content icon indicating copy to clipboard operation
content copied to clipboard

Published 20 hours ago verified publisher icon ComplianceAsCode

Question about auditeventpolicysubcategories_test element

Open jingnanj opened this issue 5 years ago • 0 comments

Description of problem:

I got a "not checked" result when I try to create a rule for the windows system by following Windows CIS Benchmark.

SCAP Security Guide Version:

OpenSCAP command line tool (oscap) 1.2.17 oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_test --report classified_protection_report.html ssg-windows2016-ds.xml

Operating System Version:

windows server 2016

Steps to Reproduce:

  1. Build windows2016 by following the README in the example folder.
  2. Create Audit_Other_Object_Access_Events_is_set_to_Success_and_Failure folder under linux_os/guide/test
  3. Create Oval folder and rule.yml file as following documentation_complete: true

prodtype: windows2016

title: "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'”

description: |- This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.

rationale: |- The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation.

severity: unknown

ocil_clause: 'If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities.'

ocil: |- To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events

  1. Create shared.xml file under oval folder as following:
(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' 
<auditeventpolicysubcategories_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" check="all" check_existence="at_least_one_exists" comment="Ensure 'other_object_access_events' is 'Equals' to 'AUDIT_SUCCESS_FAILURE'" id="org.cisecurity.benchmarks.windows_10:tst:850593" version="1">
  <object object_ref="org.cisecurity.benchmarks.windows_10:obj:850593"/>
  <state state_ref="org.cisecurity.benchmarks.windows_10:ste:850593"/>
</auditeventpolicysubcategories_test>

<auditeventpolicysubcategories_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="Ensure 'other_object_access_events' is 'Equals' to 'AUDIT_SUCCESS_FAILURE'" id="org.cisecurity.benchmarks.windows_10:obj:850593" version="1"/>

<auditeventpolicysubcategories_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="Ensure 'other_object_access_events' is 'Equals' to 'AUDIT_SUCCESS_FAILURE'" id="org.cisecurity.benchmarks.windows_10:ste:850593" version="1">
  <other_object_access_events datatype="string" operation="equals" var_ref="var_org.cisecurity.benchmarks.windows_10_var_850593"/>
</auditeventpolicysubcategories_state>

<external_variable comment="This value is used in Rule: (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" datatype="string" id="var_org.cisecurity.benchmarks.windows_10_var_850593" version="1"/>
  1. Create var_org.cisecurity.benchmarks.windows_10_var_850593.var under test folder as following:

documentation_complete: true

title: 'Ensure Audit Other Object Access Events is set to Success and Failure'

description: |- Ensure This value is used in Rule: 'Ensure Audit Other Object Access Events is set to Success and Failure'

type: string

operator: equals

interactive: false

options: default: AUDIT_SUCCESS_FAILURE

  1. cd content/build
  2. cmake ../
  3. make -j4 windows2016
  4. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_test --report classified_protection_report.html ssg-windows2016-ds.xml

Actual Results:

Rule xccdf_org.ssgproject.content_rule_Audit_Other_Object_Access_Events_is_set_to_Success_and_Failure WARNING: Skipping rule that requires an unregistered check system or incorrect content reference to evaluate. Please consider providing a valid SCAP/OVAL instead of http://scap.nist.gov/schema/ocil/2 Result notchecked

Expected Results:

It should work if that's how auditeventpolicysubcategories_test work. Because I build an almost same oval rule for Linux system, except using auditeventpolicysubcategories_test element with pass result.

jingnanj avatar Nov 18 '20 06:11 jingnanj

There is no Windows product defined in the project.

marcusburghardt avatar Sep 06 '22 15:09 marcusburghardt