Hello List, i am trying to create an Ossec rootcheck file regarding to cis benchmarks. I noticed that some rules are not working on my Windows Server 2012 R2 (64bit).
For example: #2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher [CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288] r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0; I am not sure if this rule is not correctly or if the problem is related to https://github.com/ossec/ossec-hids/issues/301. If this is related to the problem with the registry redirection, is there a workaround to check this hives with rootchecks or are all the keys in hkey_local_machine\software and hkey_current_user\software "useless" for this kind of checks on 64bit Windows? Thank's for your support. Best Regards Daniel -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
