Windows 7 STIG not gathering data from server

We’ve enabled the DISA STIG Checklist for Windows 7, but the site seems to hang before gathering data from sync.bigifix server. Any leads on troubleshooting this?

Gather URL: http://sync.bigfix.com/cgi-bin/bfgather/disawin7

Message at the bottom of the console: Waiting for server to begin gather of DISA STIG Checklist for Windows 7

The message has been there for several days now.

They still haven’t fixed it! Or I should say they fixed it one time, and then let it break again.

Go into the relay diagnostics and see what the error says. I am willing to bet it will be the same error we are having, Error Message: 31: class NoAuthorizedSignature (class X509VerifyError<20>).

I have put a PMR in for IBM to fix this in the past, and they fixed it that time. But it appears that the fix did not get put into production as the error is back. Perhaps a new PMR should be opened.

I just notified our site person so they will take a look at this though it may be a specific user error on publication.

It was exactly that error. I’ll wait to hear word from AlanM.

Sorry to hear you are having some issues gathering this site…

Yes, this DISA STIG Checklist for Windows 7 site is an old site and it’s at site ver 28

I’m able to enable it and gather it in console as well…

Is there anyway we can get the following logs if possible:

  1. BES client logs ( like C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__Global\Logs)

  2. Gather Logs ( GatherDB.log from BES Server machine under: C:\Program Files (x86)\BigFix Enterprise\BES Server\GatherDBData)

or/ and some time if possible to speak with you to resolve this issue for you…

Thanks…

Having exactly the same problem PMR 24111,082,000.

Same issue class NoAuthorizedSignature (class X509VerifyError<20>)

In the gatherDB log.

I just turned the DISA STIG Checklist for Windows 7 on.

Lou

Thanks for the details…

I’ve tried this on BES platform ver 9.5.2.56 Console and I could see this site gathered successfully in GatherDB

Mon, 13 Mar 2017 14:57:47 -0700 – Beginning import of version 28 of site DISA STIG Checklist for Windows 7
Mon, 13 Mar 2017 14:58:30 -0700 – Import of version 28 of site DISA STIG Checklist for Windows 7 completed successfully

Can you please share the BES Client log and GatherDB log if possible from the BES Server machine

Will look into the details of the PMR you mentioned as well

Thanks,
Vinoy

A sample from the GatherDB.log:

Wed, 15 Mar 2017 04:13:52 -0400 – Unexpected exception during gather of site DISA STIG Checklist for Windows 7: Unexpected HTTP response: 404
Wed, 15 Mar 2017 05:15:42 -0400 – Beginning import of version 1010 of site Updates for Windows Applications
Wed, 15 Mar 2017 05:18:27 -0400 – Import of version 1010 of site Updates for Windows Applications completed successfully
Wed, 15 Mar 2017 05:18:58 -0400 – Unexpected exception during gather of site DISA STIG Checklist for Windows 7: Unexpected HTTP response: 404
Wed, 15 Mar 2017 06:20:48 -0400 – Unexpected exception during gather of site DISA STIG Checklist for Windows 7: Unexpected HTTP response: 404
Wed, 15 Mar 2017 07:22:41 -0400 – Unexpected exception during gather of site DISA STIG Checklist for Windows 7: Unexpected HTTP response: 404
Wed, 15 Mar 2017 08:24:30 -0400 – Unexpected exception during gather of site DISA STIG Checklist for Windows 7: Unexpected HTTP response: 404
Wed, 15 Mar 2017 09:28:21 -0400 – Beginning import of version 2708 of site Enterprise Security
Wed, 15 Mar 2017 09:39:46 -0400 – Import of version 2708 of site Enterprise Security completed successfully
Wed, 15 Mar 2017 09:40:26 -0400 – Unexpected exception during gather of site DISA STIG Checklist for Windows 7: Unexpected HTTP response: 404
Wed,

I am using an Airgap install where I bring in an AirGapResponse file.

The relevant error in my GatherDB log file is

Unexpected Exception during gather of site DISA STIG Checklist for
Windows 7: class NoAuthorizedSignature (class X509VerifyError<20>)

I cannot post the entire log to this forum.

Thanks for these details… these should help us resolve the issue… Will update soon…

Thanks!!!

It would also help to know the BES Server versions you re using… ( like BES 9.1, BES 9.2, BES 9.5 etc…)

Thanks

Vinoy… I am running BES 9.5.4

In my case, I newly turned on the DISA STIG Checklist for Win 7 and it started with the NoAuthorizedSignature issues after trying the first AirgapResponse import.

I have another server running the DISA STIG checkist for win 7 with no issues.

I have a PMR open 24111,082,000. I would appreciate it if you could look at the PMR, because LVL 2 wants me to turn McAfee AV off which we cannot do in this Air Gapped environment. So its blocking progress through IBM Support.

Thanks!
Lou

Thanks a lot Lou… Sorry for the inconvenience

Will update ASAP…

Hi Everyone,

Propagated a new version of this site ( DISA STIG Checklist for Windows 7)

The new site ver is 30

Changelist:

Used an updated cert file to propagate the site and the site now gathers well both in a SHA 256 or a SHA1 environments on different versions of BES

Here are some details from GatherDB log

Wed, 15 Mar 2017 17:54:29 -0700 – Beginning import of version 30 of site DISA STIG Checklist for Windows 7
Wed, 15 Mar 2017 17:57:07 -0700 – Import of version 30 of site DISA STIG Checklist for Windows 7 completed successfully

This issue should be resolved now…

Please let us know if you are still seeing any issues with gathering of this site…

Sorry for the inconvenience again…

Thanks,
Vinoy

Thank you Vinoy!!!.. just went through the AirGap process and it corrected my problem.

Lou

That’s great to hear Lou!!! And thanks for helping to troubleshoot this issue…

And also thanks Team for helping to resolve this issue with high priority!!!

Thanks,
Vinoy

That worked. Thanks! Appreciate the help.

Dave

Thanks Dave for letting us know that this site gather is working good for you now…
And also thanks for sharing the log details and for your help in troubleshooting it and also for creating a Forum topic…

Regards,
Vinoy