OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

1 error and 357 warnings when scanning a Windows 10 system with oscap 1.3.4 #1674

Closed ForPete2024 closed 9 months ago

ForPete2024 commented 3 years ago

Description of Problem:

There are a lot of "unknown" rule results when scanning Windows 10 systems. This seems to be caused by 1 error and 357 warnings during the scan.

OpenSCAP Version:

1.3.4

Operating System & Version:

Windows 10 v1909 (10.0.18363)

Steps to Reproduce:

  1. download the STIG scap file: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V2R1_STIG_SCAP_1-2_Benchmark.zip

  2. Run: oscap xccdf eval --report report.html U_MS_Windows_10_V2R1_STIG_SCAP_1-2_Benchmark.xml on a Windows 10 system.

Actual Results:

There were 66 "unknown" rule results out of a total of 211 rule checks from scans on Windows 10 systems. (When running oscap oval eval --report report.html U_MS_Windows_10_V2R1_STIG_SCAP_1-2_Benchmark.xml there are 71 "unknown" OVAL Definition Results out of a total of 233.)

During the scan 1 error and 357 warnings were detected:

93 x Entity name 'setrustedcredmanaccessnameright' from state (id: 'oval:mil.disa.fso.windows:ste:474000') not found in item (id: 'xxx').

91 x Entity name 'seinteractivelogonright' from state (id: 'oval:mil.disa.fso.windows:ste:485100') not found in item (id: 'xxx').

91 x Entity name 'senetworklogonright' from state (id: 'oval:mil.disa.fso.windows:ste:484900') not found in item (id: 'xxx').

4 x Entity name 'sedenyremoteInteractivelogonright' from state (id: 'oval:mil.disa.fso.windows:ste:477800') not found in item (id: 'xxx').

44 x Obtrusive data from probe!

1 x Cannot connect to WMI namespace 'root\cimv2\security\microsoftvolumeencryption'.

7 x OVAL object 'rpminfo_object' is not supported.

6 x OVAL object 'fileeffectiverights53_object' is not supported.

5 x OVAL object 'wmi_object' is not supported.

4 x OVAL object 'file_object' is not supported.

3 x OVAL object 'textfilecontent54_object' is not supported.

2 x OVAL object 'auditeventpolicysubcategories_object' is not supported.

2 x OVAL object 'sid_sid_object' is not supported.

2 x OVAL object 'user_sid55_object' is not supported.

1 x OVAL object 'lockoutpolicy_object' is not supported.

1 x OVAL object 'passwordpolicy_object' is not supported.

1 x OVAL object 'rpmverifyfile_object' is not supported.

The scan runs for more than 12 hours (!); this is an example of one scan: Started at 2021-01-14T19:56:56+01:00 Finished at 2021-01-15T09:27:34+01:00

Expected Results:

0 "unknown" rule results and much shorter scan time

Additional Information / Debugging Steps:

U_MS_Windows_10_V2R1_STIG_SCAP_1-2_Benchmark OpenSCAP 1.3.4 scan log.txt
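An added example, not part of the original issue or of OpenSCAP's code: a way to tally rule results and list the rules that came back "unknown", as counted in the report above, so they can be triaged against the unsupported-object warnings. It assumes the scan was rerun with `--results results.xml` to get an XCCDF results file; the embedded sample XML and its rule ids are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, trimmed to the elements the tally needs; rule ids are made up.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.example_testresult_sample">
    <rule-result idref="xccdf_org.example_rule_A"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_B"><result>unknown</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_C"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_D"><result>unknown</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_E"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>
"""


def local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both match."""
    return tag.rsplit("}", 1)[-1]


def tally_rule_results(root):
    """Count <rule-result> outcomes and collect the ids of 'unknown' rules."""
    counts = Counter()
    unknown_rules = []
    for el in root.iter():
        if local(el.tag) != "rule-result":
            continue
        texts = [c.text or "" for c in el if local(c.tag) == "result"]
        result = texts[0].strip() if texts else "missing"
        counts[result] += 1
        if result == "unknown":
            unknown_rules.append(el.get("idref", "?"))
    # Rules that were not selected were never checked, so leave them out of the total.
    evaluated = sum(n for r, n in counts.items() if r != "notselected")
    return {"counts": counts, "evaluated": evaluated, "unknown_rules": unknown_rules}


if __name__ == "__main__":
    # Pass a results file path, or run with no argument to use the sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE_RESULTS)
    summary = tally_rule_results(root)
    print(f"{len(summary['unknown_rules'])} unknown of {summary['evaluated']} evaluated")
    for result, n in summary["counts"].most_common():
        print(f"  {result}: {n}")
    for rule_id in summary["unknown_rules"]:
        print(f"  unknown -> {rule_id}")
```
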

jan-cerny commented 3 years ago

The Windows version is in a very early state and can't be used for real-world use cases at the moment. Unfortunately, we don't have any developers working on the Windows version. Any code contributions are welcomed.