
CCS 10.5.1 Custom Check

Created: 20 Sep 2011 • Updated: 21 Sep 2011 | 3 comments
This issue has been solved.

I'm trying to write a check that will verify that only 4 groups can access a system from the network. I tried using "User Right (Names): Access this computer from the network <List> % {Administrators, Everyone, Users, Backup Operators}" and the check failed. I have verified that those are the groups that have access. Granted, they have the host name in front (HOSTNAME/Administrators); however, when I break the check out into individual checks and use the OR operator, the check passes. This would seem to indicate it can recognize those accounts. The issue there is that there can be accounts other than those 4 and the check still passes. If I change the operand to AND, the check then fails.

Can anyone point me in the right direction to solve this?


Thanks

Tim

3 comments

cmccoy2:

The problem that you are having with the "AND" option is that the evidence has multiple values and you can't use the AND unless everything matches. The %~ (Contains match) is a better option for looking at this because you can use a regular expression to detail all of your options. There was a similar issue posted earlier by nancy and here is what I replied to her with:

This check can be accomplished, but you have to turn it upside down a bit. Your logic is correct, but since you are dealing with multiple values you will need to do the following:

E0: User rights (Names): Impersonate a Client after authentication <LIST> =~ /Administrators|Local\s*Service|Network\s*Service/i

E1: User rights (Names): Impersonate a Client after authentication <LIST> !~ /Administrators|Local\s*Service|Network\s*Service/i

E0 and Not E1 will be your formula.

You were close, but the first expression looks to make sure that any of the items in the regex will be found in the list [you needed to drop the parenthesis because that doesn't exist in the data collected]. Then you need to do a double negative to make sure that there are not any other accounts assigned to this user right. So expression E1 reads, User rights (names): Impersonate a client after authentication <List> no match /Administrators|Local\s*Service|Network\s*Service/i, then you have to use the "Not" in the formula expression to make sure no other accounts exist for this User right. This is the only way I have been able to accomplish this. I haven't tried it in a while, but you may need to create a separate expression for each account that you want to verify is in the list as well.

Hope this helps,

Please refer to this posting to get the full context of this response. I think it will help in building your check.

tsullivan:

Thanks for the reply cmccoy2 -- can you break down what the user list you show means? In the user's guide it says that lists have to be bracketed with { } and you separate values with a comma. I see the local and the network tags; are those placeholders for local and network names, or are those acting as wild cards?


Thanks!

cmccoy2:

When you use the %~ (Contains Match) operator, you need to use a regular expression. In CCS you will surround the regular expression with '/' (forward slash). So if you are looking for a number of options in a string of text, you would do the following with regard to your original comment:

/Administrators|Everyone|Users|Backup\s*Operators/i

This will look to see if any of the following are in the list: Administrators, Everyone, Users or Backup Operators. The trailing "i" designates case insensitivity. With this expression, if any of these items are in the list, then it will pass as long as the Multiple Data Options is set to "OR". If the Multiple Data Option is set to "AND" then it will fail because of the multi-valued list. If you follow the logic of my original reply, then you need to do the following: make sure that each item is in the list, then make sure that no other items are in the list. It could mean that you have to have 4 expressions that would address each item and then one expression that looks for everything else. If your requirement is that you need to only have the 4 items you mentioned, then this would be the right way to do it.

SOLUTION
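The "E0 and Not E1" formula from the thread, modelled in Python as an added example (not CCS code and not from either poster). It assumes that an operator applied to a multi-valued <LIST> with Multiple Data Options = OR passes when any single value satisfies it, and it uses constructed evidence with the HOSTNAME\ prefix the question mentions. It also goes one step past the thread: the unanchored alternation lets an extra group like "Remote Desktop Users" slip through on the substring "Users", so a second, anchored pattern is shown beside it.

```python
import re

# Constructed sample evidence (not from the thread): the <LIST> values
# collected for "Access this computer from the network" on host HOSTNAME.
EVIDENCE_OK = [
    "HOSTNAME\\Administrators", "Everyone",
    "HOSTNAME\\Users", "HOSTNAME\\Backup Operators",
]
EVIDENCE_EXTRA = EVIDENCE_OK + ["HOSTNAME\\Remote Desktop Users"]

REQUIRED = ["Administrators", "Everyone", "Users", "Backup Operators"]

# The alternation from the reply above, unanchored (substring match).
LOOSE = re.compile(r"Administrators|Everyone|Users|Backup\s*Operators", re.I)
# Same names, anchored to the whole group name after an optional HOST\ prefix,
# so "Remote Desktop Users" no longer matches on "Users".
STRICT = re.compile(
    r"^(?:[^\\]+\\)?(?:Administrators|Everyone|Users|Backup\s*Operators)$", re.I)


def e0_contains_match(values, pattern):
    """E0: <LIST> =~ /.../ with OR: passes if any value matches (assumed semantics)."""
    return any(pattern.search(v) for v in values)


def e1_no_match(values, pattern):
    """E1: <LIST> !~ /.../ with OR: passes if any value fails to match,
    i.e. an account outside the allowed set is present."""
    return any(pattern.search(v) is None for v in values)


def each_present(values, required):
    """One expression per required account, as the reply says may be needed."""
    names = [v.split("\\")[-1].lower() for v in values]
    return all(r.lower() in names for r in required)


def check(values, pattern=STRICT, required=REQUIRED):
    """Formula from the thread: E0 and Not E1, plus per-account presence checks."""
    return (e0_contains_match(values, pattern)
            and not e1_no_match(values, pattern)
            and each_present(values, required))


if __name__ == "__main__":
    print(check(EVIDENCE_OK))                    # True
    print(check(EVIDENCE_EXTRA))                 # False: extra group caught
    print(check(EVIDENCE_EXTRA, pattern=LOOSE))  # True: unanchored pattern misses it
```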