11 Replies Latest reply on Nov 27, 2012 2:49 AM by Roy Ong

    windows 2008 compliance template - adding parts

    Roy Ong

      Hi all,

       

      On the 8.2.1 console, I was trying to add parts for Advanced Security Audit Policy Settings from a Win 2008 R2 server to a compliance template, but I couldn't find it. I had no issues finding the Local Policies -> Audit Policy though. Are Advanced Security Audit Policy Settings only available on a domain controller server? Will BBSA capture those settings if I had a Win 2008 domain controller?

       

      Thanks in advance!

        • 1. Re: windows 2008 compliance template - adding parts
          suresh Balla

          Roy,

           

          Advanced Audit Security policy settings were introduced in Windows 2008; these details can be set/get with the help of the command auditpol.exe. These details can be viewed through the GUI in Windows 2008 R2.

           

          BBSA does not provide these details. This can be achieved through an EO.

           

          The disawin-audit.nsh EO is available, which will fetch the details.

          Syntax:

          "<fileserver path>/extended_objects/disawin-audit.nsh" "??TARGET.NAME??" "Audit Policy Change"

           

          You can provide any policy name as the last parameter.

           

          Please let me know if you find it difficult to write. CIS windows 2008 template have

          • 2. Re: windows 2008 compliance template - adding parts
            Roy Ong

            Hi Suresh,

             

            Is the syntax below correct?

             

            nsh -c "//fileserver/D/blstorage/extended_objects/disawin-audit.nsh" "??TARGET.NAME??" "System/IPsecDriver"

            nsh -c "//fileserver/D/blstorage/extended_objects/disawin-audit.nsh" "??TARGET.NAME??" "System/SystemIntegrity"

             

            Can I somehow use/export the extended object parts from the CIS Windows 2008? Sorry, I'm new to extended objects.



            Thanks

            Roy

            • 3. Re: windows 2008 compliance template - adding parts
              suresh Balla

              Roy,

              No need to export from the current CIS template.

              You can create the EO under your template.

              Open the template where you want to add the EO.

              Go to the Local Configuration Objects tab.

              Click on the Add "+" button.

              Select the Extended Objects radio button -> click Next.

              Provide a name and description.

              command as : nsh -c "%FILE_SERVER_ROOT%/extended_objects/disawin-audit.nsh" "??TARGET.NAME??" "Audit Policy Change"

               

              The last parameter will be the policy name. These values you can find when you run the auditpol command.

              execution type: central

              grammar file: xml file grammar (xml.gm)

               

              Once you create the EO, you can write rules.

              "Extended Object Entry:Audit-Policy-1.3.12//findings/PolicyChange/AuditPolicyChange"."Value1 as String (All OS)" equals "SuccessandFailure"

               

              Similarly, you can create as many EOs as you like by changing policy names. Let me know if you are not able to create the EO and run it. You can check existing rules for more information.

               

              Suresh

              • 4. Re: windows 2008 compliance template - adding parts
                Roy Ong

                Suresh,

                 

                I tried out what you mentioned.

                I created the EO, with this script, (nsh -c "//myfileserver/D/blstorage/extended_objects/disawin-audit.nsh" ??TARGET.NAME?? "System System Extension")

                 

                I then created a compliance rule,

                 

                "Extended Object Entry:System - Security System Extension"."Value1 as Integer (All OS)" = 1

                 

                I tested the compliance rule and I got this error.

                Error 0x00000057 occurred:

                The parameter is incorrect.

                • 5. Re: windows 2008 compliance template - adding parts
                  suresh Balla

                  Roy,

                   

                  Your syntax is wrong.

                  Here the EO returns string values, like Success, Failure, SuccessandFailure,

                  so the rule should be

                  "Extended Object Entry:System - Security System Extension"."Value1 as String (All OS)" equals "SuccessandFailure"

                   

                  You can test the same rule from the nsh prompt and check whether it is returning a string value or not.

                   

                  Suresh

                  • 6. Re: windows 2008 compliance template - adding parts
                    Roy Ong

                    C:\Users\bladmin>nsh -c "//myfileserver/D/blstorage/extended_objects/disawin-audit.nsh" serverA "System System Extension"

                    Error 0x00000057 occurred:

                    The parameter is incorrect.

                     

                     

                    <findings><><SystemSystemExtension>UseAuditPol<command>/?fordetailsoneachcommand</SystemSystemExtension></></findings>

                     

                    What's wrong with the syntax above?

                    • 7. Re: windows 2008 compliance template - adding parts
                      suresh Balla

                      Please check the policy name: it is not "System System Extension", it will be "Security System Extension".

                       

                      Run the following command to get the list:

                      auditpol.exe /get /category:\* > audit.txt

                       

                      Suresh

                      • 8. Re: windows 2008 compliance template - adding parts
                        Roy Ong

                        Oops, thanks, my mistake. The script works now.

                         

                        C:\Users\bladmin>nsh -c "//myfileserver/D/blstorage/extended_objects/disawin-audit.nsh" serverA "Security System Extension"

                        <findings><System><SecuritySystemExtension>SuccessandFailure</SecuritySystemExtension></System></findings>

                         

                        But I created the rule based on the EO part

                        "Extended Object Entry:System - Security System Extension"."Value1 as String (All OS)" = "SuccessandFailure"

                         

                        But it failed when it should be compliant.

                         

                        I tested the rule on the CIS template.

                        "Extended Object Entry:Audit-Policy-1.3.3//findings/System/SecuritySystemExtension"."Value1 as String (All OS)" = "SuccessandFailure"

                         

                        And it was successful, which is correct.

                         

                        Why is there the "//findings/System/SecuritySystemExtension" part in the CIS template rule... Am I missing some step?

                         

                        Thanks

                        Roy

                        • 9. Re: windows 2008 compliance template - adding parts
                          Roy Ong

                          Hmm, seems I didn't put the grammar file: xml file grammar (xml.gm) when creating the EO, will try it out again, thanks

                          Roy

                          • 10. Re: windows 2008 compliance template - adding parts
                            suresh Balla

                            You have run the script successfully. It will return values in XML format.

                             

                            <findings><System><SecuritySystemExtension>SuccessandFailure</SecuritySystemExtension></System></findings>

                             

                            The rule should be written this way:

                             

                            "Extended Object Entry:System - Security System Extension//findings/System/SecuritySystemExtension"."Value1 as String (All OS)" = "SuccessandFailure"

                             

                            It is important to provide the Category and policy name. You can write any rule in the above format.

                            Also check the grammar file used to read the value in the EO. It should be xml.gm.

                             

                             

                            Suresh


                            1 of 1 people found this helpful
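
Added example (not part of any post in this thread, and not the code of disawin-audit.nsh): a Python sketch that parses `auditpol.exe /get /category:*` text output, derives the `//findings/<Category>/<Subcategory>` path used in the working rule from reply 10, and rejects a mistyped policy name such as the one in reply 6. The sample output is constructed, the function names are hypothetical, and the whitespace stripping is an assumption taken from the EO output shown above.

```python
import re

# Constructed sample of `auditpol.exe /get /category:*` output (not from a real host).
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
Policy Change
  Audit Policy Change                     Success
"""

def squash(text):
    """Drop whitespace, matching the EO output in the thread ('SuccessandFailure')."""
    return re.sub(r"\s+", "", text)

def parse_auditpol(text):
    """Return {subcategory name: (category, setting)} from auditpol text output."""
    policies, category = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue                          # blank lines and the two header lines
        if not line.startswith(" "):          # unindented line is a category heading
            category = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and category:      # indented "name   setting" row
            policies[parts[0]] = (category, parts[1])
    return policies

def rule_for(policies, eo_name, policy_name, expected="Success and Failure"):
    """Build the rule text in the form shown in reply 10; also report pass/fail."""
    if policy_name not in policies:           # e.g. "System System Extension"
        raise KeyError(f"unknown policy name {policy_name!r}; valid: {sorted(policies)}")
    category, setting = policies[policy_name]
    path = f"//findings/{squash(category)}/{squash(policy_name)}"
    rule = (f'"Extended Object Entry:{eo_name}{path}"."Value1 as String (All OS)"'
            f' = "{squash(expected)}"')
    return rule, squash(setting) == squash(expected)

if __name__ == "__main__":
    found = parse_auditpol(SAMPLE)
    for name in found:
        print(*rule_for(found, f"{found[name][0]} - {name}", name), sep="  ->  ")
```
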
                            • 11. Re: windows 2008 compliance template - adding parts
                              Roy Ong

                              Thanks Suresh for your help, got it to work at last