Hello,
I am trying to create an OSSEC rootcheck file regarding the CIS benchmarks for Windows Server. I noticed that some rules are not working on my Windows Server 2012 R2 (64-bit) test VM.
For example:

#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;

I am not sure if this rule is created with a mistake or if the problem is related to the Windows registry redirection on 64-bit systems (https://github.com/ossec/ossec-hids/issues/301). Is there a workaround to check these hives with rootchecks, or are all the keys in hkey_local_machine\software and hkey_current_user\software "useless" for this kind of check on 64-bit Windows? I have seen that there is a workaround in this post, but I'm not able to implement that.
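
A diagnostic for the question above, added here as an example (it is not part of the original post and not OSSEC code): it reads ScRemoveOption from both the 64-bit and the 32-bit registry view, so the test VM shows whether the two views differ for the key in the rule. The first path is copied from the rule as posted; the second, with a space in "Windows NT", is an assumption about the intended key, and the function name Get-ValueInView is made up for this example.

```powershell
# Added diagnostic; value name and first key path are taken from the rule in the post.
# The second path (with a space in "Windows NT") is an assumption about the intended key.
$subKeys = @(
    'Software\Microsoft\WindowsNT\CurrentVersion\Winlogon',
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$valueName = 'ScRemoveOption'

function Get-ValueInView {
    param(
        [string]$SubKey,
        [string]$Name,
        [Microsoft.Win32.RegistryView]$View
    )
    # Open HKLM in an explicit view, independent of the bitness of this process.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)   # read-only; $null if the key is absent
        if ($null -eq $key) {
            $state = 'key not found'; $data = $null
        } else {
            try {
                $data  = $key.GetValue($Name, $null)
                $state = if ($null -eq $data) { 'value not set' } else { 'ok' }
            } finally { $key.Close() }
        }
    } finally { $base.Close() }
    [pscustomobject]@{ View = $View; SubKey = $SubKey; State = $state; Data = $data }
}

# Query every path in both views and show the results side by side.
$results = foreach ($subKey in $subKeys) {
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry64,
                      [Microsoft.Win32.RegistryView]::Registry32) {
        Get-ValueInView -SubKey $subKey -Name $valueName -View $view
    }
}
$results | Format-Table -AutoSize
```

A path that reports "key not found" in both views does not exist under that spelling at all; a path whose State or Data differs between Registry64 and Registry32 is one where a 32-bit process reads something other than what a 64-bit tool such as regedit shows.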