Hello, I am trying to create an OSSEC rootcheck file for the CIS benchmarks for Windows Server. I noticed that some rules are not working on my Windows Server 2012 R2 (64bit) test VM.
For example:

#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;

I am not sure if this rule was created with a mistake or if the problem is related to the Windows registry redirection on 64bit systems (https://github.com/ossec/ossec-hids/issues/301). Is there a workaround to check these hives with rootchecks, or are all the keys in hkey_local_machine\software and hkey_current_user\software "useless" for this kind of check on 64bit Windows? I have seen that there is a workaround in this post, but I'm not able to implement it.

Thanks for your support.

Best Regards
Daniel
