Need Help Customizing an FDCC oval definition

General support questions for the Secutor Prime product.
jhartig
Posts: 2
Joined: Tue Jan 06, 2009 10:36 am

Postby jhartig » Wed May 05, 2010 9:18 am

I need to modify the current FDCC Oval definition (oval:gov.nist.fdcc.vista:def:6607 / Access from Network - Administrators) to include the 'Offer Remote Assistance Helpers' group.

Here is my modified code...

Code:

    <!-- Definition -->

    <definition id="oval:lmsdc.vista:def:24" version="1" class="compliance">
      <metadata>
        <title>Access this computer from the Network</title>
        <affected family="windows">
          <platform>Microsoft Windows Vista</platform>
        </affected>
        <reference source="http://cce.mitre.org" ref_id="CCE-4334-9"/>
        <reference source="cce.mitre.org/version/4" ref_id="CCE-532"/>
        <reference source="http://support.microsoft.com/kb/823659" ref_id="KB823659"/>
        <description>Administrators and ORA Helpers may access this computer from the network. NOTE: This can break IPSec; see Microsoft Knowledge Base article 823659 for further guidance.</description>
      </metadata>
      <criteria>
        <extend_definition comment="Windows Vista is installed" definition_ref="oval:org.mitre.oval:def:228"/>
        <criterion comment="Access This Computer From The Network - Administrators" test_ref="oval:lmsdc.vista:tst:241"/>
        <criterion comment="Access This Computer From The Network - ORA Helpers" test_ref="oval:lmsdc.vista:tst:242"/>
        <criterion comment="Access This Computer From The Network - ONLY Administrators and ORA Helpers" test_ref="oval:lmsdc.vista:tst:243"/>
      </criteria>
    </definition>

    <!-- Tests -->

    <accesstoken_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:tst:241" version="1" comment="Access This Computer From The Network - Administrators" check_existence="at_least_one_exists" check="all">
      <object object_ref="oval:lmsdc.vista:obj:241"/>
      <state state_ref="oval:lmsdc.vista:ste:241"/>
    </accesstoken_test>

    <accesstoken_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:tst:242" version="1" comment="Access This Computer From The Network - ORA Helpers" check_existence="at_least_one_exists" check="all">
      <object object_ref="oval:lmsdc.vista:obj:242"/>
      <state state_ref="oval:lmsdc.vista:ste:241"/>
    </accesstoken_test>

    <accesstoken_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:tst:243" version="1" comment="Access This Computer From The Network - Only Administrators and ORA Helpers" check_existence="at_least_one_exists" check="all">
      <object object_ref="oval:lmsdc.vista:obj:243"/>
      <state state_ref="oval:lmsdc.vista:ste:242"/>
    </accesstoken_test>

    <!-- Objects -->

    <accesstoken_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:obj:240" version="1">
      <security_principle operation="pattern match">.*</security_principle>
    </accesstoken_object>

    <accesstoken_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:obj:241" version="1">
      <security_principle>Administrators</security_principle>
    </accesstoken_object>

    <accesstoken_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:obj:2411" version="1">
      <behaviors resolve_group="true"/>
      <security_principle>Administrators</security_principle>
    </accesstoken_object>

    <accesstoken_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:obj:242" version="1">
      <security_principle>Offer Remote Assistance Helpers</security_principle>
    </accesstoken_object>

    <accesstoken_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:obj:2421" version="1">
      <security_principle operation="pattern match">\w*/Offer Remote Assistance Helpers</security_principle>
    </accesstoken_object>

    <!-- Only Administrators and ORA Helpers -->
    <accesstoken_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:obj:243" version="1">
      <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="INTERSECTION">
        <set set_operator="COMPLEMENT">
          <object_reference>oval:lmsdc.vista:obj:240</object_reference>
          <object_reference>oval:lmsdc.vista:obj:241</object_reference>
        </set>
        <set set_operator="COMPLEMENT">
          <object_reference>oval:lmsdc.vista:obj:240</object_reference>
          <object_reference>oval:lmsdc.vista:obj:2421</object_reference>
        </set>
      </set>
    </accesstoken_object>

    <!-- States -->

    <accesstoken_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:ste:241" version="1">
      <senetworklogonright datatype="boolean">1</senetworklogonright>
    </accesstoken_state>

    <accesstoken_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:ste:242" version="1">
      <senetworklogonright datatype="boolean">0</senetworklogonright>
    </accesstoken_state>

The results from the SecutorPrime Scan ...

oval:lmsdc.vista:def:24 (compliance)
Access this computer from the Network

---- Result: not evaluated ----

*** BEGIN **************************************************************************

oval:org.mitre.oval:tst:99 [true] (the installed operating system is part of the Microsoft Windows family)
*** AND ***
oval:org.mitre.oval:tst:7914 [true] (Windows 7 is installed)
--- [true]

---- TRUE ----
*** AND **************************************************************************

oval:lmsdc.vista:tst:241 [true] (Access This Computer From The Network - Administrators)

---- TRUE ----
*** AND **************************************************************************

oval:lmsdc.vista:tst:242 [accesstoken_test not evaluated] (Access This Computer From The Network - ORA Helpers)

---- MOOT ----
*** AND **************************************************************************

oval:lmsdc.vista:tst:243 [true] (Access This Computer From The Network - ONLY Administrators and ORA Helpers)

---- MOOT ----
*** END **************************************************************************

oval:org.mitre.oval:tst:99 -- the installed operating system is part of the Microsoft Windows family
Windows is windows
--- Result: true


oval:org.mitre.oval:tst:7914 -- Windows Vista is installed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
Windows 7 Enterprise matches .*[Ww]indows 7.*
--- Result: true


oval:lmsdc.vista:tst:241 -- Access This Computer From The Network - Administrators
builtin/administrators should have senetworklogonright rights: true
builtin/administrators DOES have senetworklogonright rights.

--- Result: true


oval:lmsdc.vista:tst:242 -- Access This Computer From The Network - ORA Helpers
oval:lmsdc.vista:obj:242: No data available (2)
--- Result: error


oval:lmsdc.vista:tst:243 -- Access This Computer From The Network - Only Administrators and ORA Helpers
nt authority/service should have senetworklogonright rights: false
nt authority/service DOES NOT have senetworklogonright rights.

nt authority/network service should have senetworklogonright rights: false
nt authority/network service DOES NOT have senetworklogonright rights.

s-1-5-21-796845957-492894223-839522115-71512 should have senetworklogonright rights: false
s-1-5-21-796845957-492894223-839522115-71512 DOES NOT have senetworklogonright rights.

builtin/guests should have senetworklogonright rights: false
builtin/guests DOES NOT have senetworklogonright rights.

builtin/users should have senetworklogonright rights: false
builtin/users DOES NOT have senetworklogonright rights.

builtin/remote desktop users should have senetworklogonright rights: false
builtin/remote desktop users DOES NOT have senetworklogonright rights.

nt authority/local service should have senetworklogonright rights: false
nt authority/local service DOES NOT have senetworklogonright rights.

--- Result: true

==================================================================================

I have also attempted to set

Code:

    <accesstoken_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:lmsdc.vista:tst:242" version="1" comment="Access This Computer From The Network - ORA Helpers" check_existence="at_least_one_exists" check="all">
      <object object_ref="oval:lmsdc.vista:obj:2421"/>
      <state state_ref="oval:lmsdc.vista:ste:241"/>
    </accesstoken_test>


But it still fails.

What does the (2) in the following mean?
oval:lmsdc.vista:obj:242: No data available (2)
--- Result: error


When I view other accesstoken checks I see the following:
eovcisvm337/offer remote assistance helpers should have sedebugprivilege rights: false
eovcisvm337/offer remote assistance helpers DOES NOT have sedebugprivilege rights.

What do I need to do to tst/obj:242 to recognize <ComputerName>/offer remote assistance helpers?

Thanks in advance
J Hartig
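An added Python model of the set logic in obj:243 above and of the at_least_one_exists / check="all" test semantics; this is not code from the post or from Secutor Prime. The principal inventory and the rule that a bare name like "Administrators" resolves against the account part of "host/name" are constructed assumptions; obj:242 is left out because the thread does not establish why it collected nothing.

```python
import re

# Constructed inventory modelled on the principal names in the scan output
# above: name -> 1 if it holds SeNetworkLogonRight, 0 if not.
PRINCIPALS = {
    "builtin/administrators": 1,
    "eovcisvm337/offer remote assistance helpers": 1,
    "builtin/users": 0,
    "builtin/guests": 0,
    "builtin/remote desktop users": 0,
    "nt authority/network service": 0,
}

def collect(operation, value, inventory=PRINCIPALS):
    """Model an accesstoken_object: 'pattern match' is a full regex match on
    the whole name; 'equals' compares the account part after the separator
    (an assumption made so that a bare 'Administrators' resolves)."""
    if operation == "pattern match":
        return {n for n in inventory if re.fullmatch(value, n, re.I)}
    return {n for n in inventory if n.rsplit("/", 1)[-1] == value.lower()}

def evaluate_set(node):
    """OVAL set operators: COMPLEMENT is the first member minus the others;
    INTERSECTION/UNION as usual. node = set of names or (op, [members])."""
    if isinstance(node, set):
        return node
    op, members = node
    first, *rest = (evaluate_set(m) for m in members)
    if op == "COMPLEMENT":
        return first.difference(*rest)
    return first.intersection(*rest) if op == "INTERSECTION" else first.union(*rest)

def run_test(items, want_right, inventory=PRINCIPALS):
    """check_existence='at_least_one_exists' and check='all': something must
    be collected, and every collected item must match the state."""
    return bool(items) and all(inventory[n] == want_right for n in items)

# obj:243 as posted: (everything minus Administrators) intersected with
# (everything minus ORA Helpers), i.e. every other principal on the box.
everything = collect("pattern match", ".*")
admins = collect("equals", "Administrators")
helpers = collect("pattern match", r"\w*/Offer Remote Assistance Helpers")
obj_243 = evaluate_set(("INTERSECTION", [("COMPLEMENT", [everything, admins]),
                                         ("COMPLEMENT", [everything, helpers])]))

def tst_241():
    return run_test(admins, 1)      # ste:241: senetworklogonright = 1

def tst_243():
    return run_test(obj_243, 0)     # ste:242: nobody else may hold the right
```

In this model tst:243 is true exactly when no principal outside the two groups holds the right, which is what the definition's third criterion is meant to express; granting the right to any other principal in the inventory flips it to false.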

robert.hollis
SME
Posts: 24
Joined: Wed Mar 07, 2007 12:32 pm

Postby robert.hollis » Wed May 05, 2010 5:17 pm

Good evening Mr. Hartig,

If you are permitted to disclose your content, it would be much easier to walk through this with the full content. Our test bench includes tools to help us better identify content problems as well as source code problems. In these investigations, we consider both possibilities equally.

Can you contact us at support@threatguard.com so we can provide more direct assistance?

Thanks! I look forward to working with you.

-rob

