just check each of the fields against what we want, and if it’s anything else, fail the audit.
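Two things in this thread are easier to see in working code than in relevance: why the raw secedit export looks like garbage to a byte-oriented reader (the first post), and how to do the "only value1 and value2, anything else fails" audit without counting commas (the last few posts). The script below is an added example written for this page, not code from the thread or from BigFix; it uses Python rather than relevance, builds a constructed in-memory secedit export (UTF-16LE with a BOM, which is what secedit /export writes), parses the [Privilege Rights] section, and compares each right against an exact expected set. The sample SIDs and the EXPECTED table are illustrative assumptions, not a recommended baseline. It also goes a little beyond the thread: it reports which SIDs are missing and which are extra, so a failed audit says why.

```python
"""Decode a secedit export and audit privilege rights against an exact SID set.

Added example for this thread (not the thread's own code). The sample export
below is constructed in memory; real secedit /export output has more sections.
"""
from __future__ import annotations

import codecs

# Constructed sample: the relevant part of a secedit /export file. secedit
# writes UTF-16LE with a byte-order mark, so we encode it the same way.
SAMPLE_TEXT = (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551\r\n"
    "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545\r\n"
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555\r\n"
    "SeDenyNetworkLogonRight = \r\n"
)
SAMPLE_BYTES = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")

# Assumed audit baseline (illustrative): S-1-5-32-544 is Administrators,
# S-1-5-32-551 is Backup Operators, S-1-5-32-545 is Users.
EXPECTED = {
    "SeNetworkLogonRight": {"*S-1-5-32-544", "*S-1-5-32-551"},
    "SeInteractiveLogonRight": {"*S-1-5-32-544", "*S-1-5-32-545"},
    "SeDenyNetworkLogonRight": set(),
}


def decode_secedit_export(data: bytes) -> str:
    """Turn the bytes of a secedit export into text.

    A UTF-16 file interleaves every ASCII character with a NUL byte, which is
    why an ANSI-only tool sees "garbage" and a byte search for the right name
    fails. Honour the BOM; fall back to the ANSI code page for a file that has
    already been converted (e.g. by `type file > file2`).
    """
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if data.startswith(codecs.BOM_UTF16_BE):
        return data[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    return data.decode("cp1252", errors="replace")


def parse_privilege_rights(text: str) -> dict:
    """Return {right_name: set_of_principals} from the [Privilege Rights] section.

    Principals keep the leading '*' that marks a SID. A right with an empty
    value (e.g. 'SeDenyNetworkLogonRight = ') maps to an empty set.
    """
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def audit_right(rights: dict, name: str, expected) -> tuple:
    """Exact-set check: pass only if the right holds precisely `expected`.

    Returns (passed, missing, extra). An absent right counts as an empty set,
    so a missing right fails unless the baseline expects nobody.
    """
    actual = rights.get(name, set())
    expected = set(expected)
    missing = expected - actual
    extra = actual - expected
    return (not missing and not extra, missing, extra)


def audit_export(data: bytes, expected: dict) -> dict:
    """Decode, parse and audit every right in `expected`; returns name -> result."""
    rights = parse_privilege_rights(decode_secedit_export(data))
    return {name: audit_right(rights, name, want) for name, want in expected.items()}


if __name__ == "__main__":
    # Byte search fails on the raw export; decoding first makes it findable.
    print("raw byte search finds the right:", b"SeNetworkLogonRight" in SAMPLE_BYTES)
    for name, (ok, missing, extra) in audit_export(SAMPLE_BYTES, EXPECTED).items():
        status = "Audit passed" if ok else "Audit failed"
        print(f"{name}: {status}  missing={sorted(missing)} extra={sorted(extra)}")
```

Run against a real machine by replacing SAMPLE_BYTES with the bytes of the file produced by `secedit /export /cfg c:\secnew.txt` and adjusting EXPECTED to your baseline. The exact-set comparison is what the comma count was approximating: it fails on any extra principal regardless of how many there are, and it still passes when the same SIDs appear in a different order.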