2 Replies Latest reply: Feb 17, 2017 2:06 AM by pratikkayastha

I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"

pratikkayastha Novice

# (C) 2015-2016 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision$
# $Date$
#
# Description : This .audit is designed against the CIS Security Configuration Benchmark For
#               Microsoft Windows Server 2012 Version 2.0.0 May 16, 2016.
#
# Ref         : https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_non-R2_Benchmark_v2.0.0.pdf
#
# NOTE        : Some queries in this .audit require site-specific data to be known to the query in order to function properly.
#               Please note the following queries and edit their values accordingly.
#
#               2.3.7.4 Configure 'Interactive logon: Message text for users attempting to log on'
#               2.3.7.5 Configure 'Interactive logon: Message title for users attempting to log on'
#               2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
#               2.2.21 Ensure 'Deny log on through Remote Desktop Services'
#
#<ui_metadata>
#<display_name>CIS Windows Server 2012 DC L1 v2.0.0</display_name>
#<spec>
#  <type>CIS</type>
#  <name>Windows Server 2012 DC L1</name>
#  <version>2.0.0</version>
#  <link>https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_non-R2_Benchmark_v2.0.0.pdf</link>
#</spec>
#<labels>windows,cis,microsoft,server,server_2012,domain_controller</labels>
#<variables>
#<variable>
#<name>LOGON_TEXT</name>
#<default>All activites performed on this system will be monitored.</default>
#<description>Login Window Text</description>
#<info>This is the body text of the login warning a user receives when logging onto the system</info>
#</variable>
#<variable>
#<name>LOGON_CAPTION</name>
#<default>WARNING!!!</default>
#<description>Logon Window Caption</description>
#<info>This is the caption text for the login warning a user receives when logging onto the system</info>
#</variable>
#<variable>
#<name>ANON_NAMED_PIPES</name>
#<default>'LSARPC' && 'NETLOGON' && 'SAMR'</default>
#<description>Anonymous Named Pipes</description>
#<info>This is the list of named pipes can be accessed by anonymous users (NullSessionPipes). If multiple pipes are required place them in quotes joined by two ampersands</info>
#</variable>
#<variable>
#<name>SE_DENY_REMOTE_INTERACTIVE_LOGON</name>
#<default>'Guests' && 'Local account'</default>
#<description>SeDenyRemoteInteractiveLogonRight</description>
#<info>These are the users which should be granted the 'Deny log on through Remote Desktop Services' user right. If multiple users/groups are required place them in quotes joined by two ampersands</info>
#</variable>
#</variables>
#</ui_metadata>

<check_type : "Windows" version:"2">
<group_policy : "MS Windows Server 2012">

  <if>
   <condition type: "AND">
    <custom_item>
     type        : REGISTRY_SETTING
     description : "Windows Server 2012 is installed"
     value_type  : POLICY_TEXT
     value_data  : "^[a-zA-Z0-9\(\)\s]*2012[\s]*[a-zA-Z0-9\(\)\s]*$"
     reg_key     : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     reg_item    : "ProductName"
     check_type  : CHECK_REGEX
    </custom_item>

</condition>
   <then>

    <report type : "INFO">
     description : "CIS Security Benchmark For Microsoft Windows Server 2012"
    </report>

<custom_item>
type        : REGISTRY_SETTING
description : "Crash detection is an error analysis program that examines the state of Internet explorer process. Windows starts the Add-on Crash detection program whenever IE stops unexpectedly."
info        : "Ensure that crash detection feature is disabled. To configure this setting."
Rationale   : "IE Crash report information could contain sensitive information from computers memory."
reference   : "800-53|AC-11,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,CCE|CCE-37993-3,LEVEL|1S"
see_also    : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf"
solution    : "Ensure that crash detection feature is disabled. To configure this setting
1.Click Start > Run and type gpedit.msc.
2.Expand Computer configuration>Administrative Templates>Windows components>Internet explorer and Enable “Turn off Crash Detection”
NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM).
value_type  : REG_DWORD
reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria"
reg_item    : "Turn off Crash Detection"
value_data  : [1]
</custom_item>

</then>
   <else>
    <report type : "INFO" >
     description : "Windows Server 2012 is not installed"
     info        : "Windows Server 2012 is not installed or Remote Registry Service is disabled."
    </report>
   </else>
  </if>

</group_policy>
</check_type>

 

Please help me correct the above script so that it scans / checks the following: 1) Click Start > Run and type gpedit.msc. 2) Expand Computer configuration > Administrative Templates > Windows components > Internet explorer and Enable “Turn off Crash Detection”


  • Re: I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"
    cstreck Expert

    Items that are breaking the audit:

    - 'Rationale' is not a valid field.  Remove that line as a field and add it as a part of the 'info'.

    - Close the 'solution' tag with a quote on the end.

    - 'value_type' is 'POLICY_DWORD', not 'REG_DWORD'.

    - 'value_data' is just the value '1', not a range with a single element '[1]'. Not even sure if the value_data can be a range.

     

    After that, it should be all about getting the registry path and reg_item correct.

        <custom_item>
          type        : REGISTRY_SETTING
          description : "Crash detection is an error analysis program that examines the state of Internet explorer process. Windows starts the Add-on Crash detection program whenever IE stops unexpectedly."
          info        : "Ensure that crash detection feature is disabled. To configure this setting.

    Rationale: IE Crash report information could contain sensitive information from computers memory."
          reference   : "800-53|AC-11,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,CCE|CCE-37993-3,LEVEL|1S"
          see_also    : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf"
          solution    : "Ensure that crash detection feature is disabled. To configure this setting
    1.Click Start > Run and type gpedit.msc.
    2.Expand Computer configuration>Administrative Templates>Windows components>Internet explorer and Enable “Turn off Crash Detection”
    NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM)."
          value_type  : POLICY_DWORD
          reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria"
          reg_item    : "Turn off Crash Detection"
          value_data  : 1
        </custom_item>

    -chad
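
The four breaking items listed in the reply above can be caught mechanically before a .audit file is loaded into a scan. The following is an added example, not part of the thread and not Tenable's own tooling: a small Python linter whose KNOWN_FIELDS and KNOWN_VALUE_TYPES allow-lists are assumptions built only from the items on this page, run against a constructed, shortened copy of the question's custom_item.

```python
import re

# Field names and value types taken from the .audit items on this page; these
# allow-lists are an assumption for the example, not the complete Nessus schema.
KNOWN_FIELDS = {"type", "description", "info", "reference", "see_also", "solution",
                "value_type", "value_data", "reg_key", "reg_item", "check_type"}
KNOWN_VALUE_TYPES = {"POLICY_DWORD", "POLICY_TEXT"}
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")

def lint_custom_item(body):
    """Return (line_no, message) findings for the body of one <custom_item>."""
    findings = []
    open_field = None  # (name, line_no) of a quoted value that is not yet closed
    for no, line in enumerate(body.splitlines(), 1):
        m = FIELD_RE.match(line)
        starts_field = bool(m) and m.group(1) in KNOWN_FIELDS
        if open_field and not starts_field:
            # Continuation of a multi-line string: an odd number of quotes closes it.
            if line.count('"') % 2 == 1:
                open_field = None
            continue
        if open_field:
            # A known field began while a string was still open: the quote never closed.
            findings.append((open_field[1], f"'{open_field[0]}' is missing its closing quote"))
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name not in KNOWN_FIELDS:
            findings.append((no, f"'{name}' is not a valid field"))
        elif name == "value_type" and value not in KNOWN_VALUE_TYPES:
            findings.append((no, f"value_type '{value}' is not a known type"))
        elif name == "value_data" and re.fullmatch(r"\[.*\]", value):
            findings.append((no, "value_data should be a plain value, not a bracketed range"))
        open_field = (name, no) if value.count('"') % 2 == 1 else None
    if open_field:
        findings.append((open_field[1], f"'{open_field[0]}' is missing its closing quote"))
    return findings

# Constructed sample: the custom_item from the question, with long strings shortened.
BROKEN = r'''type        : REGISTRY_SETTING
Rationale   : "IE Crash report information could contain sensitive information."
solution    : "Enable the Turn off Crash Detection policy in gpedit.msc
NOTE: This Group Policy path does not exist by default.
value_type  : REG_DWORD
reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria"
reg_item    : "Turn off Crash Detection"
value_data  : [1]'''

if __name__ == "__main__":
    print("\n".join(f"line {n}: {msg}" for n, msg in lint_custom_item(BROKEN)))
```

The linter only checks syntax; whether reg_key and reg_item point at the value the policy actually writes still has to be confirmed on a host where the policy is enabled.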