"Different" 800-53 group results

[owensjp]

In parsing through exported XML Magnus results files, we've found a handful of the 800-53 groups that are reported out differently than the others, but only in the Vista desktop benchmark. Those groups are:

AC-2
AU-8
IA-1
SC-8
SI-6
SI-7

While all the other groups include score information, score_color, etc. as attributes. These groups include only two attributes: pass="0" and fail="0". We're not quite sure what to make of this. Can you shed any light on the question? Thanks in advance for your help.

[robert.hollis]

Hello 'JP', and thank you for your question.

0 pass, 0 fail means all rules of that group had 'unknown' results.

Unknown can happen for a couple different reasons. In one case, there may be no underlying OVAL definition in the SCAP data stream to support the check. The Secutor Prime UI will display these instances with a [?]. Another case is when there is an error during the assessment, indicated by a [!]. Secutor Magnus displays all unknown items with a "?".

The Vista content has a number of tests that cannot be performed over the wire. These are the Audit Policy Subcategories. When using Magnus in agentless mode, these items will be reported as an error ("?"), and no results will be available for that group.

Alternative, you can deploy agents to gather this information with Magnus.

-rob