Pinned topic Bigfix not reading registry value

SystemAdmin, 2013-01-17T16:50:31Z
Good morning,

I'm attempting to write a fixlet that will tell me if a given system is auditing logon events, object access, and system events. In order for these fixlets to work, BigFix reads the value of "HKLM\SECURITY\Policy\PolAdtEv". Additionally, "HKLM\SECURITY\Policy\PolAdtEv" is only accessible by NT Authority\System (i.e. unless you change the permissions for the "HKLM\Security" key, you're not going to be able to view its sub-keys).

So, given that the BigFix agent is supposed to be running under NT Authority\System, and "HKLM\SECURITY\Policy\PolAdtEv" can only be viewed by NT Authority\System, why are my fixlets/analyses not returning the proper information?

And, for the curious, the relevance I am using is as follows:
(if (exists values of keys "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)
 then (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "3")
       then ("Success/Failure")
       else (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "2")
             then ("Failure")
             else (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "1")
                   then ("Success")
                   else (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "0")
                         then ("No Auditing")
                         else ("ERROR - Requires manual checking")))))
 else ("ERROR - Requires manual checking"))
Reply from SystemAdmin, 2013-01-17T16:54:35Z
Re: Bigfix not reading registry value

Oh, and as a note, the relevance is only failing on Server 2008 machines...
Reply from SystemAdmin, 2013-01-18T17:13:58Z
Re: Bigfix not reading registry value

I figured it out - it's not that BigFix didn't have proper permissions to read the proper registry key... it's that Microsoft changed the value of the key in question... So that's what was messing up my relevance.

On the bright side, I did discover the audit policy inspectors, which vastly simplifies the relevance statements...
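As an added example that is not part of the thread (and not the BigFix audit policy inspectors the last post mentions but does not show), the following PowerShell reads the effective audit policy through the supported auditpol tool rather than by slicing the undocumented HKLM\SECURITY\Policy\PolAdtEv blob, whose layout is what changed between Server 2003 and Server 2008 and broke the relevance above. It assumes the CSV column names that "auditpol /get /category:* /r" emits and English setting strings; the sample rows and the placeholder GUID are constructed for the example, and the function name is the author's own.

```powershell
# Added example, not from the original thread. Maps each audit subcategory to
# the same four labels the poster's relevance produced, using auditpol's CSV
# output instead of parsing HKLM\SECURITY\Policy\PolAdtEv directly.

function Get-AuditPolicyReport {
    param(
        # Lines in the CSV layout produced by: auditpol /get /category:* /r
        # (assumed header: Machine Name,Policy Target,Subcategory,
        #  Subcategory GUID,Inclusion Setting,Exclusion Setting)
        [Parameter(Mandatory)]
        [string[]]$CsvLines
    )

    # auditpol may emit an empty line before the header; drop blanks first.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv

    foreach ($row in $rows) {
        # The setting strings are localized on non-English systems, so anything
        # unrecognised falls through to the same manual-check label the
        # poster's relevance used rather than being silently misreported.
        $label = switch -Regex ($row.'Inclusion Setting') {
            '^Success and Failure$' { 'Success/Failure' }
            '^Success$'             { 'Success' }
            '^Failure$'             { 'Failure' }
            '^No Auditing$'         { 'No Auditing' }
            default                 { 'ERROR - Requires manual checking' }
        }

        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            Label       = $label
        }
    }
}

# Constructed sample in the auditpol /r CSV layout (GUIDs replaced by a
# placeholder; real output carries the subcategory GUID in that column).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'SRV01,System,Logon,{00000000-0000-0000-0000-000000000000},Success and Failure,'
    'SRV01,System,File System,{00000000-0000-0000-0000-000000000000},Failure,'
    'SRV01,System,Security State Change,{00000000-0000-0000-0000-000000000000},Success,'
    'SRV01,System,Other System Events,{00000000-0000-0000-0000-000000000000},No Auditing,'
    'SRV01,System,IPsec Driver,{00000000-0000-0000-0000-000000000000},Erfolg,'
)

Get-AuditPolicyReport -CsvLines $sample | Format-Table -AutoSize

# Live use on the machine being checked (requires an elevated prompt, since
# auditpol needs SeSecurityPrivilege to read the policy):
#   Get-AuditPolicyReport -CsvLines (auditpol /get /category:* /r) |
#       Where-Object Subcategory -in 'Logon', 'File System', 'Security State Change'
```

The three subcategories in the filter correspond to the logon, object access and system event categories the original question asked about; the last sample row shows the manual-check fallback firing on a non-English setting string.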