XP Firewall benchmark

Support topics for the enterprise version of ThreatGuard's SCAP products.
hamiltgr
Posts: 4
Joined: Mon May 12, 2008 9:41 am

Postby hamiltgr » Wed Aug 06, 2008 11:37 am

I encountered an unexpected issue with Secutor Magnus not producing or displaying the FDCC-Windows-XP-Firewall Benchmark. We performed scans of several XP systems with the most recent Magnus installation/update, including the Content Updates for, among others, the fdcc-xpfirewall.

The scans performed compliance (and vulnerability) testing and produced compliance scores, but in each case, lacked the firewall benchmark. In an attempt to eliminate other factors, we produced clean Virtual Machine images, performed new Magnus installations, and again scanned systems. The benchmark did not appear in any of these tests either.

Is anyone aware of any issues or obvious oversights that could lead to this behavior?

Thank you!

Randy
Site Admin
Posts: 28
Joined: Sat Feb 24, 2007 9:48 am

Postby Randy » Wed Aug 13, 2008 5:20 am

This could be related to a couple things.

First, make sure the benchmark is enabled. From the Navigator, open the Tools menu and select Server Settings. Click on the Content tab. Make sure the FDCC-Windows-XP V1.0 benchmark is listed and has checkmarks for Active and Display. If the items aren't checked, check them. If not, go to the next step...

Run Secutor Prime (free/Standard/Pro are all fine) on that target, select the FDCC-Windows-XP benchmark and scan. If you don't get results, then the content files aren't recognizing the firewall on that target. If you get results, then go to the next step.

On the Magnus Server, open the Content Manager (Start-->All Programs-->Secutor-->Magnus Server-->Content Manager). Click the Connect button. Highlight the FDCC XP Firewall benchmark and press the Delete button. Click the Save Changes button. When the action is finished, click the Dismiss button. From the Prepare Content menu select From Local Files. Browse to the location of the benchmark files (the ..Secutor\Magnus Server\oem-content directory or a subdirectory under that by default). Select the fdcc-xpfirewall-xccdf.xml file and press the Import button. When complete, press the Dismiss button. Press Done on the Content Importer window. The XP Firewall benchmark should now be listed on the main Content Manager window (with Active and Display checked).

Try rescanning the target in question (right click on the target in the Selected Targets list and select Run Assessment Now). Hopefully you will now see the firewall results. If not, please post your findings.
-- Randy
ThreatGuard, Inc.

mark
Posts: 1
Joined: Wed Aug 13, 2008 8:02 am

Postby mark » Wed Aug 13, 2008 9:56 am

Randy wrote:This could be related to a couple things.

First, make sure the benchmark is enabled. From the Navigator, open the Tools menu and select Server Settings. Click on the Content tab. Make sure the FDCC-Windows-XP V1.0 benchmark is listed and has checkmarks for Active and Display. If the items aren't checked, check them. If not, go to the next step...

Run Secutor Prime (free/Standard/Pro are all fine) on that target, select the FDCC-Windows-XP benchmark and scan. If you don't get results, then the content files aren't recognizing the firewall on that target. If you get results, then go to the next step.

On the Magnus Server, open the Content Manager (Start-->All Programs-->Secutor-->Magnus Server-->Content Manager). Click the Connect button. Highlight the FDCC XP Firewall benchmark and press the Delete button. Click the Save Changes button. When the action is finished, click the Dismiss button. From the Prepare Content menu select From Local Files. Browse to the location of the benchmark files (the ..Secutor\Magnus Server\oem-content directory or a subdirectory under that by default). Select the fdcc-xpfirewall-xccdf.xml file and press the Import button. When complete, press the Dismiss button. Press Done on the Content Importer window. The XP Firewall benchmark should now be listed on the main Content Manager window (with Active and Display checked).

Try rescanning the target in question (right click on the target in the Selected Targets list and select Run Assessment Now). Hopefully you will now see the firewall results. If not, please post your findings.


The benchmark is enabled, Prime scanned the computers fine, I removed the firewall benchmark and reimported it, and we still are not getting firewall results. I have double checked the settings on each of the machines to be scanned and they are consistent with the quick start guide.

We are at a bit of a loss for what to do here. If I remember correctly, the firewall benchmark worked fine with the previous version of Magnus.

Any help is appreciated.

Thanks,
Mark

hamiltgr
Posts: 4
Joined: Mon May 12, 2008 9:41 am

Postby hamiltgr » Wed Aug 13, 2008 11:34 am

I attempted a few other tests to provide additional information and to rule out potential issues.

Firstly, I reconfigured a VM containing Magnus and installed it on a base system running XP. Unfortunately, scanning the base did not produce any XP-Firewall benchmark.

Secondly, I performed a scan of two different networks from a system previously dedicated to Magnus. While the system provided the XP-Firewall Benchmarks in scans conducted prior to the most recent update, they produced none this time, on either network.

Can you think of any other possible oversights?

Thank you

Randy
Site Admin
Posts: 28
Joined: Sat Feb 24, 2007 9:48 am

Postby Randy » Thu Aug 14, 2008 3:01 pm

Did you happen to patch your XP targets to SP3? If so, the pre-1.0 firewall content may not have recognized SP3 (only SP2) and therefore the CPE check would fail and the content wouldn't run. Secutor Prime auto-update distributes the 1.0 content.

Check the file date of the file fdcc-xpfirewall-xccdf.xml in the ..\Secutor\Magnus Server\oem-content directory (or subdirectory below there if you placed it somewhere else). The latest version of the content (that recognizes XP SP3) should have the date 6/20/2008. If that isn't the case, you can download it from NIST at this location, copy the files to the oem-content directory and reimport them.

http://nvd.nist.gov/fdcc/download_fdcc.cfm

If that doesn't fix the problem, please let us know.
-- Randy

ThreatGuard, Inc.

hamiltgr
Posts: 4
Joined: Mon May 12, 2008 9:41 am

Postby hamiltgr » Mon Aug 18, 2008 5:14 pm

The systems all run SP3. I updated the content, but it still did not produce the XP Firewall benchmark.

To test, and provide additional information, we ghosted an image of Windows XP with SP2 back onto one of the target systems (and disabled updates) then scanned it. It produced the XP-Firewall benchmark with no problems.

We plan to perform additional tests to determine if differences exist between updated and cleanly installed SP3 systems.

Thank you for the excellent insight; we'll continue to work on a resolution here as well.

Update: Additionally, we performed content updates to another Virtual Machine running Magnus and a dedicated system running Magnus. Unfortunately, no XP-Firewall results appeared upon scanning.

Update: To confirm the issue resided with XP and SP3, I performed scans of Windows Vista Systems. These produced the Vista-Firewall benchmarks. Unfortunately, we still cannot seem to get the XP-Firewall benchmark with updated content. I'll continue examining possibilities.

robert.hollis
SME
Posts: 24
Joined: Wed Mar 07, 2007 12:32 pm

Postby robert.hollis » Tue Aug 19, 2008 8:20 pm

Hello from the development team, and thank you for your input.

The XP Firewall content prior to the latest SCAP release explicitly and solely indicated applicability to XP SP2. The issue of excluding SP3 has been fixed in the "v1.0" version of the content. Your input has highlighted our need to adjust and recognize these changes.

Thanks! We will be issuing a software update in the very near future to address this, and to introduce a few handy enhancements.

-rob
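
The applicability failure discussed in the posts above, as an added example that is not part of the thread and is not ThreatGuard's or NIST's code: it reads the `<platform>` entries of an XCCDF 1.1 benchmark and tests whether a target's CPE name is covered. The two XML documents are constructed samples, not the real FDCC files, and plain CPE 2.2 name matching stands in for the scanner's CPE check, which is an assumption.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1 namespace

# Constructed samples: "old" content declares SP2 only, "new" adds SP3.
OLD_CONTENT = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample-xp-firewall-old">
  <platform idref="cpe:/o:microsoft:windows_xp::sp2"/>
</Benchmark>"""
NEW_CONTENT = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample-xp-firewall-new">
  <platform idref="cpe:/o:microsoft:windows_xp::sp2"/>
  <platform idref="cpe:/o:microsoft:windows_xp::sp3"/>
</Benchmark>"""

def declared_platforms(xccdf_text):
    """Return the CPE names declared at benchmark level."""
    root = ET.fromstring(xccdf_text)
    tag = "{%s}platform" % XCCDF_NS
    return [p.get("idref") for p in root.findall(tag) if p.get("idref")]

def cpe_components(name):
    """Split a CPE 2.2 URI into part, vendor, product, version, update, ..."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    return name[len("cpe:/"):].lower().split(":")

def cpe_matches(declared, target):
    """A declared name matches when every non-empty component equals the
    target's; empty or omitted components act as wildcards."""
    want, have = cpe_components(declared), cpe_components(target)
    for i, component in enumerate(want):
        if component == "":
            continue
        if i >= len(have) or have[i] != component:
            return False
    return True

def is_applicable(xccdf_text, target_cpe):
    """True if any declared platform covers the target."""
    return any(cpe_matches(p, target_cpe) for p in declared_platforms(xccdf_text))

if __name__ == "__main__":
    sp3 = "cpe:/o:microsoft:windows_xp::sp3"
    for label, doc in (("old", OLD_CONTENT), ("new", NEW_CONTENT)):
        print(label, declared_platforms(doc), "applies to SP3:", is_applicable(doc, sp3))
```

A benchmark that is not applicable produces no failed rules, only an absent result set, which is why the symptom here was a missing benchmark rather than an error.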

hamiltgr
Posts: 4
Joined: Mon May 12, 2008 9:41 am

Postby hamiltgr » Wed Aug 20, 2008 9:03 am

Excellent news, thank you very much for your time and assistance. Good luck!

