Rootcheck rule for windows - mistake in rule or problem with 64bit system?


Daniel Bode

Apr 3, 2018, 3:32:46 AM4/3/18
to ossec...@googlegroups.com
Hello,

I am trying to create an OSSEC rootcheck file based on the CIS benchmarks for Windows Server. I noticed that some rules are not working on my Windows Server 2012 R2 (64bit) test VM.

For example:

#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;

I am not sure if this rule was created with a mistake or if the problem is related to the Windows registry redirection on 64bit systems (https://github.com/ossec/ossec-hids/issues/301). Is there a workaround to check these hives with rootchecks, or are all the keys in hkey_local_machine\software and hkey_current_user\software "useless" for this kind of check on 64bit Windows? I have seen that there is a workaround in this post, but I'm not able to implement it.

Thanks for your support.

Best Regards

Daniel
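As an added illustration (not part of the post above and not OSSEC project code), the following Python script parses rootcheck rules in the format shown in the post and flags the two things worth checking before concluding that a 64-bit host is at fault: a key component whose spelling does not match the canonical registry name (the Winlogon key lives under "Windows NT", with a space), and keys under HKLM\Software or HKCU\Software that a 32-bit agent may read through WOW64 redirection, for which it prints the Wow6432Node path to compare against. The rule text embedded below is the one from the post plus one constructed rule under HKLM\System for contrast; the second rule's name and reference URL are placeholders.

```python
"""Linter for OSSEC rootcheck registry rules (added example, not OSSEC code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the rule from the post, plus one constructed rule under
# HKLM\System for contrast (its name and reference URL are placeholders).
SAMPLE_RULES = r"""
#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;

[Constructed example - RestrictAnonymous check] [any] [https://example.invalid/placeholder]
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
"""

# Rule header: [name] [condition] [reference]; registry check: r:KEY -> VALUE -> CONTENT;
HEADER_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*\[(?P<cond>[^\]]+)\]\s*\[(?P<ref>[^\]]*)\]$")
REG_RE = re.compile(r"^r:(?P<key>[^;]+?)\s*->\s*(?P<value>[^;]+?)\s*->\s*(?P<content>[^;]+?);$")

HIVES = {"HKEY_LOCAL_MACHINE", "HKLM", "HKEY_CURRENT_USER", "HKCU"}
# Canonical spellings of key components that are commonly typed without the space.
CANONICAL = {"windowsnt": "Windows NT"}


@dataclass
class RegistryCheck:
    key: str
    value: str
    content: str
    findings: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    condition: str
    reference: str
    checks: List[RegistryCheck] = field(default_factory=list)


def parse_rules(text: str) -> List[Rule]:
    """Parse rule headers and the 'r:' checks that follow each of them."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Rule(m["name"], m["cond"], m["ref"])
            rules.append(current)
            continue
        m = REG_RE.match(line)
        if m and current is not None:
            current.checks.append(RegistryCheck(m["key"], m["value"], m["content"]))
    return rules


def wow64_alternate(key: str) -> Optional[str]:
    """Return the Wow6432Node path a 32-bit process may be redirected to, or None
    when the key is not under a Software hive or already names Wow6432Node."""
    parts = key.split("\\")
    if len(parts) < 2 or parts[0].upper() not in HIVES or parts[1].lower() != "software":
        return None
    if len(parts) > 2 and parts[2].lower() == "wow6432node":
        return None
    return "\\".join(parts[:2] + ["Wow6432Node"] + parts[2:])


def lint_rules(rules: List[Rule]) -> List[Rule]:
    """Attach (kind, message) findings to every registry check; returns the same list."""
    for rule in rules:
        for check in rule.checks:
            for part in check.key.split("\\"):
                fixed = CANONICAL.get(part.lower())
                if fixed:
                    check.findings.append(("typo", f"'{part}' is not a registry key component; canonical spelling is '{fixed}'"))
            alt = wow64_alternate(check.key)
            if alt:
                check.findings.append(("wow64", f"a 32-bit agent may be redirected to {alt}; confirm the value in both views"))
    return rules


if __name__ == "__main__":
    for rule in lint_rules(parse_rules(SAMPLE_RULES)):
        for check in rule.checks:
            print(rule.name[:60], "|", check.key, "->", check.value, "->", check.content)
            for kind, msg in check.findings:
                print("    " + kind + ":", msg)
```

Run it against your own rootcheck file by replacing SAMPLE_RULES with the file's contents; a check that reports only a "wow64" finding is a candidate for the redirection problem in the linked issue, while a "typo" finding means the rule would fail on any Windows build regardless of bitness.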