False positive in USGCB - Windows 7 scan

General support questions for the Secutor Prime product.
maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Mon Apr 18, 2011 11:16 am

I am running Secutor Prime Professional and scanning a Windows 7 system configured using USGCB settings. I ran the scan using the USGCB-Windows-7-xccdf.xml policy version 1.1.1.0. It incorrectly flagged Network Access: Allow anonymous SID/Name translation as FAILED. The setting is supposed to be Disabled and I checked via RSOP.msc that it is in fact disabled.

I believe this false positive is due to the fact that this particular setting does not exist in the Registry.

On my side I can simply flag this as an exception, but it should be fixed. Thanks.

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Tue Apr 19, 2011 9:14 am

The most recent builds of Secutor Prime have had some updates specifically to make this test accurate. If you have updated to the most recent build of Secutor Prime and are seeing this false positive it's very possible something else is going on.

One is the RSOP namespace itself. Unless you have explicitly created a GPO item for this setting and pushed it out from your domain controller then the RSOP namespace on the machine will be indeterminate.

Try looking at the same setting using the local security policy MMC (secpol.msc). Chances are good that that is the reason this rule is marked as failing for you.

I couldn't, however, tell you which of these settings or combination thereof reflects the effective current policy of the machine.

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Tue Apr 19, 2011 1:47 pm

I am running the latest version. I gave you the policy version number.

I checked secpol.msc and the setting is Disabled there as well. I have also tested multiple machines and they all have this error.

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Tue Apr 19, 2011 2:00 pm

That is curious.

BTW, I should have included it in the previous post, but as of right now the current version of Secutor Prime is Version 4 build 4002. That version has the SID/Name test in it.

Here's one other thing that's worth a try. Run the command

secedit.exe /export /quiet /cfg <FILENAME>


This will dump the policy to FILENAME. Look in that dumped file for the line that says

LSAAnonymousNameLookup =

and see what the value is. That line should appear pretty close to the top of the file. The answer will help us figure out what is going on here.

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Wed Apr 20, 2011 7:48 am

I am running version 4 build 4002.

LSAAnonymousNameLookup is set to 0.

When I created the GPOs I just imported the settings direct from NIST so I assure you the GPO is correct.

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Wed Apr 20, 2011 9:51 am

Thanks, all of that information is helpful. That gives us a couple of data points to try to track down what is going on.

One other thing that could prove very helpful is to be able to see the OVAL notes produced when Secutor Prime is evaluating this rule. If you'd rather not have that posted to a public forum you can email them to

Support@ThreatGuard.com

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Wed Apr 20, 2011 11:27 am

This looks like a simple case of the originating benchmark specifying a comparative value that doesn't match the output of the test.

The test that determines this value is a WMI query against the RSOP namespace that returns a value of either "True" or "False". However, the benchmark specifies that a passing value is to be "0", which you can see on line 3244 of the USGCB-Windows-7-xccdf.xml file. If you manually edit the benchmark to change that line from

<value>0</value>

to

<value>False</value>

that would be a quick workaround to stop getting false negatives.

However, until this is corrected at NIST and distributed, your changes will mark your local copy of the benchmark as outside of the baseline and it will get overwritten the next time you do an update of Secutor Prime. So we will also give feedback to NIST to get the benchmark corrected and also see if there is a programmatic change we can make to Secutor Prime that gives you accurate results without breaking SCAP validation.
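An added illustration of the mismatch described in this post and of the secedit check suggested earlier in the thread; it is not Secutor Prime's code, and the secedit excerpt and the datatype-aware comparison are my own constructions, not the product's actual fix. It reads LSAAnonymousNameLookup from an export and emulates an OVAL equals check, once literally (which yields the thread's "FALSE does not equal 0") and once with both values read as booleans.

```python
import configparser

# Constructed excerpt in the shape of a secedit.exe /export /cfg dump
# (not a real capture). Real exports are UTF-16LE: open(path, encoding="utf-16").
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
LSAAnonymousNameLookup = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def secedit_setting(inf_text, key, section="System Access"):
    """Read one key from a secedit export; the INF format is INI-like."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written
    cp.read_string(inf_text)
    return cp.get(section, key).strip()

def normalize(value, datatype):
    """Coerce a collected or state value according to an OVAL datatype."""
    text = str(value).strip()
    if datatype == "boolean":
        if text.lower() in ("true", "1"):
            return True
        if text.lower() in ("false", "0"):
            return False
        raise ValueError(f"not a boolean: {value!r}")
    if datatype == "int":
        return int(text)
    return text                      # string: compared literally, case-sensitive

def oval_equals(collected, expected, datatype="string"):
    """Emulate an OVAL 'equals' check between an item value and a state value."""
    try:
        return normalize(collected, datatype) == normalize(expected, datatype)
    except ValueError:
        return False

def evaluate(collected, expected, datatype="string"):
    """Return (result, note) in the shape of the thread's OVAL notes line."""
    ok = oval_equals(collected, expected, datatype)
    verb = "equals" if ok else "does not equal"
    return ok, f"{collected} {verb} {expected}"

if __name__ == "__main__":
    print(secedit_setting(SECEDIT_EXPORT, "LSAAnonymousNameLookup"))
    print(evaluate("FALSE", "0"))              # literal compare, as the benchmark does
    print(evaluate("FALSE", "0", "boolean"))   # both sides read as booleans
```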

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Fri Apr 22, 2011 7:13 am

OVAL notes follow:

oval:gov.nist.usgcb.windowsseven:def:85 (compliance)
Network access: Allow anonymous SID/Name translation

---- Result: fail ----

*** BEGIN **************************************************************************
oval:org.mitre.oval:tst:99 [true] (the installed operating system is part of the Microsoft Windows family)
*** AND ***
oval:org.mitre.oval:tst:10792 [true] (Windows 7 is installed)
--- [true]
---- TRUE ----
*** AND **************************************************************************
oval:gov.nist.usgcb.windowsseven:tst:531 [false] (Network access: Allow anonymous SID-Name translation)
---- FALSE ----
*** END **************************************************************************

oval:org.mitre.oval:tst:99 -- the installed operating system is part of the Microsoft Windows family
Windows is windows
--- Result: true

oval:org.mitre.oval:tst:10792 -- Windows 7 is installed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
Windows 7 Professional matches ^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$
--- Result: true

oval:gov.nist.usgcb.windowsseven:tst:531 -- Network access: Allow anonymous SID-Name translation
FALSE does not equal 0
--- Result: false

==================================================================================

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Fri Apr 22, 2011 11:11 am

Thanks, that confirms that the results you are seeing match what we are finding -- namely that the value the benchmark uses to determine pass/fail is not the same as what the test returns.

After a careful review of the SCAP specifications we think we can make a programmatic fix to this that is legal and put that into the next update of Secutor Prime.

For a more immediate fix you can use the information from my previous post to edit the benchmark.

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Thu May 12, 2011 2:31 pm

A new update for Secutor Prime has now been posted live that addresses this (build 4003).
