How to get RSoP (Specific) and add to Custom Inventory

Version 2

Many admins today must deal with security issues and audits to ensure that the required security items are applied to each device. Did you know that BMC Client Management can do almost anything?!?

Use Case:

A government customer runs a DISA SCAP job, but that only collects about 65% of the auditable requirements. How can you gather the other 35% of the required data?

I created a batch file with a lot of entries that pipe the results out to specific text files on the local machine. Here are the contents of one such batch file:

RSoP Batch File

@Echo off
PowerShell -ExecutionPolicy ByPass -Command "Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer | Where {$_.UserRight -eq 'SeCreateGlobalPrivilege' -and $_.precedence -eq 1} | Format-Table -Wrap -Property UserRight,AccountList -AutoSize | Out-File C:\BCM\CCE-8431-9.log -Encoding utf8"
PowerShell -ExecutionPolicy ByPass -Command "Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer | Where {$_.UserRight -eq 'SeDebugPrivilege' -and $_.precedence -eq 1} | Format-Table -Wrap -Property UserRight,AccountList -AutoSize | Out-File C:\BCM\CCE-8583-7.log -Encoding utf8"
PowerShell -ExecutionPolicy ByPass -Command "Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer | Where {$_.UserRight -eq 'SeAssignPrimaryTokenPrivilege' -and $_.precedence -eq 1} | Format-Table -Wrap -Property UserRight,AccountList -AutoSize | Out-File C:\BCM\CCE-8732-0.log -Encoding utf8"
PowerShell -ExecutionPolicy ByPass -Command "Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer | Where {$_.UserRight -eq 'SeDenyServiceLogonRight' -and $_.precedence -eq 1} | Format-Table -Wrap -Property UserRight,AccountList -AutoSize | Out-File C:\BCM\CCE-9098-5.log -Encoding utf8"
PowerShell -ExecutionPolicy ByPass -Command "Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer | Where {$_.UserRight -eq 'SeSystemProfilePrivilege' -and $_.precedence -eq 1} | Format-Table -Wrap -Property UserRight,AccountList -AutoSize | Out-File C:\BCM\CCE-9419-3.log -Encoding utf8"
PowerShell -ExecutionPolicy ByPass -Command "Get-WMIObject RSOP_SecuritySettings -namespace root\rsop\computer | Where {$_.KeyName -eq 'EnableAdminAccount' -and $_.precedence -eq 1} | Format-Table -Wrap -Property KeyName,Setting -AutoSize | Out-File C:\BCM\CCE-9199-1.log -Encoding utf8"

Now let's take a look at the output file of one of these:

CCE-9419-3.log

UserRight                AccountList
---------                -----------
SeSystemProfilePrivilege {Administrators, NT SERVICE\WdiServiceHost}

The Op Rule used actually deletes several header rows first, so that a RegEx can then pull the data I need out of the results and into Custom Inventory.
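Because Format-Table output written with Out-File depends on the console width and carries table headers, the Op Rule has to strip rows before its RegEx can run. As an added example (my own, not the post's or BMC's code), this script collects the same five RSOP_UserPrivilegeRight checks with one WMI query and writes each CCE log as header-free key=value lines; the CCE-to-right mapping comes from the batch file above, while $OutDir, the Configured field and the key=value layout are my assumptions.

```powershell
# Added example, not code from the original post. One WMI query covers all five
# user-right checks instead of one PowerShell process per CCE item, and each log
# is written as key=value lines so the Op Rule RegEx has no headers or column
# wrapping to strip. $OutDir and the output layout are assumptions.
$OutDir = 'C:\BCM'
$CceToRight = [ordered]@{
    'CCE-8431-9' = 'SeCreateGlobalPrivilege'
    'CCE-8583-7' = 'SeDebugPrivilege'
    'CCE-8732-0' = 'SeAssignPrimaryTokenPrivilege'
    'CCE-9098-5' = 'SeDenyServiceLogonRight'
    'CCE-9419-3' = 'SeSystemProfilePrivilege'
}

# root\rsop\computer is the RSoP logging namespace for the computer's applied GPOs.
# Reading it requires administrative rights, so run this from an elevated Op Rule.
# Get-WmiObject is Windows PowerShell only; on PowerShell 7 use
# Get-CimInstance -Namespace root\rsop\computer -ClassName RSOP_UserPrivilegeRight.
$winning = Get-WmiObject -Namespace 'root\rsop\computer' -Class RSOP_UserPrivilegeRight |
           Where-Object { $_.precedence -eq 1 }   # precedence 1 = the setting that won

foreach ($cce in $CceToRight.Keys) {
    $right = $CceToRight[$cce]
    $hit   = $winning | Where-Object { $_.UserRight -eq $right }

    if ($null -eq $hit) {
        # No GPO assigns this right: record that explicitly rather than writing an
        # empty file, so inventory can tell "not configured" from "not collected".
        $lines = "CCE=$cce", "UserRight=$right", "AccountList=", "GPOID=", "Configured=False"
    } else {
        # AccountList is a string array; join it so the whole right fits on one line.
        $lines = "CCE=$cce", "UserRight=$right",
                 ("AccountList=" + (@($hit.AccountList) -join ';')),
                 "GPOID=$($hit.GPOID)", "Configured=True"
    }
    $lines | Set-Content -Path (Join-Path $OutDir "$cce.log") -Encoding UTF8
}
```

With this layout the Custom Inventory RegEx only needs to match the line prefix, for example `^AccountList=(.*)$`, and a missing setting shows up as Configured=False instead of an empty file.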

     

Here is how this appears in Client Management:

Custom Inventory

Results of CCE-9419-3

These results can now be utilized in Custom Compliance Rules, or you can simply run a report showing the results.

Here is a screenshot of the Op Rule used to run the batch file and apply the RegEx that adds the results to Custom Inventory:

My goal in writing this document is to give BCM admins the opportunity to see what else can be accomplished using this very powerful and capable tool! I hope this helps get your creative juices flowing!

I thought I would also share another batch file, just to show how to extract Audit Policy entries:

AuditPol.batch

@echo Off
AuditPol /get /SubCategory:"Registry" > C:\BCM\Audit\CCE-10078-4_CCE-9737-8.log
AuditPol /get /SubCategory:"Application Group Management" > C:\BCM\Audit\CCE-8822-9_CCE-9591-9.log
AuditPol /get /SubCategory:"Account Lockout" > C:\BCM\Audit\CCE-8853-4_CCE-9023-3.log
AuditPol /get /SubCategory:"Network Policy Server" > C:\BCM\Audit\CCE-9076-1_CCE-9741-0.log
AuditPol /get /SubCategory:"Filtering Platform Packet Drop" > C:\BCM\Audit\CCE-9133-0.log
AuditPol /get /SubCategory:"Kerberos Service Ticket Operations" > C:\BCM\Audit\CCE-9148-8_CCE-9269-2.log
AuditPol /get /SubCategory:"MPSSVC Rule-Level Policy Change" > C:\BCM\Audit\CCE-9153-8_CCE-9913-5.log
AuditPol /get /SubCategory:"Non Sensitive Privilege Use" > C:\BCM\Audit\CCE-9190-0_CCE-9159-5.log
AuditPol /get /SubCategory:"Process Termination" > C:\BCM\Audit\CCE-9227-0_CCE-9818-6.log
AuditPol /get /SubCategory:"Kerberos Authentication Service" > C:\BCM\Audit\CCE-9258-5_CCE-9502-6.log
AuditPol /get /SubCategory:"File Share" > C:\BCM\Audit\CCE-9376-5_CCE-9405-2.log
AuditPol /get /SubCategory:"Other Object Access Events" > C:\BCM\Audit\CCE-9455-7_CCE-9545-5.log
AuditPol /get /SubCategory:"Certification Services" > C:\BCM\Audit\CCE-9460-7_CCE-9488-8.log
AuditPol /get /SubCategory:"RPC Events" > C:\BCM\Audit\CCE-9492-0_CCE-9364-1.log
AuditPol /get /SubCategory:"Other System Events" > C:\BCM\Audit\CCE-9586-9_CCE-10088-3.log
AuditPol /get /SubCategory:"Other Policy Change Events" > C:\BCM\Audit\CCE-9596-8_CCE-10049-5.log
AuditPol /get /SubCategory:"Other Logon/Logoff Events" > C:\BCM\Audit\CCE-9622-2_CCE-9631-3.log
AuditPol /get /SubCategory:"Detailed Directory Service Replication" > C:\BCM\Audit\CCE-9628-9_CCE-9526-5.log
AuditPol /get /SubCategory:"IPsec Quick Mode" > C:\BCM\Audit\CCE-9632-1_CCE-9671-9.log
AuditPol /get /SubCategory:"Authorization Policy Change" > C:\BCM\Audit\CCE-9633-9_CCE-10050-3.log
AuditPol /get /SubCategory:"Directory Service Replication" > C:\BCM\Audit\CCE-9637-0_CCE-9755-0.log
AuditPol /get /SubCategory:"Distribution Group Management" > C:\BCM\Audit\CCE-9644-6_CCE-8829-4.log
AuditPol /get /SubCategory:"IPsec Extended Mode" > C:\BCM\Audit\CCE-9661-0_CCE-8857-5.log
AuditPol /get /SubCategory:"IPsec Main Mode" > C:\BCM\Audit\CCE-9715-4_CCE-8956-5.log
AuditPol /get /SubCategory:"Detailed File Share" > C:\BCM\Audit\CCE-9720-4_CCE-8861-7.log
AuditPol /get /SubCategory:"Filtering Platform Connection" > C:\BCM\Audit\CCE-9728-7_CCE-9569-5.log
AuditPol /get /SubCategory:"Directory Service Changes" > C:\BCM\Audit\CCE-9734-5_CCE-8850-0.log
AuditPol /get /SubCategory:"DPAPI Activity" > C:\BCM\Audit\CCE-9735-2_CCE-9412-8.log
AuditPol /get /SubCategory:"Directory Service Access" > C:\BCM\Audit\CCE-9765-9_CCE-9791-5.log
AuditPol /get /SubCategory:"Handle Manipulation" > C:\BCM\Audit\CCE-9789-9_CCE-10098-2.log
AuditPol /get /SubCategory:"Kernel Object" > C:\BCM\Audit\CCE-9803-8_CCE-9137-1.log
AuditPol /get /SubCategory:"Other Account Logon Events" > C:\BCM\Audit\CCE-9808-7_CCE-9445-8.log
AuditPol /get /SubCategory:"File System" > C:\BCM\Audit\CCE-9811-1_CCE-9217-1.log
AuditPol /get /SubCategory:"Application Generated" > C:\BCM\Audit\CCE-9816-0_CCE-8860-9.log
AuditPol /get /SubCategory:"SAM" > C:\BCM\Audit\CCE-9856-6_CCE-9845-9.log
AuditPol /get /SubCategory:"Filtering Platform Policy Change" > C:\BCM\Audit\CCE-9902-8_CCE-10081-8.log
AuditPol /get /SubCategory:"Other Privilege Use Events" > C:\BCM\Audit\CCE-9988-7_CCE-9314-6.log
EXIT

     

    Steve Gibbs

    RightStar Systems

    Sr. Systems Consultant

    BMC Certified Administrator