Drilling into the CT, under Rules:
1.9 Security Options > 1.9.2 Network access: Remotely accessible registry paths and sub-paths
It seems like a pretty straight forward compliance check:
??TARGET.IS_SSLF?? = True
Look at your server properties and see if there is a value set for IS_SSLF (should be True/False)
The next two checks are just Security Settings checks for a list of values. I would check those values and see if anything doesn't look right.
Thank you Joe, that fixed it
I see that the default value is FALSE however the servers I am running it against have no default value
Actually, I now have a different error
Error Mar 10, 2014 8:51:23 AM com.bladelogic.om.infra.app.collector.AssetCollectionException: Error occurred during 1.9.2 Network access: Remotely accessible registry paths and sub-paths extended object execution. The exit code was '13'. Additional error information (if it exists) follows: (component=CIS - Windows Server 2008 (CCA-SCI-TMA01.ccdc.local), selector=Extended Object:1.9.2 Network access: Remotely accessible registry paths and sub-paths)
1.9.2 has a condition of
if ??TARGET.IS_SSLF?? = TRUE then
However IS_SSLF is false, so I don't know why BSA is trying to run this rule
Is the overall compliance check coming back as Compliant and just the Rules are showing in bold/red? Or is it actually coming back as Non-compliant on servers where IS_SSLF is set to False?
The compliance job itself fails, it no showing if a server is compliant or not
It's possible it's a bug. Let me spin up my local VM environment and see if I get the same behavior.